CHAPTER 18: THE DEVIL IS IN THE DETAIL – ROBERT CLARK

It is reasonable to assume that most organisations gravitate towards ‘big ticket’ threats when preparing their BCM arrangements. All the same, the reality is that even the little things that often go unheralded in the media can cause us grief if left unattended. Rather than a full-blown case study, this chapter is a cornucopia of little, seemingly unimportant items which could still have a big impact on the effectiveness of your business continuity arrangements.

Have you considered the workforce?

I was invited to review the business continuity arrangements for a Netherlands-based company whose operation was contained in a single multi-storey building. On discovering that the cafeteria and kitchen were on the ground floor directly underneath the data centre, I deemed it a rather inauspicious start.

Mindful that their premises were a concentration of risk, it was their intention to relocate their key workers, about 50% of the workforce, to their offices in Brussels if they were denied access for an extended period. On a good day the trip would take about two hours each way. On a bad day. . .

Many of these key employees were young mothers who dropped their children off at kindergarten or school before work and collected them afterwards, which very much governed the hours they could work. It had been assumed that they would all be prepared either to commute daily or to relocate temporarily to Brussels. I suggested that they brief these individuals on the firm’s intentions and, not surprisingly, they were met with a resounding ‘no way’.

But the relocation saga did not end there. I later spent time in their Brussels office and I asked the question, ‘If a few coach loads from the Dutch office arrive looking for somewhere to work, what plans do you have to accommodate them?’ It transpired that the Belgians were totally unaware of the Dutch plans, meaning that a Dutch disaster could have become a Belgian disaster too.

Flooding

With frequent media reports on major flooding incidents around the globe and concerns about climate change abounding, one could be forgiven for focusing on the enormity of the threat. But it does not need to rain for flooding to occur.

It was a Friday afternoon and the office was emptying rapidly. Suddenly one of my colleagues noticed a trickle of water running down the office wall and the trickle soon became a torrent. The server room was on the ground floor – and much of the ICT equipment was actually on the floor. As electrical equipment does not react particularly well to water, we persuaded a couple of techies still in the building to perform an emergency power-off and get the equipment off the floor. Fortunately they succeeded as there was no IT disaster recovery in place at the time.

It transpired that a workman had drilled through a water pipe on the top floor which came directly from a large tank on the roof. While the water supply to the tank could be isolated, it was not possible to stop the tank draining its contents into the office.

On another occasion I was reviewing a Lisbon-based organisation’s risk assessment and noticed that they had flagged flooding as a major risk. Since they were located at the top of a hill, I challenged this. It emerged that their concern centred upon the swimming pool on their office roof. With Lisbon susceptible to earthquakes, they quite rightly argued that if the pool cracked, the consequences could be disastrous. Local knowledge won the day!

Information security

With Internet-facilitated information theft increasing in prominence, we must not forget that the age-old physical threat still exists and can still cause companies grief. One NGO I visited was reeling from the theft of several PCs from a ground floor office. An emergency exit was forced open by thieves and they helped themselves to some easy pickings. The PCs were quickly replaced and some more effective security measures put in place but that was not the real issue. Each of the stolen PCs contained data which had not been backed up to the NGO’s file server and the loss of this data was causing some acute embarrassment.

Taking effective backups of all your vital data, whether server-, PC- or tablet-based, could make the difference between recovering or not after a serious incident.

In the UK, the BBC has regularly reported stories of missing laptops, pen drives, CDs, DVDs, external hard drives, etc. containing sensitive data. Local authorities appeared to be the worst offenders, with over 1,000 cases of data loss reported by 132 local councils between 2008 and 2010.

The private sector is little better. HSBC were fined £3 million in 2009 and Zurich Insurance were fined £2.3 million in 2010 for customer data loss. Even the BBC itself admitted in 2010 to losing £240,000 worth of laptops and mobiles.

Of particular concern is the reported loss of laptops from the Ministry of Defence, including unexplained disappearances from high security areas. Over a four year period, this amounted to more than 650 machines, some of which contained classified information.

The UK is not the only source of such worrying losses – and the theft of hardware is not confined to laptops, pen drives and other easily movable hardware. The following example, from Australia, caused much embarrassment:

‘Australian authorities have ordered an urgent review of security at Sydney’s international airport after the theft of two mainframe computers from a restricted customs area.’ – (Mercer, 2003).

Airport security guards had been fooled into allowing the dismantling and removal of the two mainframe computers from a high security zone. Did no one notice the response time degradation?

Closer to home, two friends were reading for university degrees and each had a laptop to aid their studies. Every day they unfailingly backed up their work onto pen drives. One night, however, a burglar helped himself to the laptops and their pen drives too. In short, because the backups were kept alongside the originals, they both lost all their data. But it did not have to be so. With simple and inexpensive cloud-based backup solutions available, worrying about losing data in this way should become a thing of the past.
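The two lessons of that burglary are that a backup must live somewhere the original does not, and that a backup is only known to be good once it has been restored. The following is an added example, not code from the chapter: it writes an archive plus a SHA-256 manifest to a separate location and then proves the copy restores byte-for-byte. The "laptop" and "off-site" locations are two local directories, and the sample files and the simulated damage are constructed for illustration.

```python
"""Off-device backup with restore verification.

Added example, not from the chapter. Assumptions (mine, not the text's): the
"laptop" and the "off-site copy" are two local directories, the archive is a
zip file, and a backup counts as good only when every file in it restores
byte-for-byte against a SHA-256 manifest recorded at backup time. Keep a copy
of the manifest away from the archive: a copy kept beside the laptop goes
with the laptop, as the pen drives did.
"""
import hashlib
import json
import os
import tempfile
import zipfile

ARCHIVE = "backup.zip"
MANIFEST = "manifest.json"


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(src_dir):
    """Map each file under src_dir (relative path) to its SHA-256 digest."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def backup(src_dir, dest_dir):
    """Write src_dir into dest_dir/backup.zip with a manifest beside it.
    Returns the manifest so the caller can keep a copy elsewhere."""
    os.makedirs(dest_dir, exist_ok=True)
    manifest = build_manifest(src_dir)
    with zipfile.ZipFile(os.path.join(dest_dir, ARCHIVE), "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in sorted(manifest):
            zf.write(os.path.join(src_dir, rel), arcname=rel)
    with open(os.path.join(dest_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def verify_restore(dest_dir, manifest=None):
    """Restore the archive into scratch space and check every manifest entry.
    Returns a sorted list of problems; an empty list means the backup restores
    cleanly. Pass a manifest kept elsewhere rather than trusting the one
    stored next to the archive."""
    if manifest is None:
        with open(os.path.join(dest_dir, MANIFEST)) as f:
            manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with zipfile.ZipFile(os.path.join(dest_dir, ARCHIVE)) as zf:
            zf.extractall(scratch)
        for rel, expected in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"corrupt: {rel}")
    return sorted(problems)


def demo():
    """Constructed sample: back up two files and verify, then overwrite the
    archive with a silently altered copy (simulating damage or tampering on
    the off-site medium) and verify again. Returns both results."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "laptop")
        dest = os.path.join(work, "offsite")
        os.makedirs(src)
        with open(os.path.join(src, "thesis.txt"), "w") as f:
            f.write("chapter one\n")
        with open(os.path.join(src, "data.csv"), "w") as f:
            f.write("a,b\n1,2\n")
        manifest = backup(src, dest)
        clean = verify_restore(dest, manifest)
        # Damage the off-site copy: same file names, one changed body.
        with zipfile.ZipFile(os.path.join(dest, ARCHIVE), "w") as zf:
            zf.write(os.path.join(src, "data.csv"), arcname="data.csv")
            zf.writestr("thesis.txt", "chapter one, silently altered\n")
        damaged = verify_restore(dest, manifest)
    return clean, damaged


if __name__ == "__main__":
    print(demo())  # ([], ['corrupt: thesis.txt'])
```

Run the restore check on a schedule, not only when disaster strikes: an archive that no longer matches its manifest is discovered while the originals still exist.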

Employee fraud

‘A typical organization loses 5% of its annual revenue to employee fraud. Applied to the estimated 2009 Gross World Product, this figure translates to a potential global fraud loss of more than $2.9 trillion. . . Employee Theft Solutions, a division of The Shulman Center for Compulsive Theft and Spending, estimate that one-third of all U.S. corporate bankruptcies are directly caused by employee theft.’ – (Russakoff & Goodman, 2011).

Fiducial notes that there are many ways in which employees can defraud their employers. For example:

  • ‘Opening a checking account in a nearby community under the same name as the employer company.
  • Overpaying the payroll taxes or large suppliers and asking for refunds which are then deposited in the employee’s new company account.
  • Convincing the employer that the independent accountant is an expensive luxury which the company can do without now that the employee is available to do financial statements.
  • Soliciting the help of a supplier’s employee, then overpaying the supplier and sharing the overpayment.
  • Opening a checking account with the same name as the employer’s major suppliers and then paying invoices twice. The first payment is sent to the supplier, and the second is deposited in the employee’s extra supplier account’.
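Several of the schemes listed above leave a trace in the payment ledger, which is where an internal reviewer can look for them. The code below is an added example, not from the chapter or from Fiducial; the company name, supplier names, account numbers and ledger rows are constructed for illustration. It checks for an outgoing payment to a payee carrying the employer’s own name, for an invoice settled twice, and for one supplier name paid into more than one bank account, the tell-tale of a look-alike supplier account.

```python
"""Ledger checks for the payment-fraud patterns listed above.

Added example, not from the chapter or from Fiducial. The ledger rows, company
name and account numbers below are constructed for illustration. The checks
cover three of the listed schemes: a payee account opened in the employer's
own name, a second payment of an invoice already paid (to a look-alike
supplier account), and one supplier name paid into more than one bank account.
"""
import re
from collections import defaultdict

# Legal-form words dropped before comparing names, so "Acme Supplies Ltd" and
# "ACME SUPPLIES LIMITED" are treated as the same payee.
SUFFIXES = {"ltd", "limited", "inc", "llc", "plc", "co", "company", "corp", "corporation"}

COMPANY = "Contoso Widgets Limited"  # the employer (constructed)

PAYMENTS = [  # constructed sample ledger rows
    {"id": 1, "payee": "Acme Supplies Ltd", "invoice": "A-1001",
     "account": "GB11BARC20000012345678", "amount": 4200.00},
    {"id": 2, "payee": "Acme Supplies Ltd", "invoice": "A-1002",
     "account": "GB11BARC20000012345678", "amount": 1250.00},
    {"id": 3, "payee": "ACME SUPPLIES LIMITED", "invoice": "A-1001",
     "account": "GB29NWBK60161331926819", "amount": 4200.00},
    {"id": 4, "payee": "Northwind Traders", "invoice": "N-77",
     "account": "GB94BARC10201530093459", "amount": 980.00},
    {"id": 5, "payee": "Contoso Widgets Ltd.", "invoice": "TAX-REFUND-Q3",
     "account": "GB33BUKB20201555555555", "amount": 15000.00},
]


def normalise(name):
    """Lower-case, strip punctuation and legal-form suffixes."""
    tokens = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)


def duplicate_invoice_payments(payments):
    """Same supplier and invoice reference settled more than once."""
    groups = defaultdict(list)
    for p in payments:
        groups[(normalise(p["payee"]), p["invoice"])].append(p)
    return {k: v for k, v in groups.items() if len(v) > 1}


def payees_with_multiple_accounts(payments):
    """One supplier name paid into more than one bank account."""
    accounts = defaultdict(set)
    for p in payments:
        accounts[normalise(p["payee"])].add(p["account"])
    return {k: sorted(v) for k, v in accounts.items() if len(v) > 1}


def payments_to_own_name(payments, company_name):
    """Outgoing payments to a payee carrying the employer's own name."""
    own = normalise(company_name)
    return [p for p in payments if normalise(p["payee"]) == own]


def review(payments, company_name):
    """Run all three checks and return readable findings for the reviewer."""
    findings = []
    for (payee, inv), rows in duplicate_invoice_payments(payments).items():
        ids = [r["id"] for r in rows]
        findings.append(f"invoice {inv} from '{payee}' paid {len(rows)} times (payment ids {ids})")
    for payee, accts in payees_with_multiple_accounts(payments).items():
        findings.append(f"'{payee}' paid into {len(accts)} different accounts: {accts}")
    for p in payments_to_own_name(payments, company_name):
        findings.append(f"payment {p['id']} of {p['amount']:.2f} went to "
                        f"'{p['payee']}', the employer's own name")
    return findings


if __name__ == "__main__":
    for line in review(PAYMENTS, COMPANY):
        print(line)
```

The name normalisation is deliberately crude; in practice a reviewer would also compare supplier bank details against the master vendor file and treat any change of account as an event requiring independent confirmation.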

Succession planning

It is not unusual for organisations to undertake succession planning, but this is generally aimed at identifying replacements for the more senior members of staff. For example, having realised he was losing his battle against cancer, Steve Jobs resigned from Apple, naming Tim Cook as his successor. There can be situations though when ‘lesser’ members of staff are just as vital to the company because there is no one else who can perform the critical role that they undertake. For example, the loss of the payroll clerk could mean that no one gets paid if nobody else understands how the payroll process works.

I came across a situation where one computer programmer, in an organisation of around 400, was the only employee with expertise in ‘MUMPS’. He alone had in-depth knowledge of several massive, unstructured, monolithic programs written in that language. He had also been allowed, over several years, to accrue 12 months’ leave by combining time off in lieu (taken instead of overtime payments) with untaken annual leave. With his intention of taking a round-the-world cruise, the company was facing a massive exposure of its own making: first by allowing him to accrue the leave, and second by not providing a stand-in to cover for his absence.

Fire

Large building fires will often catch the imagination of the media and business continuity planners will invariably have the threat well and truly on their radar. But an electrical fire that started in a small storage room in a large office complex did not even rate a mention by the local press. This was largely due to an alert security guard extinguishing the blaze before the fire brigade’s arrival. Sounds like job done – except that was not the end of the drama. It transpired that all the fire debris and soot had been sucked up into the air conditioning system and for the next month it was being circulated around the building, making it uninhabitable. As soon as a layer of debris was removed by face-mask-wearing cleaners, it was duly replaced by more deposits from the air conditioning.

In another case, an off-duty fireman friend was rather surprised to get a call from his cousin, especially now that health and safety is quite rightly demanding our attention more and more in the workplace. The conversation went something like ‘Our office wall is getting very hot, what should we do?’ ‘Get out now,’ came the response. Apparently the building was shared by several small companies and one section was ablaze. Regardless of the size of a company, it is eminently sensible to ensure an effective fire alarm is installed and frequent building evacuation drills are held. Do you know how quickly you can evacuate your premises?

Keeping your contact details up to date

Keeping your contact details current is a key BCM task. I learned this lesson the hard way almost 30 years ago. I was managing a team of IT techies trying to sort out a serious system failure and we concluded that we needed the specialist skills of a colleague who was not on duty at that time. Even though it was 3 am I duly telephoned him. When the phone was answered I was horrified to discover that he no longer lived there. On reflection, I cannot believe what I did next. I actually asked the gentleman I had erroneously dragged out of bed if he had our man’s new telephone number, which he politely gave me before bidding me goodnight. Needless to say, it was some time before I was allowed to forget that rather unfortunate faux pas, but rest assured I never did it again.

Trauma management

Including some trauma management arrangements in your BCP is not uncommon, but these would usually be invoked in response to a serious life-threatening incident at the work location. A recent event in Malta suggests that we should consider extending trauma management to events outside the workplace, too. Two employees of a multinational company were outside their office enjoying a cigarette break. They found themselves just a few feet away from an attempted armed robbery and witnessed a victim being shot in the face. The event resulted in the traumatisation of both employees.

The cyber threat

‘There are two types of company – those that have been hacked and those that are going to be hacked.’ – Robert Mueller III, Director of the FBI, 2012.

When people talk of the cyber threat they appear to believe that it is a single threat. The reality is that it is multi-faceted, comes in many different forms and continues to evolve.

Another false impression is that only large organisations are at risk of attack. This is sadly untrue, as in reality SMEs are looked upon by perpetrators as ‘low-hanging fruit’ and therefore easy pickings. In 2012, 31% of all attacks targeted companies with 250 or fewer employees. Similarly, the government departments of small countries do not escape the attention of cyber criminals, as this 2011 quote from Rodney Naudi, Government of Malta Information Security Department Manager, reveals:

‘We’re currently seeing more [cyber] attacks addressing specific audiences including a surge in precision targeting such as phishing e-mails in Maltese. People need to be aware of the implications of a simple click. We might be small, but we experience the same threats that larger countries face.’

Ignorance concerning ICT security can be an organisation’s Achilles’ heel. The FBI report that over 80% of cyber attacks could have been easily prevented. An email carrying a malware attachment is one of the most common routes used to infect computers, although an effective antivirus program would often prevent such infections.
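Antivirus is the last line; the cheaper line is to stop the obvious attachments at the mail gateway before anyone can click. The following is an added example, not code from the chapter: it parses a message with Python’s standard library and flags attachments that commonly carry malware, namely executable and script extensions, a double extension such as invoice.pdf.exe, macro-enabled Office documents, archives, and content whose leading bytes contradict the declared type. The message and its attachments are constructed; the "executable" is a few bytes with a PE header, not a real program.

```python
"""Triage of e-mail attachments before they reach a user.

Added example, not from the chapter. It parses a message with the standard
library, then flags attachments that commonly carry malware: executable or
script extensions, a double extension such as invoice.pdf.exe, macro-enabled
Office files, archives, and content whose first bytes do not match what the
headers declare. The message and its attachments are constructed below; the
"executable" is a few bytes with a PE header, not a real program.
"""
import email
import os
from email import policy
from email.message import EmailMessage

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".js", ".jse",
            ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".jar", ".msi"}
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".ppam"}
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".iso", ".img", ".gz"}
MAGIC = {  # declared content type -> bytes the content must start with
    "application/pdf": b"%PDF",
    "image/png": b"\x89PNG",
    "image/jpeg": b"\xff\xd8\xff",
}


def triage_attachment(part):
    """Return (filename, list of findings) for one MIME part."""
    name = part.get_filename() or "(unnamed)"
    stem, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(stem)[1]   # ".pdf" in "invoice.pdf.exe"
    ctype = part.get_content_type()
    data = part.get_payload(decode=True) or b""
    findings = []
    if ext in EXEC_EXT:
        findings.append(f"executable or script extension {ext}")
        if inner_ext:
            findings.append(f"double extension: presented as {inner_ext}, runs as {ext}")
    if ext in MACRO_EXT:
        findings.append(f"macro-enabled Office document {ext}")
    if ext in ARCHIVE_EXT:
        findings.append(f"archive {ext}: contents not inspected here")
    if data[:2] == b"MZ":
        findings.append("content starts with a Windows PE header (MZ)")
    expected = MAGIC.get(ctype)
    if expected and not data.startswith(expected):
        findings.append(f"declared {ctype} but content does not start with {expected!r}")
    return name, findings


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and triage every attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [triage_attachment(part) for part in msg.iter_attachments()]


def build_sample_message():
    """Constructed phishing-style message with three attachments (not real files)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00 constructed stand-in, not a real program",
                       maintype="application", subtype="pdf",
                       filename="Invoice_2023.pdf.exe")
    msg.add_attachment(b"PK\x03\x04 constructed stand-in for an OOXML zip",
                       maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Q3_report.docm")
    msg.add_attachment(b"%PDF-1.4\n% constructed sample\n",
                       maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in triage_message(build_sample_message()):
        print(name, "->", findings or ["no findings"])
```

Extension and magic-byte checks catch the crude lures that the chapter describes; they do not inspect inside archives or detect malicious macros, which is why the gateway check complements rather than replaces endpoint antivirus.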

What did the press really say?

People will often take seriously what they learn through the media, so companies should be prepared to respond quickly to any inaccurate reporting about them. Sometimes, this reporting could be considered irresponsible. A case in point occurred after a fire broke out at Malta-based Drop Chemicals. With clouds of black smoke billowing from the site, safety fears were heightened when a local paper reported the presence of cyanide. In the end, it transpired that the threatening-looking green substance observed in the vicinity was nothing more sinister than washing-up liquid, one of the company’s products.

A less spectacular example with broader economic implications is provided by Northern Rock. There is little doubt that the bank was in trouble, although the catalyst that triggered the run on the bank has been much debated. Many commentators implied that media remarks, and in particular those of the BBC’s Robert Peston, caused the run, a charge vigorously denied. Ultimately taken into public ownership, Northern Rock was not the only bank in the UK to request support from the Bank of England. It was, however, the only bank to need Tripartite Authority rescue (i.e., The Bank of England, the FSA and HM Treasury).

Your fiercest competitor could also be your best friend

Just a few days after the NatWest Tower in London was bombed in 1993, I had a meeting with my bank manager. We talked briefly about how brilliantly NatWest had recovered. He explained that everything was up and running within 24 hours except foreign currency handling, which took an extra day or so. Whenever a client came into a branch requesting foreign currency, all the other high street banks helped out. After all, any of them could have been in a similar position to NatWest.

Safety in numbers

For a time, I worked for a small consultancy company in the City of London where the workforce numbered around 70. One day the managing director got wind of a lottery syndicate being formed. Although the odds of the syndicate scooping the jackpot were minuscule, the thought of 10% to 20% of his workforce taking early retirement filled him with trepidation. So he persuaded around 85% of the workforce to join the scheme, thereby substantially reducing the individual share of any winnings and effectively mitigating the risk. Furthermore, the cost of this mitigating action was zero.

Malicious damage

When you think of malicious damage you may picture smashed windows, damaged vehicles, graffiti or perhaps even arson. You might think of the perpetrators as mindless individuals perhaps under the influence of drugs or alcohol. Sometimes, however, a disgruntled employee on the inside of your organisation has the motive and means to cause considerable harm to the company.

In one such instance, a middle-aged credit controller was denied a pay rise and took his revenge over a three-year period by spraying the company’s computer equipment with the highly corrosive cleaner ‘Cillit Bang’. He was only caught after CCTV cameras were installed in the office.

In another case, a SCADA (Supervisory Control and Data Acquisition) expert applied for a position with the Maroochy Shire Council in Queensland, Australia, but his application was unsuccessful. His revenge attack made headlines:

‘He caused 800,000 litres of raw sewage to spill out into local parks, rivers and even the grounds of a Hyatt Regency hotel. Marine life died, the creek water turned black and the stench was unbearable for residents.’ – (Abrams and Weiss, 2008)

He was subsequently caught and a judge handed down a two-year prison sentence plus the costs incurred by the council for the clean-up. This attack became the first widely known example of someone maliciously breaking into a control system. Since then the vulnerability of SCADA has become more widely apparent, accentuated by the high profile Stuxnet cyber attack on the Iranian nuclear programme.
