Continuity & Resilience Q3 2019

THE MAGAZINE OF THE BUSINESS CONTINUITY INSTITUTE | Q3 2019

SEEING DOUBLE
The ability to model any given scenario can help prevent catastrophes in the future – Welcome to the world of digital twins


Q3 2019 | ISSUE 7

REGULARS

04 Welcome
06 News: Cyber attack threats, power outage investigated, Women in Resilience speak up
10 Debate: What would be your recipe for Organizational Resilience?
12 Interaction: Opinion: Tim Wren, British Standards Institution; Expert View: Michael Crooymans, Signify
15 Tech Round-up: News from StorageCraft, Punch Technologies, Resilinc, TUV SUD, Earth Networks, IOXO
36 BCI News: BCI hosts first-ever Community Resilience Volunteer Week, BCI Education Month returns
37 Next Gen: Yvette Heeremans, Sociale Verzekeringsbank
38 My Lightbulb Moment: King’s College London’s Sarah Rowe on the value of pre-planning

FEATURES

16 Keeping businesses safe: Providing secure and trusted information is vital when helping advise local businesses how best to work effectively through a developing crisis situation
20 SPECIAL REPORT: Data breaches: Leading companies have suffered data breaches recently, but it isn’t always the cyber threat at play – losing a mobile device or sensitive documents can hit businesses just as hard
28 PROFILE: Linda B Laun: Continuing to break the glass ceiling at the highest level, the multiple BCI award-winner has a plan for dealing with all eventualities
32 Seeing double: Digital Twins: How modelling any given scenario with a virtual building or town can help tackle future catastrophes efficiently


LEADERS’ MESSAGES

WELCOME

Continuity & Resilience is the magazine of the Business Continuity Institute and is published four times a year.

BUSINESS CONTINUITY INSTITUTE: 10-11 Southview Park, Marsack Street, Caversham, Berkshire, RG4 5AF. Tel: +44 (0) 118 947 8215. bci@thebci.org | www.thebci.org
EDITOR: DeeDee Doke, deedee.doke@redactive.co.uk
ASSISTANT EDITOR: Patrick Appleton, patrick.appleton@redactive.co.uk
REPORTERS: Colin Cottell, colin.cottell@redactive.co.uk; Graham Simons, graham.simons@redactive.co.uk
CONTRIBUTING WRITERS: Sue Weekes, Roisin Woolnough
DESIGNERS: Gary Hill, Will Williams
PRODUCTION EDITOR: Vanessa Townsend
PICTURE EDITOR: Claire Echavarry
SENIOR SALES EXECUTIVE: Andrew Penny, Tel: +44 (0) 20 7880 7661, andrew.penny@redactive.co.uk
PRODUCTION DIRECTOR: Jane Easterman, Tel: +44 (0) 20 7880 6248, jane.easterman@redactive.co.uk
PUBLISHING DIRECTOR: Aaron Nicholls, Tel: +44 (0) 20 7880 8547, aaron.nicholls@redactive.co.uk
PRINTER: The Manson Group, St. Albans
PUBLISHED BY: Redactive Publishing Ltd, Level 5, 78 Chamber Street, London, E1 8BL. Tel: +44 (0) 20 7880 6200. www.redactive.co.uk

© Business Continuity Institute 2019. The views expressed in C&R are not necessarily those of the Business Continuity Institute. All efforts have been taken to ensure the accuracy of the information published in C&R. However, the publisher accepts no responsibility for any inaccuracies or errors and omissions in the information produced in this publication. No information contained in this publication may be used or reproduced without the prior permission of the Business Continuity Institute. ISSN 2517-8148

Recycle your magazine’s plastic wrap. Check your local facilities to find out how.

TIM JANES

From Exxon to Equifax

When I started out in Business Continuity (BC), the Exxon Valdez oil spill was a recent case study in corporate crises. In 1989, it was America’s worst offshore spill, costing Exxon $3bn (£2.47bn) to clean up and settle legal claims, and severely damaging the firm’s reputation. It was a watershed moment for the oil giant and led to major organization-wide changes in safety, risk and supply chain management. The entire industry adopted better methods and procedures. Modern oil tankers are now double-hulled, to reduce the likelihood of a catastrophic oil spill. Tankers that want to operate in US waters are required to carry insurance issued by the US Coast Guard to cover the full loss of clean-up should any oil be lost. Oil disasters still occur, but at a significantly lower frequency and scale than in the late 20th century.

Time moves on, and at a recent BCI event it was suggested that data breaches can be regarded as the oil spills of the 21st century. This interesting analogy holds some valuable insights for our industry. In 2017, Equifax revealed a huge data breach, losing the personal information of 148m customers from its servers. The incident received extensive publicity, as it involved consumers’ personal data. Data breaches can affect any organization, not just oil companies.

Regulators and governments are starting to get tough. Equifax has been fined $650m by US regulators, and British Airways may have to pay £183m after the data of 500k customers was stolen. These figures exclude the internal costs and disruption to rectify the data breach, or the reputational and commercial damage. BC and Resilience professionals can help organizations understand the data breach threat, prepare practical response plans and build capabilities using multi-team exercises based on real-world scenarios. The results can lead to improvements in organization-wide Resilience, without having to experience a data breach. The first step is to ask: “What would your organization’s Exxon/Equifax crisis look like?”

Tim Janes Hon FBCI, Chairman, BCI

DAVID THORP

Are universities key to gender equality?

In 1968, the Chartered Institute of Marketing (CIM) launched its new training business and proudly issued its first portfolio of short courses. The title jarred when I saw it almost 30 years later: ‘Courses for Marketing Men’. Even 20 years ago this was considered beyond the pale. By 1998 CIM had a robust and well-established training business and the gender balance of course attendees was around 60/40 male/female. By 2010 the balance had shifted to 63/37 in favour of female attendees – a sea change in a profession that considered itself a male preserve in the 1960s and 70s.

I recently attended the launch of the Women in Resilience group formed by BCI members committed to increasing the gender balance within the Resilience professions. This fantastic initiative has a number of advantages that the pioneers of gender equality in that other profession four decades ago didn’t enjoy. Firstly, marketing women started from a low member base of around 10%, whereas the gender split for BCI members in the UK stands at 67/33 male/female of members who identify their gender; in the US it’s 65/35 male/female, as in Australia. Similar balances are seen across BCI’s European chapters too. The global trend infers that more women are entering the BC profession – and staying.

Key to maintaining this welcome upward momentum is higher education. Universities are waking up to the potential that higher education courses in Resilience can deliver to them. The key to hitting gender equality targets in 10-20 years’ time is to make sure the flow of young people into the profession is balanced and that there are suitable role models in senior positions with whom they can identify. The current levels of female practitioners lead me to believe that such role models already exist. The next step is to develop Business Continuity and Resilience as attractive academic fields that in turn will encourage more school-leavers to consider careers in our discipline.

David Thorp, Executive Director, BCI

DEEDEE DOKE

Editor’s comment

Where has 2019 gone? Globally, it’s been often tumultuous, sometimes exciting and regularly rewarding, and evolution and revolution have been ongoing conditions in the BC/R world. No one could deny the business case for Resilience today as the requirements for adaptation, agility and strength continue to be the subtext of all too many news stories. In the UK, money – the language of business – is talking big time, as British Airways and Marriott find themselves on the debit end of big bills for data breaches. Resilience is akin to weight lifting; it takes exercise, focus and the right diet to achieve results. And a Resilience strategy reinforces that old adage, “An ounce of prevention is worth a pound of cure.” How do we put Resilience at the top of the agenda for organizations small, medium and large? The July launch in London of Women in Resilience was an inspiration to all who attended. Clearly, there is work to do to diversify the profession gender-wise – as well as throughout every possible strand of the human spectrum. But this event was about celebrating success so far, powering ahead based on strength, expertise and achievement – not victimhood. The key? Make inclusion happen – don’t wait for permission.

DeeDee Doke, Editor


GLOBAL NEWS UPDATE

CYBER SECURITY

Be on guard for pre-attack reconnaissance, says report
By Patrick Appleton

Organizations can improve their defences against cyber threats by understanding when attackers are on reconnaissance missions, a report has suggested. Mimecast’s ‘Threat Intelligence Report’ covers the period between April and June 2019 and looked at nearly 160bn emails across its global customer base, 67bn of which were rejected for displaying highly malicious attack techniques. One such email, using a mixture of obfuscation and social engineering relating to a payment it (fraudulently) says has been made, appears to have been sussing out the company’s security measures rather than actively attempting a cyber attack, Mimecast analysts suggest. Based on its research, the report added that analysts believe the real attack is likely to be attempted within the next two quarters and will be more sophisticated. However, organizations can defend more effectively against the real attack by helping employees to recognise the nature of the first email and negating the incoming threat.

Research also revealed a marked increase in the number of simple impersonation email attacks between April and June, with CEOs, CFOs and finance staff noted as those most likely to be impersonated by cyber attackers. According to Mimecast, one email – pretending to be from a CEO and urgent in tone – attempted to take the conversation from email to text message, a less secure channel of communication. Such manoeuvres, the report said, can result in victims handing over confidential information without realising it is an attack.

Well-known malware such as Emotet and Adwind continue to be used by threat actors, with Mimecast finding a surge in Emotet activity in 2019. Adwind – which targets Java applications and uses malicious JAR files to infect – has been updated to a version of the malware which includes new capabilities such as stealing passwords and data from web forms, taking screenshots from webcams and transferring files to a remote server controlled by the attacker. As Java has a large install base, Mimecast said a potential attack using Adwind – which has thousands of cyber criminal users – has the capability to affect all major operating systems and platforms.

Of the sectors covered by the report, professional education suffered the most overall targeted attacks during the April-June period. Management and consulting, and biotechnology were the most heavily targeted (30% of threat volume) when it came to impersonation attacks. Interestingly, the research found a peak in opportunistic attack threats in the biotechnology sector on April 22 – the same day the International Summit on Biotechnology & Healthcare began in Dubai.

Other notable findings showed that targeted attacks prefer Microsoft Office as a form of bait, with 40% of detected threats using files associated with Microsoft Excel and 15% in relation to Microsoft Word. Mimecast added that attackers are using older methods more frequently too, which suggests cyber criminals are on the hunt for organizations and systems with out-of-date software patches. “Organizations can’t afford to become lax at handling simple attack techniques,” the report said. “At the very least, organizations must recognise that patching is not optional.” Accepting that the ‘cat-and-mouse game’ with cyber criminals is set to continue in the near future, the analysis concluded that organizations “can gain the upper hand” by using next generation analysis operated by expert threat analysts. “Training users on the threat landscape is critical,” it added.

VISIT THE WEBSITE FOR MORE NEWS: WWW.THEBCI.ORG

CRISIS MANAGEMENT

UK power outage under investigation from regulator
By Graham Simons

UK government regulator Ofgem has launched an investigation into power cuts in August which hit UK airports and caused delays and cancellations across the East of England’s train networks. According to a statement from Ofgem released in late August, the investigation will seek to establish what lessons can be drawn from the power cut to ensure that steps can be taken to further improve the resilience of Britain’s energy network. The investigation will also explore whether any of the parties involved – National Grid ESO, National Grid Electricity Transmission, 12* distribution network operators in England and Wales, as well as generators RWE Generation (Little Barford Power station) and Orsted (Hornsea) – breached their licence conditions. While Ofgem says the opening of the investigation does not imply non-compliance for any of the companies mentioned at this early stage of the investigation, should evidence emerge over the course of the investigation enforcement action could follow.

When approached for comment, a National Grid Electricity System Operator spokesperson said the organization “welcomes Ofgem’s investigation into the power cuts of Friday 9 August, following our submission of our interim technical report”. “National Grid ESO will continue its work on a more thorough investigation and report back in line with Ofgem’s timetable of 6 September.”

A spokesperson for RWE Generation said: “We will fully co-operate with this investigation and provide all the necessary information and data to Ofgem. It is important that all the information is reviewed in an open and transparent way. We do not have any indication that we have breached any of our licence conditions.”


NEWS

IN BRIEF

UK remains vigilant in battle against cyber crime
The UK’s National Cyber Security Centre has managed to stop 140,000 separate phishing attacks, according to its annual report. Reporting on the findings, the BBC revealed 64% of illegal sites were offline within 24 hours of being discovered and 99.3% eventually went dark.

DIVERSITY

‘Improve opportunities for women in BC/R’
By DeeDee Doke

With women comprising just 30% of BCI members, the BCI’s newly launched Women in Resilience (WiR) group say the BC/R discipline is ripe for improvements in building a more inclusive environment. From finding language bias in job specifications to encountering too few relatable role models, women in BC/R careers report they have encountered a variety of barriers in their way. However, WiR aims to work towards building up the numbers of women in leadership, gender equality and parity within BC/R, and understanding “how we can help shape a positive future”, WiR Vice Chair Kate Needham-Bennett said at the 2 July launch, hosted by Marks & Spencer.

Featured speakers at the event included Needham-Bennett; WiR Chair Gianna Detoni; BCI Head of Thought Leadership Rachael Elliott; Sally Hayes, Business Continuity Director, Warner Brothers Entertainment Group; and Victoria McKenzie-Gould, Corporate Communications Director, Marks & Spencer. In her opening remarks to the group, Needham-Bennett asked, “What are your biggest challenges? For me, it was a sense of belonging… It has been hard to see people I could relate to.”

Female representation in the BCI is gaining ground. Currently, 51.9% of BCI membership in the 20-29 age group is made up of women, said Elliott. University courses in BC/R fields are attracting more women too. Detoni said that the most important characteristic one should have is courage, which benefits both the individual and the business. However, she noted that women are “not as brave in putting themselves forward”. And in referencing flexible working, a work pattern desired by many women, Detoni urged, “We need flexibility for everybody. Taking care of children is not just for women.”

AWARDS

BCI magazine wins recognition at Memcom Awards
The 2018 relaunch of BCI’s quarterly magazine, Continuity & Resilience (C&R), was awarded Highly Commended honours in June for Best New Magazine or Relaunch in the Memcom Membership Excellence Awards. The awards recognise print, digital and marketing & communications published by membership organizations to their members. The top winners and highly commended offerings were recognised for delivering evidence of strategy, reach and impact for a clearly defined audience, high professionalism, creativity and providing an accessible read for non-target audience readers.

C&R is published by Redactive Publishing in London. The editorial team consists of Editor DeeDee Doke, Assistant Editor Patrick Appleton, Reporters Graham Simons and Colin Cottell, and Technology Contributor Sue Weekes. Art and design were provided by David Twardawa and Carrie Bremner with photo research & management by Claire Echavarry. Doke said, “The team are delighted to be working with BCI to deliver a forward-thinking, thought-provoking title to reflect and inform a global, professional audience. BC/R is evolving, and we want to support and inspire professionals in this changing world.” The BCI said it was “delighted that C&R has been recognised by Memcom as delivering a progressive publication that provides another platform for the fantastic work being done in BC/R.”


DEVELOP YOUR RESILIENCE WITH BCI EVENTS

5-6 November 2019 | Novotel London West

INVESTING IN RESILIENCE Use code C&R2019 for a 10% discount on your ticket, exclusive to Continuity&Resilience readers! Book your ticket now to one of the world’s largest conferences in the business continuity and resilience calendar, and enjoy all the amazing benefits that two days in the company of like-minded people can bring! The 2019 Conference programme has been released, visit our website now to start planning your itinerary.

Spaces are limited - book your 1 or 2 day ticket now to avoid disappointment: www.thebci.org/bciworld2019

BUILDING RESILIENCE Offering BC and Resilience professionals the opportunity to take part in education initiatives and consider how training can improve their organization’s resilience, this year’s theme of Building Resilience highlights the importance of building upon your existing knowledge and relationships across an organization to improve organizational resilience. Get involved with a packed webinar programme, competitions, resources and offers on BCI training courses to help you on the road to Building Resilience.

Take part: www.thebci.org/educationmonth19


DEBATE

THE BIG QUESTION: What would be your recipe for Organizational Resilience?

EDD BENNETT, CANADA

Empower your people
The recipe for Resilience will differ from business to business but what’s of common importance in the beginning is that you have a quality ‘chef’. Investing in Resilience professionals to steer and guide the process will provide the basis for success. The finished product has to be consumable by everyone across the organization to ensure they are engaged and able to execute their roles before, during and after a disruptive event. Base ingredients are situational awareness, self-sufficiency and personal accountability. Situational awareness of external and internal hazards enables everyone to act as a sensor which increases effective communication and swift escalation or mitigation of threats. Self-sufficiency means not relying on others to solve your problems. You must be able to operate as independently as possible. Finally, everyone has a part to play and the days of relying purely on the Business Continuity, disaster recovery staff or outsourced solutions to fix everything are over. Staff need to be personally accountable for themselves and their departments. To achieve this, you need to empower your people, provide accurate information quickly and provide the tools required to operate in chaos. Frequent training and awareness efforts across all levels are the key to sustaining Resilience.
Edd Bennett, Manager, Business Continuity, BCAA

JOLANDA HORNE, SOUTH AFRICA

Recipe for success
By making use of our “Organizational Resilience” recipe at T-Systems in South Africa, we are directly linked to our customers, suppliers, regulators and even our competitors. For us to be successful at bolstering our Resilience, we make use of the following “ingredients”: Resources, Employees, Silos, Integration, Leadership, Incidents, Embracing New problems, Communication, Evaluation. The foundations of a ‘flop-proof’ process are based on leadership, decision-making, and evaluation; this is mixed with communications and commitment to meeting end goals. First, gather together all empowered and skilled employees and understand their tasks and responsibilities. Ensure that the relevant resources are available and that each one understands the long-term success of achieving Resilience. Encourage them to cooperate in the challenges by getting them involved in meetings, making decisions, and adding significant value to the organizational growth. Embracing and capitalising on change is key. Be proactive, detect early warning signals to identify new problems. Importantly, make use of past lessons learnt in order to address current and future incidents. Understand the unity of purpose, the minimum requirement of clearly defined business priorities and operational levels. Blend in some integration, looking forward and backwards, breaking down silos and driving participation. And finally, validation through development and evaluation will clearly show the growth.
Jolanda Horne, Business Continuity Specialist, T-Systems

MORTEN VESTRE, NORWAY

Adaptability is important
A resilient organization is characterised by being agile, having the ability to balance stability and flexibility and being able to adapt quickly to changes. The organization must have good structures to respond to and manage risk and the opportunities that come with it. To maintain the balance between stability and flexibility, an organization should review organizational structures such as the allocation of resources, governance and management mechanisms, including how decisions are made, and processes. Organizational Resilience deals with future investments, supply chains, sustainability, innovation, and people. That is why there is no absolute ‘one size fits all’ for how to build Resilience. Each organization must define its own culture and behaviour, depending on the context and the organization’s objectives. An important prerequisite for building Organizational Resilience is the balance between taking care of the organization’s core values and goals while operating practices, strategies, and objectives are subject to constant change and adaptation to changing environments. A key factor here is leadership that facilitates and embraces innovation and builds, cultivates and nurtures Resilience into the organization culture where both stability and change coexist.
Morten Vestre, Business Continuity Manager, EVRY Group

PIERRE WETTERGREN, SWEDEN

Stand up and deliver
Every implementation of a Business Continuity Management (BCM) system is unique but there are a few ingredients I always include. The key focus is deliverables. Stop talking about critical processes and instead see processes as those which generate the delivery of services or products. Deliverables have owners tasked with ensuring business objectives are met. Once they understand the value of securing the continuity of the deliverables, the owners become advocates for the work. In most cases, deliverables have clearly defined values. Those values are later used in the business cases for improving the underpinning capabilities. Top managers love to see the connection between the investment and the deliverables. Also develop tactical support by training workshop facilitators, as they are trained in coaching leaders and their teams through all steps, and are a key component to developing Organizational Resilience. Too often centralised BCM programmes send out instructions and templates without providing tactical support to the organization’s managers. This is devastating and ensures capabilities will soon fade out.
Pierre Wettergren, Chief Experience Officer, Clever Collaboration Group


INTERACTION

OPINION TIM WREN

Take the ‘smaller’ problems seriously

Fear of workplace health and safety incidents, despite being costly, disruptive and frequent, may not keep business leaders up at night. However, cumulatively these incidents outstrip the costs of more high-profile threats such as cyber attacks or IT outages, and they should be getting a bit more attention than at present from executives. The BCI’s ‘Horizon Scan Report’, based on the responses of 569 industry professionals across 70 countries and published earlier this year, found that the biggest organizational risk was widespread unplanned IT and telecommunications system outages. However, the cumulative financial cost of those 21st-century perils isn’t as high as those for health and safety or reputational incidents, especially for the largest companies. It is clear some threats are underrated in relation to the damage they can inflict on future business Resilience. Health and safety is one. In 2018, incidents cost a total of more than $1bn (£824m) for organizations surveyed that suffered losses of more than 7% of annual revenue. In comparison, the cost of cyber attacks was around $140m, yet health and safety ranked 12th on the list of top perceived future risks. In my view, organizations are not taking these threats seriously enough or not proactively developing plans to mitigate them.

Emphasising the need for planning is one aspect where the international management systems standards offered by the British Standards Institution can help. Achieving Organizational Resilience means identifying not only the big risks, but also the issues that can be easily missed. Taking a holistic view of a business’ health and success, rather than dwelling on risk management, is key. Other issues in the BCI report included unexpected “black swan” events and political change, which was unsurprisingly among the top 10 expected disruptions. However, the financial aspects of such upheaval seem to be neglected, as the potential for exchange-rate volatility and a higher cost of borrowing did not place within the top 10 concerns. In the end, organizations with BC plans in place for more than a year suffer fewer disruptions than their peers, the report concluded. These prepared organizations have demonstrated tangible benefits from embracing Business Continuity planning. Overall, the findings give businesses great insight to help build a foundation for anticipating and responding to disruption; not just the high-profile threats, but also those lower-profile but potentially costlier issues like health and safety. We’re operating in an evolving business environment, so this knowledge is priceless going forward.

Tim Wren is Americas Commercial Director at the British Standards Institution

THIS QUARTER’S BEST TWEETS (Twitter @THEBCEYE)

Dr Magda Chelly @m49D4ch3lly, Aug 18: #Cybersecurity is no longer just a technical issue managed by “tech-savvy” nerds. Cybersecurity is a business responsibility of the board of directors, #business owners and even parents.

Mark Hoffman @m_hoffmancbcp, Aug 13: Plandemonium. What occurs at time of crisis when you have a plan, but no one is familiar enough with it to know what to do! It’s time to exercise your plans! #cybersecurity #businesscontinuity #crisismanagement

Rosemarie Grant @Rosegeiergrant, July 31: Building expensive structures in risk prone #disaster areas is NOT #resilience. It is a waste of #embodiedenergy, natural resources, investment capital, & worse – it puts lives in danger. #LocationMatters

Don Weir @MCSDonW, May 30: The best way to prepare employees to stop #ransomware attacks is to train them. Train new employees at orientation and all employees bi-annually.


INTERACTION

EXPERT VIEW M I C H A E L C R O OY M A N S

Ensuring continuity of the ICT services

A

s our information and communications technology (ICT) processes become more digital and leaner, the likelihood of being able to perform them manually lessens. The expression “We can’t do anything without ICT” is a phrase we hear more frequently and business impact analyses often show this is true. Furthermore, the data is utilised by many processes in the value chain – problems with order entry can quickly result in problems with planning and production. Not too long ago a data loss of 24 hours was acceptable but now recovery time objectives (RTOs) of 0 are more common. The reliance on ICT is not limited to our own systems – ICT outages affecting our suppliers and customers more commonly affects our business processes. In 2017 Amazon’s S3 services were disrupted. Given how many organizations reported being affected it was a reminder that while the continuity of our ICT may be in order, we cannot assume our suppliers have done likewise. On social media, many interested in the cause of the disruption were ‘relieved’ when it was discovered and steps taken to prevent a reoccurrence. However, as there was little talk about being prepared for such an event, I suspect businesses will still have problems when the next major disruption occurs at a cloud provider. ICT is usually

organised as a supporting function within an organization. It is common to provide them with the business requirements and let them translate this into ICT services. This approach is reflected in the various standards relating to Business Continuity. Here are some tips and focus areas to help achieve the required level of ICT continuity.

ICT Department

As the ICT department is responsible for providing the continuity of the ICT services, it is important that it understands exactly what the requirements are. Generally, these will be supplied by Business Continuity Management (BCM) as maximum downtime (RTO) and maximum data loss (RPO), which can vary for specific functions within an application. It is crucial to determine where the data comes from, as well as all the infrastructure on which the data and processing depend – the continuity of each of these elements is necessary. Don’t forget other ICT requirements that may be necessary for dealing with other types of business disruption – e.g. the ability for many employees to work from home.

When establishing the disruption response and recovery teams, plans and procedures, focus not only on infrastructure disruptions, but also on disruptions due to application issues and/or data. How will missing or corrupt data be recovered? All response measures need to be regularly and thoroughly updated, tested and exercised.

Separate from the continuity of the ICT services, the ICT team must be able to deal with disruptions in its own ability to deliver those services – consider how these can be continued in the event of the loss of a building or (critical) personnel. The team needs its own BCM – use ISO 22301 or the BCI’s Good Practice Guidelines to define and implement it.

Suppliers of ICT services

Elements of our ICT services are more commonly outsourced to external suppliers. It is necessary to understand not just how the availability of these services is defined and contracted, but also the continuity of the services. Availability is usually defined in terms of uptime percentages and measured per month. Continuity is less frequently defined in contracts, but it should specify maximum recovery times and maximum data loss in the case of disasters. Try to be involved in the testing as a participant and/or observer to see if the test plans and results are representative. Remember also to ask a supplier how it manages its own critical suppliers.

Business

It may not be possible (or feasible) for ICT to meet all the continuity requirements. The business needs to take this into account and have plans to deal with these situations should they arise. It is worthwhile for the business to be involved in the ICT tests and exercises.

Information Security

Another aspect of ICT continuity is information security. Not only does it play a role in preventing disruptions, but also in detection, response and recovery. It is good to align the plans with the information security department and to exercise with them.

Michael Crooymans is the Global Resilience Officer at Signify and a Director of the BCI.
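The tips above (trace where the data comes from and every element it depends on, treat untested supplier continuity as unverified, and let the business plan for what ICT cannot meet) as a worked example added here; it is not code from the column or from Signify. The component names, hour figures and the serial-recovery assumption are constructed for illustration.

```python
"""Added example: propagate a business process's RTO/RPO requirement through the
ICT elements it depends on and report where ICT cannot meet it, so the business
knows where it needs its own fallback plan. All names and figures are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Component:
    """One ICT element: application, data source, infrastructure or outsourced service."""
    name: str
    rto_hours: float                       # max downtime this element itself achieves
    rpo_hours: float                       # max data loss this element itself achieves
    depends_on: List[str] = field(default_factory=list)
    supplier: str = "internal"             # "internal" or the external provider
    test_observed: bool = True             # did we see a representative recovery test?


def effective_targets(components: Dict[str, Component], name: str,
                      _chain: Tuple[str, ...] = ()) -> Tuple[float, float]:
    """Return (RTO, RPO) for `name` once its whole dependency chain is counted.

    Assumption (conservative, constructed for this example): an element is only
    restored after everything it depends on is back, so recovery times add along
    the slowest branch; data lost upstream is lost downstream too, so the RPO is
    the worst value anywhere in the chain."""
    if name in _chain:
        raise ValueError("circular dependency: " + " -> ".join(_chain + (name,)))
    comp = components[name]
    slowest_dep_rto = 0.0
    worst_rpo = comp.rpo_hours
    for dep in comp.depends_on:
        dep_rto, dep_rpo = effective_targets(components, dep, _chain + (name,))
        slowest_dep_rto = max(slowest_dep_rto, dep_rto)
        worst_rpo = max(worst_rpo, dep_rpo)
    return comp.rto_hours + slowest_dep_rto, worst_rpo


def continuity_gaps(components: Dict[str, Component],
                    requirements: Dict[str, Tuple[str, float, float]]) -> List[str]:
    """`requirements` maps a business process to (entry component, RTO h, RPO h)
    as supplied by BCM. Returns one line per finding the business must plan around."""
    findings: List[str] = []
    for process, (entry, req_rto, req_rpo) in requirements.items():
        rto, rpo = effective_targets(components, entry)
        if rto > req_rto:
            findings.append(f"{process}: RTO {req_rto}h required, {rto}h achievable")
        if rpo > req_rpo:
            findings.append(f"{process}: RPO {req_rpo}h required, {rpo}h achievable")
    # Supplier continuity that has never been seen in a test counts as unverified.
    for comp in components.values():
        if comp.supplier != "internal" and not comp.test_observed:
            findings.append(f"{comp.name}: continuity of supplier "
                            f"{comp.supplier} not verified by test")
    return findings


# Constructed dependency map: order entry runs on an ERP application that needs
# an internal database cluster and an outsourced storage service; planning
# consumes the ERP data, as the column's order-entry example describes.
COMPONENTS: Dict[str, Component] = {
    "db_cluster": Component("db_cluster", rto_hours=1.0, rpo_hours=0.0),
    "cloud_storage": Component("cloud_storage", rto_hours=8.0, rpo_hours=1.0,
                               supplier="cloud_vendor", test_observed=False),
    "erp_app": Component("erp_app", rto_hours=2.0, rpo_hours=0.25,
                         depends_on=["db_cluster", "cloud_storage"]),
    "planning_app": Component("planning_app", rto_hours=3.0, rpo_hours=4.0,
                              depends_on=["erp_app"]),
}

# Constructed BCM requirements: process -> (entry component, RTO hours, RPO hours)
REQUIREMENTS: Dict[str, Tuple[str, float, float]] = {
    "order_entry": ("erp_app", 4.0, 0.0),
    "planning": ("planning_app", 24.0, 24.0),
}

if __name__ == "__main__":
    for line in continuity_gaps(COMPONENTS, REQUIREMENTS):
        print(line)
```

Planning's 24-hour targets are met even though it sits behind order entry, while order entry's RTO of 4 hours and RPO of 0 are not, because the untested storage supplier's 8-hour recovery and 1-hour data loss flow through the chain.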



Expert Voice | SPONSORED FEATURE: YUDU SENTINEL

Crisis Communications Tech is Changing: Did You Get the Message?

RICHARD STEPHENSON, CEO, YUDU Sentinel

Whenever a crisis happens, communication is one of the key priorities. For most customers, clients and wider stakeholders, what a company chooses to communicate is the only part of the crisis response they’ll see. For the incident response teams, speed and strength of communication will determine the effectiveness of the crisis response - and technology has a critical role to play.

Forcing people to use a platform that they are unfamiliar with, to communicate in a way that doesn’t come naturally, will cause problems. That’s why we developed YUDU Sentinel. Sentinel is a crisis management platform designed to help with all aspects of a crisis response: from instant conference calls to sharing evacuation plans. We’ve also recently launched Sentinel Hotline, a phone service that lets you set up numbers that people can call for instant updates on a situation.

SO WHY DO WE NEED PURPOSE-BUILT CRISIS COMMS TECHNOLOGY?

Communication needs to be much richer and deeper than SMS notifications. There are limits on what can be communicated with SMS alone. The deeper information we need sits in the plans we prepare. Today, we can have all the information we need pre-downloaded on our phone. Sharing also becomes central to crisis response: to solve problems, we need real-time collaboration amongst teams with image, video and document sharing.

You need the right communication tools for the job

Outside of work you might enjoy adding Snapchat filters to your selfies or sending gifs in WhatsApp – but none of those are good reasons to use social media apps for business purposes, let alone in a crisis. These platforms are held on US (mostly Facebook) servers, siphon data without permission therefore breaching GDPR - and are outside of the purview of the leadership team who have probably not been invited into the chat group.

Communications need to be as mobile as your staff

Even those who work in conventional offices are no longer tied to their desks. If an incident happens over lunch, during a business trip or commuting hours, you still need to be able to contact everyone. The one item that none of us leaves their office or home without is our mobile phone: an untapped resource. Communications should use channels that include, or even prioritise, the mobile phones of those they need to contact.

There is no excuse for leaving people in the dark

“Nobody will tell me anything” is the ever-repeating chorus we hear every time there’s a crisis. Whether it’s cancelled flights or a major data breach, the last thing you want is for the information vacuum to be filled with hysteria and misinformation. Simple actions such as having a bank of pre-made communications templates can help. Purpose-built solutions like Sentinel Hotline can also help ensure that people know where to turn for information and serve as the source of truth in a crisis.

● Sentinel offers a mobile app with a chat function while still giving control to the people in charge of managing the crisis. To see a demo of the software in action, contact us at sentinel@yudu.com, or visit our website to find out more at www.yudu.com/sentinel.

YUDU SENTINEL For further information please visit: www.yudu.com/sentinel



TECHNOLOGY

Plug-and-play business continuity for SMEs

StorageCraft’s OneXafe Solo 300 is a cloud-based, plug-and-play Business Continuity (BC) solution aimed at small-to-medium-sized enterprises that streams data directly to StorageCraft’s cloud services. It is designed to provide cloud-based anytime, anywhere data back-up, protection, and recovery for small business environments with zero upfront cost. It has a two-step deployment process that can protect single-tenant and multi-tenant environments within minutes. Users can assign service level agreements (SLAs) and recovery time objectives (RTOs), and OneXafe Solo 300 does not impose a limit on the number of machines it supports. It continuously monitors the health and status of the data environment and reports on storage capacity, remote replication and SLA-based data protection policies. OneXafe Solo 300 will be available in autumn. www.storagecraft.com

Companies team up for all-in-one safety platform

Punch Technologies and Johnson Controls are joining forces to develop an all-in-one safety communications platform that offers US businesses faster, more effective emergency management and communication. PunchAlert can be integrated into businesses’ existing security systems and provides the opportunity to more easily and effectively communicate with employees, emergency responders and other surrounding businesses in the event of an emergency. It can crowdsource content and involve local emergency responders in communication. Punch reports that it will also launch a safety wearable called Rescue in 2020. www.punchalert.com

Situational awareness for employees

Earth Networks is rolling out a new mobile application and hub designed to deliver critical weather information and alerts to distributed employees across an organization. Sferic Connect helps organizations mitigate risk by providing environmental intelligence from the world’s largest hyperlocal weather network, ensuring employees have standardised, reliable information that is relevant to their needs. Features include push alerts for weather, lightning detection courtesy of more than 1,700 sensors in 14 countries and a storm-tracking map. It provides individuals with real-time information on temperature, wind speed, UV and forecasts. www.earthnetworks.com

TECH ROUND-UP: Best new tech this month

Countering cyber attacks

Ransomware attacks have brought the need to strengthen cyber security sharply into focus. With this in mind, IOXO is launching CityWRX, an initiative that uses its cloud platform CloudWRX to move all computing functions to the cloud from on-premise IT, in theory removing vulnerable devices and connections. Its proprietary CloudLock replaces desktops and laptops and provides secure access to city data and resources. If teams want to keep existing hardware, IOXO’s software-only version turns any internet-connected device into a secure workspace. IOXO claims to bring enterprise-grade protections that are typically available only to the largest municipalities to small and remote cities. www.ioxo.cloud

AI and data science to battle hurricane season

Resilinc is applying artificial intelligence (AI) and data science to its body of supply chain data, hurricane data and other factors to recommend tailored actions to organizations to enhance supply chain Resilience. The automated service evaluates supplier sites based on many different factors. These include regional weather risks, customer history of supply chain events, and the supplier’s BC plans or lack of them. Resilinc also analyses key customer metrics, such as how many products are produced on site, and the revenue at risk in the event of disruption. www.resilinc.com

Reducing the risk of digital transformation

TÜV SÜD has unveiled its new risk and safety management software solution mCom ONE and the Smart Industry Readiness Index, which are designed to help organizations transition to smart manufacturing. The cloud-based mCom ONE solution is a digital machinery compliance management tool, which claims to pave the way for future hazard and risk management. TÜV SÜD’s Smart Industry Readiness Index, meanwhile, allows manufacturers to manage the complex challenges involved in Industry 4.0 and digital transformation. The tool produces targeted analyses of processes, systems, and structures and breaks them down into understandable and implementable building blocks to help organizations visualise the benefits of digital transformation. www.tuvsud.com



STAYING ALERT

KEEPING THE BUSINESS COMMUNITY SAFE

Having secure and trusted information is vital when helping advise local businesses on the first steps to take in a crisis

BY ROISIN WOOLNOUGH

A couple of years ago, an item that looked like an unexploded bomb was found outside London’s Victoria mainline station. British Transport Police (BTP) was immediately alerted, the station was evacuated and cordons went up around the area. Local businesses could see that something was happening and that the situation was potentially very serious, but no official information had been released.

Chris Tsikolis, Head of Security and Business Resilience at the Victoria Business Improvement District (VBID), said it was really alarming. “We could see people running around but had no information. We were calling BTP but couldn’t get through.” Then local businesses started calling VBID, the first call coming from the shopping centre that sits directly above Victoria Station. “They should have been the first to know, but they knew nothing about it. It was chaos,” says Tsikolis, who had received an email and call within an hour from the police saying it was a false alarm – the item was not a bomb after all.

However, the incident got VBID’s Head of Security thinking about the usefulness of an early warning platform for all businesses in the area so that they could be alerted to any emergencies, disruptions, potential disruptions and problems in the area in real time. He was already aware of an American package called Everbridge that was launched after the September 11 attacks in New York, so he and the rest of the VBID Safe and Secure Steering Group met with Everbridge and a handful of suppliers of other similar platforms. One of them was Yudu, whose Sentinel Technology platform was selected. Tsikolis explains: “Most of the proposals from the other providers were off the shelf, focusing on individual businesses. We wanted something that would enable us to alert our business members and so we wanted something a bit different. We couldn’t offer advice, because then we would immediately become liable. We also wanted to own the platform.”

Eight months later, the crisis management tool was trialled by 15 local businesses over a two-month period at the end of 2018. In January 2019 it was officially launched. At time of writing, more than 130 local businesses are using the platform, with new members signing up frequently. VBID is the first business improvement district to use this kind of technology, although others are looking to follow suit. There are 60 BIDs in London alone, and 300 across the UK.

VBID was able to tailor the platform around members’ needs. It has VBID branding on it, including a branded name – Victoria Emergency Notification System (VENS). Shortly before launch, a few adjustments were required to make it more relevant to the business district. These tweaks related to the kind of information that could be uploaded to the document library and ground rules for users of the platform.

“Once we developed the platform we realised that we wanted to be the conveyor of genuine and valid information, rather than picking up information from Twitter, Sky Media etc,” says Tsikolis. “We felt we had to plug the platform into a reliable source, which was the Met police.” The London Metropolitan Police was reluctant to feed information directly onto the platform, but fortunately for VBID, one government department in the area was happy to share relevant information in real time, feeding it straight onto the platform. So VBID gave a couple of individuals from the government department access to the platform and trained them up in how to use it. This has led to a 24/7 feed of real-time information. The Met also feeds information to the platform, although it goes via VBID first.

Tsikolis would like to get BTP involved in the scheme. “We’ve got the busiest transport hub in the country. Transport for London wasn’t interested in joining, but we’re trying to get BTP to join.”

Ruth Hart-Leverton, UK Head of Communications at the energy company Orsted UK, says it is important to receive information from a reliable source. “In order to protect your




business and staff, in a world of fake news, it is extremely reassuring that we are receiving information that is verified and is coming to us as early as possible.”

Since January, VBID has been able to push out information about incidents or events that will or might affect businesses in the area. “I get a text or an email to say, for example, a demo is planned for this evening and there might be some civil unrest,” says Martin Phelan, Regional Manager Security Services UK at American Express Services Europe Ltd, and a member of the VBID Safe and Secure Steering Group. “I might then need to put some internal comms out, particularly if it will affect the tube station, which lots of the staff use to commute.”

As well as being an information tool, Sentinel is also being used to build community spirit and action. Members are encouraged to build relationships with each other, sharing information and best practice. The idea is that by getting individual businesses to work with each other, the overall Resilience of the area is improved. Richard Stephenson, CEO at YUDU, explains: “It’s really important from a Resilience point of view for communities to have communication tools to use, particularly in a crisis. It’s always the communication that tends to fail. We need to knot communities together so that they can communicate and share best practice – that makes communities more resilient.”

When a major incident does occur, businesses can pool resources and work together. Stephenson says members will know where the first aiders are, for example, or who has safe places. “You create a local grapevine of information related to how to keep people safe and how to react in a crisis to make sure businesses in the area are able to offer their own expertise and resources to help mitigate [local] crises,” he says. VBID is currently introducing a secure chat facility within the area to make communication even easier.

Lorrie Dannecker, Group Services Director and Business Continuity Manager at Telegraph Media Group, was part of the trial group. She says the London Bridge attack in 2017 highlighted the importance of community action. “It raised awareness of what we need to do to help each other and not just rely on emergency services, as sometimes emergency services have to wait until it’s safe to come in.”

It’s not just useful in crisis situations – Dannecker says she is able to minimize disruption to day-to-day operations. She can alert the loading bay or delivery companies or maintenance providers, for example, when there is an issue affecting delivery. Prior to the system being introduced, Dannecker says she only received generic information about potential disruptions from Westminster City Council. Now she has much more specific information and it’s 24/7. “When I get information about protests, for example, that might affect our staff or building, I forward it on to security teams. At weekends I monitor activities in the area, whereas traditionally we would not have received anything.”

This 24/7 capability is really useful to members. However, Tsikolis says other BIDs may struggle to provide real-time information around the clock. “The main challenge is how to make this platform available and give it 24/7 capability.” Any BIDs looking to implement the same or a similar tool need to get a variety of organizations on board with the concept – the police, transport providers, etc. Tsikolis thinks there is a strong appetite for crisis management tools and says the Met is currently building its own platform, which will take about a year to complete.

He is working on adding a new function to the app – providing a set of actions that members can instantly draw on when they need to. So if there is an incident, members can look up the action set on their phone and decide what course of action to take – if there is a bomb threat, what are the evacuation procedures, for example. “This will give you a list of options for actions you should take in the first 30 minutes of a crisis,” says Tsikolis. “Research has shown that during a crisis people tend to forget things or no one has actually read the Business Continuity plan.”

So far, Tsikolis says the tool has been helpful during April’s Extinction Rebellion protests and other events. It has yet to be tested during a major emergency, such as a terrorist threat, but if needed, those developing the tool are working hard to make sure the platform is fully functional if disaster strikes.



Expert Voice | SPONSORED FEATURE: PLANB CONSULTING

Why Cyber Incident Management is a Senior Management Issue

“IT teams will handle it.”

Is that your senior management team’s approach to cyber incident management? That’s a potential problem. Senior managers need to be ready and prepared to manage a cyber incident – the technical efforts are only a piece of the puzzle. Of course, your IT department has a crucial role in conducting a technical response and recovery effort. They will restore vital systems and data, address the vulnerability, and perform or supervise any forensic investigation – all critical steps in a successful response. But three other elements fall squarely at the feet of the senior management team to address.

THEY ARE:

Proactive communication – First and perhaps most critical is to communicate with your stakeholders proactively. These could be the individuals or organisations that have lost personal data or the customers whose delivery of service has been impacted by the cyber incident. Alongside the stakeholders directly affected by the incident are the regulators, shareholders, investors and the organisation’s staff who all have an interest in the event. Also, people affected by the breach need to be kept informed of the incident and the actions being taken. Engaging and notifying regulators will require careful management, consideration and considerable resource to ensure that the organisation fulfils its required legislative duties. All cyber incidents have a greater or lesser effect on the organisation’s reputation, and this needs to be managed carefully to prevent an incident from becoming a crisis.

Regulatory compliance – Secondly, the senior management team must ensure that the organisation complies with statutory reporting requirements, such as reporting under GDPR. In the UK, reporting a breach to the Information Commissioner’s Office (ICO) has to be carried out within 72 hours.

Continuity of operations – The third phase is to enable the continuity of operations and business recovery. If the organisation cannot access its IT systems for an extended period, business continuity plans must be invoked. These plans can be used to continue operational activities using manual work-arounds or recovery solutions until IT systems are restored.

It is in the best interest of senior managers to be engaged in response to cyber incidents. If the response is inadequate, it is usually the CEO, CIO or CTO who ultimately has to take responsibility. Senior managers must ensure they are ready by having a robust response plan, reliable recovery solutions and a trained awareness of their responsibilities when an incident occurs.

Charlie Maclean-Bristol is an award-winning resilience consultant and Fellow of the Business Continuity Institute. Charlie regularly assists organisations with enhancing their business continuity and crisis management capability as Director of international consultancy practice PlanB Consulting and the Training Director of global business continuity training provider BC Training. ●

CHARLIE MACLEAN-BRISTOL, Director, PlanB Consulting

PLANB CONSULTING For further information please visit: www.planbconsulting.co.uk +44 (0)1505 228898 info@planbconsulting.com



SPECIAL REPORT: DATA BREACHES

LOOKING INTO THE BREACH




Most companies fear the cyber threat, but losing mobile devices or paper records can cause just as much havoc for organizations of all sizes BY COLIN COTTELL

Hardly a day goes by without news of a data breach somewhere in the world. At the end of July, Capital One admitted that a hacker had been able to obtain personal details of about 106m customers in the US and Canada. In the UK, the Information Commissioner’s Office (ICO) gave notice of its intention to fine British Airways a record £183.4m for a data breach involving around 500,000 customers, and hotel chain Marriott just shy of £100m for alleged infringements under the EU’s General Data Protection Regulation (GDPR), under which organizations can be fined up to 4% of their global turnover.

Brian Davey, MBCI, Business Continuity & Information Risk Specialist and Principal Consultant at Davey Continuity, says the BA case has been “a bit of a wake-up call at board level” for his clients. Organizations serving corporate clients in particular are fearful that such a data breach could see them lose the confidence of those clients, which “could lead to the loss of contracts and market share, and ultimately causing the business to close”.

Aside from these high-profile incidents involving huge fines and millions of customers are the more mundane, ‘everyday’ – but nonetheless often damaging – breaches, such as one involving Queensland Health, which launched an investigation after medical files were found on the roadside, and a Chicago healthcare company that left patients’ records in its old facility. In the UK, estate agency Life at Parliament View was fined £80,000 for leaving 18,610 records exposed for two years.

Under GDPR, which is widely recognised as among the toughest data protection and data privacy legislation in the world, a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Figures published by the UK’s ICO show there were 2,577 non-cyber personal breach reports sent to the ICO in Q4 of 2018-19, compared to 686 cyber personal breaches. Among the most common types of the former were data posted or faxed to an incorrect recipient, the loss or theft of paperwork or data left in an insecure location, and the loss or theft of a device containing personal data. Davey says examples he has come across in his career include confidential waste paper being put in the wrong bins and ending up in landfill, and laptops and USB sticks being left on public transport. Among the most common cyber breaches were unauthorised access, phishing attacks and ransomware.

Right around the world the trend is the same. And it is one that has not gone unnoticed by those at the top of organizations. According to the BCI’s 2019 ‘Horizon Scan Report’, cyber attacks and data breaches were the main concerns for 2019 of the 569 global Business Continuity (BC) and other related professionals surveyed, based on a combination of the likelihood of these incidents happening and their impact on the organization.

According to Dr Bright Gameli Mawudor, PhD, Head of Cyber Security Service at Internet Solutions Kenya, unauthorised disclosure is one area that most organizations do not focus on. “Losses of devices via many avenues get taken lightly, although they are containing very confidential and sensitive information,” Mawudor says. “Worse cases get to be seen when the laptops or devices are unencrypted, which allows even an inexperienced computer user to access the data using numerous methodologies that can be found on YouTube and Google.

“Information such as passwords and other credentials retrieved from such devices can be used for further attacks on an organization by having direct access to email records, database and file servers as well as internal networks,” Mawudor continues. “Paper records, on the other hand, may at times contain minimal information but such can be used for the biggest breach of an organization. These might be passwords to critical infrastructure or details to assist a potential breach.”

When it comes to preventing breaches from devices that are lost or stolen, Mawudor says there are a number of solutions. “The first way is to have all laptops in an organization encrypted to prevent access to the data if they are lost. All devices in an organization must go through asset management where there is discovery and an inventory of any connected device at any point in time. Asset management keeps records such as the name of the device, the MAC address, which is unique, as well as the applications running on them. Network access control must be coupled with the above to know when new unauthorized devices are being introduced into the network or when they have gone away, with their time stamps contributing to suspicious activity.”

With data breaches from paper records and traditional files and filing systems still a significant problem, Mawudor says: “Policies around the handling of paper records must be strict to enable employees to be aware of the severe consequences of disclosing company information.” For loss of devices and human error, awareness and training are the most effective means. Loss of devices should be reported proactively, and organizations can devise disciplinary controls, depending on culture.

“To prevent unauthorized access internally you need technical controls like role-based access controls, access permission to files, password control and similar,” says Sanjiv Agarwala, MBCI, Founding Director of Oxygen Consulting Services, President of BCI’s Pune Chapter, and a member of the BCI India Next Practice Think Tank.

Many published statistics related to data breaches draw a distinction between breaches that result from human error and those that are caused by people with malicious or criminal intent. Davey says the two are often linked, making it difficult to make a clear distinction. “There is indeed a link between human error and malicious attack, with two simple examples being the use of social engineering to force people to drop their guard and ignore normal security controls, and the ransomware attack delivered via a phishing email, where an end user then

GDPR: STRENGTHEN YOUR DEFENCES

The GDPR (General Data Protection Regulation) obliges companies dealing with the data of EU residents to report breaches of personal and private information to the relevant regulator, and also to notify data subjects who may be adversely impacted by the breach “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. In the UK, GDPR is regulated by the Information Commissioner’s Office (ICO), which in July levied a record £183.4m fine on British Airways, and just shy of £100m on Marriott. So how likely is it that other organizations will be hit by similar penalties?

Brian Davey worked as a data protection officer in the UK for five years, and had regular dealings with the ICO. Davey tells C&R: “In my experience as a data protection officer in financial services, the ICO takes a fair and reasonable approach to assessing breaches and does not simply hand out large fines without good reason. If your organization has committed a data privacy breach, you need to be able to demonstrate that the breach was not the result of a systemic failure in your security controls, processes and procedures or due to a disregard by management for the privacy of personal data. However, if you repeat the data privacy breach due to the same root cause then watch out. To err is human, to err twice is asking for trouble.”

Figures available on the ICO website show that in the 12 months to the end of July 2019, the ICO handed out 55 monetary penalties, issued 22 enforcement notices, and made 13 prosecutions for breaches of data protection and privacy regulations.

1m
Approximately 1m social insurance numbers from Capital One’s Canadian customers were compromised as a result of a data breach that wasn’t discovered until four months after it occurred

Personal breach reports
Figures published by the UK’s ICO show there were 2,577 non-cyber personal breach reports sent to the ICO in Q4 of 2018-19, compared to 686 cyber personal breaches.



SPECIAL REPORT

DATA BREACHES

makes the mistake of clicking on the link and activating the malware. The malicious act is sending the malware but the mistake is clicking the link.” Davey offers an example of social engineering involving a call centre operator who was persuaded to give out a customer’s details by the caller pretending to be the customer’s wife, and exploiting the call centre operator’s human instinct to be helpful by playing the sound of a crying baby in the background. Human beings are often the weakest link, which is why Davey says it is vital that organizations test how susceptible they are to making such mistakes “by sending staff fake ransomware emails and seeing who clicks on it”. “The training has to be very practical and show them scenarios such as phishing, email spoofing, malicious document compromise, mobile security as well as basics of incident response,” adds Mawudor. Amit Garg, MBCI, Information Security Expert and Director at Berkeley Research Group, based in Alexandria, Virginia, USA, says the increasing sophistication of “bad actors in making phishing emails look authentic means that organizations need to up their game when it comes to data security awareness”. “Someone will spoof to be the CEO of a company or high-level executive telling another employee ‘Please transfer this amount of money to this bank’,” says

PRACTICAL STEPS TO PREVENTION
BE AWARE: Employee awareness and training, with regular testing to measure its effectiveness
FIGHTING FIT: Test employees and systems regularly
TAKE CARE: Provide clear policies and processes on disposing of both data devices, such as laptops, and paper records and files
KNOWLEDGE: Make sure you know at all times exactly where data, including hard copy data, is held or stored, eg. on servers, in the cloud, in filing cabinets
STAY SECURE: Protect the network through IT security policies and standards, including encrypted communications, VPNs, firewalls, penetration testing and controlling physical access
BE CAUTIOUS: Limit network access for vendors and visitors, and apply the same standards to vendors and contractors as to the core organization
DATA CULTURE: Build a culture that puts data privacy and data protection at its heart
ABIDE BY LAW: Make sure you adhere to data protection and data privacy laws

According to the BCI’s 2019 ‘Horizon Scan Report’, cyber attacks and data breaches were the main concerns for 2019

Garg. “People are not thinking it through.” However, he admits organizations have their work cut out. “They are fooling the best of us,” he says. In addition to training to raise awareness and inculcate good habits among staff, organizations also need to put technical measures in place, says Mawudor. These should include basic endpoint solutions that monitor the behaviour of malware in their network and systems. With 50% of the 7,800 publicly reported breaches between 2012 and 2017 on the VERIS Community Database studied by consulting firm McKinsey having a substantial insider threat component, privileged access management should also be considered to control the level of access and activities of privileged users on systems, security experts advise. According to Mawudor: “This will curb cyber breaches from rogue employees who have high clearance on systems within the organization.” At the same time, McKinsey found that only 38% of breaches from insiders were malicious. Mawudor advises 24/7 continuous monitoring services, possibly outsourced, to allow for a third-party eye on activities going on in an enterprise network. He says this is often ignored within organizations, allowing various malicious or unknown threats to go on for months without being detected. Steven Cvetkovic, Chief Information Security Officer, Swinburne University of Technology, Melbourne, Australia, and a former BCI Victorian & Tasmanian leader, says the first stage in preventing data breaches is to identify threats. Every year the university identifies its top 10 cyber risks, and according to Cvetkovic, most threats and successful attacks come from a single phishing email, with the most attacks coming from abroad, in particular from Nigeria, China and Russia. In response he says a lot of effort is put into communicating with staff to highlight the risks, although he admits not always with the hoped-for results. “We have learned that no matter how



much you communicate, there will be a pocket of people who fall victim to these activities.” “They [the perpetrators] work on people being very busy, so they think, ‘I will just respond to this email and then I will continue with my normal day-to-day operations’,” Cvetkovic continues. “The detection really starts with the vigilance of the end user, making sure that you help staff identify potentially fraudulent emails.” Like many other organizations, one way the university does this is to launch simulated phishing attacks. Rather than working in its own silo, Cvetkovic says the university’s information security department works very closely with colleagues in BC. He explains how when one organization sought help from the university’s experts, “during an active data breach when core systems containing personally identifiable information and sales data was compromised, we advised them to enact their BC plans to focus on serving the customer as opposed to working through a dirty data set, while their IT department worked through their containment and recovery activities”.

£3.23m
Depending on the size of an organization, the cost of a data breach over the course of five years following the incident can reach up to $3.92m (£3.23m)

“It all starts with the BIA [business impact assessment],” says Cvetkovic. Andrea Bonime-Blanc, PhD, Founder & CEO of GEC Risk Advisory, based in New York, favours the adoption of the ‘KISS’ principle (Keep it simple, stupid). She explains that in the context of an organization guarding against data breaches, this means having a strong, periodically implemented, surprise-based cyber-hygiene program that reaches all employees. This should include planted fake “phishing” emails and similar practical techniques, as well as useful, bite-size information that is targeted, regularly done and easily absorbable. According to Bonime-Blanc: “One of the last things you want to do is to gather your employees together in a conference room for two hours and lecture them with PowerPoints, aka ‘death-by-PowerPoint’. “Keep it simple, keep it hard-hitting and keep it relevant,” she advises. Above and beyond a strong and active cyber-hygiene program, Bonime-Blanc says the other critical thing that every


The true cost of a data breach
Depending on the size of an organization, the cost of a data breach over the course of five years following the incident averages between $2.5m (£2.1m) and $3.92m. According to a recent report by IBM, ‘The Cost of a Data Breach’, while financial penalties are an increasing concern for organizations, they understate the long-term cost of a breach. The cost includes the hiring of third-party cyber forensics firms, legal costs, upgrading security and compensation payments, as well as fines. On top of this is reputational damage, which is hard to put a figure on, as well as lost business.

“The last thing you want to do is to gather your employees and lecture them with PowerPoints. Keep it simple, hard-hitting and relevant” Andrea Bonime-Blanc, PhD, Founder & CEO GEC Risk Advisory




Capital One suffered a data breach that affected more than 100m customers in North America

do and don’t do may impact the bottom line, which has a direct impact on their salaries. There must also be awareness – lack of data security can affect a company’s services,” she adds. Data breaches can take various forms and it is very difficult to lock down all possible entry points, says Mawudor. Hence, he argues it is vital that organizations move beyond cyber security to embrace cyber Resilience. This involves “being able to identify, protect, detect and respond to cyber attacks”. “Achieving cyber Resilience rather than cyber security requires one to adopt a framework that fits the organization, perform a gap analysis and risk profiling to know their current state and where they need to be soon.” The next step involves “mobilizing the right stakeholders to drive this agenda”, Mawudor says. With the world awash with data, the risk of data breaches ever present and the increasingly serious repercussions – financial and otherwise – of not taking the subject seriously, there has never been a greater need for organizations to heed such advice.

“People should understand what they do and don’t do may impact the bottom line, which has a direct impact on a company’s products and services” Angel L. Fitchett, MBCI, an IT Security Risk Remediation Management Contractor

CASE STUDY Organizations are understandably reluctant to publicise data breaches in which they have been involved. C&R asked Airbus, which said in January that it suffered a data breach, resulting in unauthorised access to employee data, for details of the measures it takes to prevent data breaches and the actions it took in response. The company declined to provide detailed information, but did send a statement to C&R, which said: “Airbus takes cyber security very seriously. All of Airbus’ IT systems are designed, from the start, with security and data privacy in mind. We have a multi-layered approach to security and a substantial number of incidents are prevented by our teams every year.” However, following an “unauthorised access by an outside individual” that took place in March that affected around 100m individuals in the US and 6m people in Canada, Capital One was more forthcoming. The individual was arrested, but Capital One said the attacker obtained portions of credit card data as well as 140,000 social security numbers and 80,000 bank account numbers. Approximately 1m social insurance numbers from its Canadian customers were compromised as a result of the data breach that wasn’t discovered until 19 July, some four months after it occurred. Although the breach allowed access to encrypted data, the company says that ‘tokenization’, which substitutes the sensitive field with a cryptographically generated replacement, meant that most social security and account numbers remained protected.
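A token vault of the kind the Capital One statement describes, as an added example (not Capital One's implementation or any product's code): each sensitive field is replaced by a random, format-preserving token, so a leaked copy of the tokenized table reveals nothing unless the vault itself is also compromised. The record layout, the SSN format and the sample values are constructed assumptions.

```python
"""Tokenization of a sensitive field with a separate token vault.

Example code added as an illustration; the record layout, the SSN-style
format and the sample customer values are constructed, not real data."""
import re
import secrets
from typing import Dict, Iterable, List, Optional

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Maps tokens back to the sensitive values they stand in for.

    Tokens are drawn from a CSPRNG rather than derived from the value, so
    there is no key or function that reverses them: the mapping table is the
    only way back, and it lives in the vault, not in the application database."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if not SSN_RE.match(value):
            raise ValueError("expected an SSN-formatted value")
        # Deterministic per value, so the tokenized field still works as a join key.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            digits = "".join(str(secrets.randbelow(10)) for _ in range(9))
            token = f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"   # format-preserving
            # Reject collisions with existing tokens and with any real value the
            # vault knows about, so a token never equals someone's actual number.
            if (token not in self._token_to_value
                    and token not in self._value_to_token and token != value):
                self._token_to_value[token] = value
                self._value_to_token[value] = token
                return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._token_to_value.get(token)


def tokenize_records(records: Iterable[Dict[str, str]], vault: TokenVault,
                     field: str = "ssn") -> List[Dict[str, str]]:
    """Copies of the records with `field` replaced by its token; this is what
    the application database stores, while the vault is kept separately."""
    return [{**r, field: vault.tokenize(r[field])} for r in records]


def real_values_exposed(dump: Iterable[Dict[str, str]], real_values: Iterable[str],
                        field: str = "ssn") -> int:
    """How many real values appear verbatim in a leaked copy of the tokenized
    table, i.e. what someone holding only the dump actually learns."""
    real = set(real_values)
    return sum(1 for r in dump if r[field] in real)


# Constructed sample records (not real people or numbers).
CUSTOMERS = [
    {"name": "A. Example", "ssn": "123-45-6789"},
    {"name": "B. Example", "ssn": "987-65-4321"},
    {"name": "C. Example", "ssn": "123-45-6789"},   # same number, second record
]


def demo() -> dict:
    vault = TokenVault()
    stored = tokenize_records(CUSTOMERS, vault)
    return {
        "vault": vault,
        "stored": stored,
        "exposed": real_values_exposed(stored, [c["ssn"] for c in CUSTOMERS]),
    }


if __name__ == "__main__":
    result = demo()
    for row in result["stored"]:
        print(row)
    print("real values exposed by the dump:", result["exposed"])
```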


type of organization needs is leadership. “I don’t mean the right people in tech functions, which goes without saying; I mean the C-Suite and the board must be proactively engaged in figuring out what the right cyber-protection, information security governance approach should apply to their entity.” In Bonime-Blanc’s experience, she says, “the single most important thing” is to have a “global cross functional InfoSec [information security] team including critical business and functional leaders”. This should be chaired by the company’s CEO, and approved by the board, to decide and guide the company on its best InfoSec governance. “Once that has been determined, everything else can flow from it – people, programs, budgets, policies,” says Bonime-Blanc. Angel L. Fitchett, MBCI, an IT Security Risk Remediation Management Contractor based in Cypress, Texas, says that developing a security culture is essential if organizations want to minimise the risk of data breaches. At the heart of that culture should be the recognition that “at some point in the process there is human involvement and that how people behave and what they do and don’t do may result in some form of vulnerability”, Fitchett says. For a security culture to be effective, “it requires everyone to be aware of the right policies, processes and procedures”. She says this should be “a continuous process” with staff heavily involved. “People should understand what they



Expert Voice | SPONSORED FEATURE | ONSOLVE

The Business of Weather Weather risks are some of the most common causes of disruption to business. Ann Pickren provides some useful advice.

The business of weather is not lost on the C-Suite, which is beginning to view weather risks as being as impactful as traditional threats. As a result, risk management leaders can develop a plan to protect people and property. Core to these efforts is putting in place the right strategy to rapidly communicate with stakeholders before, during and after a significant weather event occurs.

CxOs must be invested Executive buy-in should encompass weather risk prevention, management and recovery. Central to these efforts is being able to quickly and accurately communicate with employees. Even the most elaborate plans for weather can be undone if an employee receives incorrect instructions, notifications arrive too late or wrong employees receive notifications. Risk management professionals must make a strong business and financial case for incorporating an Emergency Mass Notification System (EMNS) into their plans.

ANN PICKREN President, OnSolve

Understand your weather risks Do you know your severe weather risk? First, check location-specific concerns based on historical patterns as well as severe weather forecasts. Make a list of threats and how often incidents occur. Don’t forget events like severe thunderstorms, hailstorms, flooding and snowstorms. Secondly, look at risks to your supply chain, which can cause ripple effects across entire operations. Supplier risks are your risks! Finally, expand your weather risk touchpoints. It isn’t just traditional offices, but also key partner facilities. Take an inventory of your operations and how severe weather could impact them. Then order them by possibility and impact. Power outages during storms are more likely than a flood, but a flood could be more devastating.

Tailor your workforce communications When it comes to getting pertinent information out to employees, customers and suppliers, traditional communication methods only go so far. Phone trees, for example, rely on people to be ready and willing to make calls quickly, and inevitably some contacts are left out of the chain. A more effective method includes an EMNS which can use multiple modes of communication to get in touch, including (however, not limited to) voice calls, text messages, desktop alerts and social media. Multimodal alerting not only ensures that notifications are delivered quickly but also increases the chances that your messages reach intended audiences. It’s imperative that an EMNS is capable of two-way communications to ensure that all employees are safe and accounted for. Poll recipients, collect responses, report and monitor the results and take action when necessary. It’s also critical to target groups by geographic areas as weather situations often vary in severity based on regionality. In order to eliminate confusion, the most effective EMNS can target specific groups with tailored information. The business of weather is about employing risk management strategies that protect people and property. The strategies can help ensure the business can continue to operate without disruption and do so efficiently, protecting assets and the bottom line. An effective workforce communications plan for weather disruption should be a vital component of any risk management strategy. ●

ONSOLVE For further information please visit: www.onsolve.com



PROFILE




DRUMMING TO A DIFFERENT BEAT BY COLIN COTTELL

Ignoring perceived boundaries and breaking the glass ceiling in a male-dominated profession, Linda B Laun is a firm believer in having a plan for every eventuality


Business impact assessments, ISO standards, a training and education programme for staff – all standard, traditional guidelines and methods familiar to Business Continuity and Resilience (BC/R) professionals. What sets Linda B Laun, AFBCI, apart from others is her willingness and ability to apply these standards and methodologies in new and innovative ways. Or as Laun unapologetically describes them, “thought leadership ways”. ‘Thought leadership’ is a term often linked with Laun, Global Business Resilience Program Manager at multinational enterprise open-source technology solutions provider Red Hat. She is also the BCI Americas Awards Continuity & Resilience Professional (Private Sector) 2019, having won the award for the second time in her career. An innovation she has introduced at Red Hat since joining from IBM in 2017

involves the use of short videos to educate and reinforce learnings to the company’s 13,000 associates about its BC plan. The videos include questions embedded in them about the sort of threats that might activate Red Hat’s BC plan. These videos can appear anywhere in the workplace and at any time, says Laun. “It’s more of an education than a test,” she says. Also, this information channel avoids the considerable problem of having to personally visit Red Hat’s 95+ sites across the globe in 35 countries. But top of her list for establishing these ‘thought leadership ways’ are top-down governance and getting executive buy-in,

“You have to know how to act, not react. Following a plan is the way to keep calm heads”

something she learned at IBM and vital to BC/R, “so the folks that you are going to work with know that they [the leadership] are supportive [of BC]”. “That is always number one,” Laun says. At Red Hat, this means building coalitions with executive champions from across the organization’s seven business units – the same approach she followed at IBM, a much larger company – 380,000 staff compared to Red Hat’s 13,000. Laun brings the executive champions together twice a year to share lessons and discuss the challenges ahead, helping break down organizational silos. Hand-in-hand with establishing this top-down governance, Laun places huge emphasis on breaking the process of building Organizational Resilience into “small, bite-sized pieces that are easily consumable and highly impactful”. This has been key to testing Red Hat’s global critical incident management plan from scratch in just six months. Starting at the top of the organization and working down, Laun says this is about “asking the right questions of the




right people at the right time, and building a chain of answers that ends up being documented into a final plan”. “A senior executive might be asked, ‘Who is most important for business recovery?’,” she explains. However, someone further down the organization might be asked, “How are you going to [activate the plan] and when?” The big advantage of this bite-sized approach is that it doesn’t waste the valuable time of business people, who would be reluctant to engage with the process “if they have to sit down for six hours to fill in a form, and then realise that for 40% of the questions, they have to ask someone else”, Laun explains. Defining her goal as making the organization more resilient, Laun says she aims “to help the company mitigate risk in whatever form that is, with the outcome being to protect brand reputation, and this is done by helping them confidently respond to any kind of business interruption from that risk or that threat”. Resilience is the ability to react to any kind of change, she continues, listing some of the threats that Red Hat is currently monitoring, such as the demonstrations in Hong Kong, heavy rain in Mumbai and cyber threats. It is not only the ability to respond to negative threats, Laun points out, but also positive changes, such as IBM’s recent acquisition of Red Hat. Laun says she joined Red Hat from IBM in 2017, because it gave her “the opportunity to create something from the ground up”. Her primary focus was getting the three core practices that make up BC/R – disaster recovery, BC and IT – to operate closely together. While the business impact and risk assessment methodology used at Red Hat is pretty standard for the industry,

EDUCATION, AWARDS, CERTIFICATIONS
Associate Fellow, BCI
Directing Innovation course, Smith College
Bachelor of Arts, University of Cincinnati
BCI Americas Continuity and Resilience Professional of the Year 2016 and 2019 (private sector)
BCI Global Continuity and Resilience Professional of the Year 2016 (private sector)

they differ in how they are customised to the company’s culture and environment. This is why, she explains, for Red Hat associates “who have grown up with everything on their phone”, using the short videos is more effective “than bringing people into a room and trying to teach them everything in an hour”. “The challenge is always about the culture,” she adds. In the case of IBM, where she worked for five years between 2012 and 2017, it was the culture of silos that presented a particular challenge, Laun says. An important aspect of the solution was to align with, though not certify to, ISO 22301 for Business Continuity Management. “That gave us an unbiased source to say ‘Ok, you may have already done it this way, and it’s not bad but let’s call it this now’.” Adopting the same approach at Red Hat, Laun says this satisfies clients that the company adheres to best practice and standards. With only six people working across disaster recovery, BC and IT, alongside Laun and a colleague, Laun recognises that her ability to intervene at an operational level across a global organization the size of Red Hat is

“I’ve always been a woman that likes to play in with the guys. I have always felt accepted and supported”

limited. For this reason, she sees herself as facilitator and educator for Red Hat’s employees around the world. “It’s not my plan, it’s their plan – and they have to know the plan and who to call when there is an incident. So part of our continuing expertise is to drive that education and awareness out to the business line or to the site emergency response teams. Ultimately I need to work myself out of a job,” she says. However, Laun’s career trajectory has seen her progress into increasingly responsible jobs, having fallen into BC/R in the early 1990s. “I was being interviewed for a job as a data centre manager – although I use that term kind of broadly; it was a very small computer closet,” she recalls during a video link call from her office in Louisville, Kentucky. “One of the questions at the exit of the interview was, ‘Hey, what do you know about disaster recovery?’.” What was no more than a throwaway remark at the end of a job interview turned out to be the start of Laun’s ongoing fascination with BC/R and the stepping stone to her successful career. She agrees the threat landscape has changed from the 1990s when it was typically “fire, famine, feast and Godzilla stepping on your building” to today’s terror attacks and cyber wars; however, the importance of being prepared and the consequences of not being prepared are no less real. In 1998, Hurricane Georges demonstrated the devastating impact that unforeseen events can have – in this case, on the population of the Dominican Republic, where Laun was working for the National Processing Company, a US provider of merchant credit card processing services. Aside from human consequences, for Laun it also reinforced the vital importance of having a plan.
“Even though we didn’t necessarily have all of the t’s crossed and the i’s dotted,” she says, “[we were] able to follow industry best practices, knowing that we should come together as a decision-making team, establish regular calls, do all the things that are in the plan. I had a table of contents, I had a




LINDA B LAUN
2017 – PRESENT Global Business Resilience Program Manager, Red Hat

2012 – 2017 Chief Continuity Architect, IBM Global Business Continuity Management, IBM

2006 – 2012 Global Managing Consultant, Resiliency Services Portfolio Owner

1998-1999 Business Continuity Planning Specialist, National Processing Company

1996-1998 Senior Consultant, PCM Enterprise (SARCOM) and Strategia

1993-1996 Data Centre Manager, United Distillers Manufacturing.

RED HAT
Founded in 1993
Headquarters: Raleigh, North Carolina, USA
Provides enterprise open source technology solutions
95+ offices in 35 countries
13,000 associates

plan that just hadn’t been filled out or published, but I could follow that and guide our company to make the right decisions at the right time. “That was affirming, I think because it just goes back to knowing that you have to know how to act, not react. And following a plan is the way to… keep calm heads.” The experience created an ongoing fascination with BC/R, as Laun forged her career, moving from disaster recovery through consultancy and then into increasingly important and

influential jobs including Chief Continuity Architect at IBM Global Business Continuity Management, before moving to her role at Red Hat in 2017. Looking beyond the novel approach that Laun has taken to applying standard industry methodologies, Laun has broken the glass ceiling and succeeded in a predominantly male profession. Not that she dwells on it. “Maybe I am weird,” she says, “but I have always kind of been a woman that likes to play in with the guys. I was a

brass player when brass was male dominated, I am a drummer now and people are like ‘I have never seen a woman drummer’. Ok, so what? So I never really thought about it. I never find any boundaries because of my sex. I have always felt accepted and supported.” Her advice for those who want to move into leadership roles is not based on gender, but rather that aspirants continue “to build their skills to remain marketable so they are positioned to take on a greater leadership role”.



DIGITAL TWINS




The ability to model any given scenario with a virtual building, town or even spacecraft can help prevent catastrophes down the line. Welcome to the world of digital twins

SEEING DOUBLE BY SUE WEEKES

“The more data you have, the better the digital twin understands its physical entity, such as your building”

Fans of the film Apollo 13, or those familiar with that mission, may recall that it was a mirrored system of the spacecraft on Earth that helped NASA save the lives of the astronauts on board some 200,000 miles away. It is often described as a precursor to the digital twinning technology that was to follow. Indeed today, NASA monitors its entire Space Center using a digital twin. The rise of the Internet of Things (IoT) and cloud computing has made digital twinning technology accessible to far more than the likes of America’s national space agency. For Business Continuity and Resilience (BC/R) professionals, it has applications in a number of areas, including as an additional back-up or storage point for data. Its ability to model almost any scenario (as long as the data exists to do so) and better manage unpredictability and uncertainty are among its most exciting and powerful applications. A digital twin is a digital representation or 3D visualisation of a physical entity that collects information from a variety of sources that could range from IoT sensors and drones to business systems. The physical entity could be anything from a human heart, as developed by Siemens Healthineers in




Digital twins can replicate real buildings in their entirety to help mitigate damage or disruption if an incident occurs

“If you can collect real-time data and have models that reflect the current state, it becomes more reflective of what’s happening on the ground at a particular time”

Germany and students of Heidelberg University, or an entire city. Indeed, Amaravati, the new capital of the Indian state of Andhra Pradesh, is being built from the ground up alongside its digital twin. “Everything that happens in Amaravati will be scenario-ised in advance,” says Michael Jansen, CEO of Cityzenith, whose Smart World Pro software is being used to create the twin. An individual building, a business process, network or even a person can have a digital twin that can mirror and model what is happening in the real world based on the data it receives. This then allows the twin to demonstrate, for instance, how their physical counterpart will behave or react in a particular situation or set of circumstances. The Amaravati twin project, which is aggregating data from a wide range of sources including sensors, is still in its early stages but is already demonstrating the potential power of today’s twinning technology. Andrew Penney, Business Development Manager at Cityzenith, explains that by using a micro-climate simulation and weather analysis and other tools, it has been possible to work

out how the real-life city can lower its median street temperature by 8 degrees Celsius. Results from a digital twin can take a number of different forms depending on the software used but could range from video visualisation and heatmaps to the more straightforward bar and line graphs. According to research company, MarketsandMarkets, the digital twin market will grow from $3.8bn (£3.14bn) today to $35.8bn by 2025 at a compound annual growth rate of nearly 38%. North America currently holds the biggest share of the market but Asia Pacific will see the highest growth in the forecast period. Research firm Gartner reckons digital twins are starting to enter mainstream usage and among those organizations implementing IoT technology, two-thirds are either in the process of or plan to establish a digital twin. A number of drivers, including reduced product lifecycles but costly unplanned downtime and predictive maintenance, are also boosting demand. These are among the areas where the technology can be of most use to the BC/R function. Infrastructure companies and those who serve them are among the early adopters. General Electric in the US, for instance, has built a digital twin of an entire power plant. The twin is integrated with analytic models of the various power plant components that measure asset health, wear and performance. It also has a digital twin of a wind turbine that shows the impact on the

CASE STUDY: NORTHUMBRIAN WATER
Northumbrian Water has taken on three PhD students who are working with academics at Newcastle University and their industrial supervisors on the digital twin project. It doesn’t foresee one big digital twin but smaller ones that represent parts of the system working together. Its “Twincident” project came out of an incident in Newcastle upon Tyne where its operational teams responded to a burst water pipe, which flooded a major road. When talking to operational managers and the leadership team afterwards, it became clear that when the team arrived, they were unable to do anything straightaway because they hadn’t appreciated how deep the water was going to be and the fire service wanted to check the area. “It was not understanding that particular piece of context that held us up, and when we re-ran the incident we found we could have supported better decision-making in the moment if we’d had the tools available,” says Chris Jones, Research and Development Manager, Northumbrian Water. In addition to the students who are working on the digital twin project, the network performance, asset management and other key teams are being involved. For example, the company is reaching the final stages of its digital transformation programme, which will see the asset management team investigate whether the digital twin can be linked to existing asset management tools, and longer-term strategic planning teams are also involved. At its third innovation festival this year, one of the areas of focus was how digital twins could be co-created with stakeholders to ultimately make joint decisions that are in everybody’s best interests. Jones explains that they may create data hubs in a city or region that other organizations and councils could have access to, as well as emergency services and other utilities.

34 CONTINUITY & RESILIENCE | Q3 2019

P32-35 Digital Twins_Q3 Autumn 2019_Continuity-Resilience.indd 34

03/09/2019 13:54


IMAGES: GETTY/ISTOCK

D I G I TA L T W I N S

$35.8bn

physical twin if the wind blows harder, longer or not at all. In the UK, Northumbrian Water, which aims to become the most digital water company in the world, has been working with Newcastle University to develop a digital twin (see box, left). Research and Development Manager Chris Jones says that the organization has a well-developed BC function in place but recognises that a lot of its systems are extremely dynamic and can be affected by a range of factors, including time of day, weather or even something that happened the day before. “You can develop a limited number of scenarios manually and we use these to put the necessary Business Continuity in place – but with dynamic systems, context is hard to reflect,” he says. The digital twin collects data from around 4,000 sensors that sit on its network measuring flow, pressure, water level and other critical factors. “If you can collect data in near real-time and have models that reflect the current state of, say, the water network, it becomes much more reflective of what’s happening on the ground at any particular time,” adds Jones. “That immediacy and context of time and place is what we wanted to be able to capture in the digital twin.” A primary use of the twin is for incident reporting but it is also being used for longer-term strategic planning around service capacity and demand. The latter explores likely changes in customer behaviour around using water and wastewater services, and whether current assets

and business processes are sufficient to meet customers’ future needs. “So we are looking at short-term Resilience,” says Jones, “such as how to manage incidents better and get services restored more quickly, so there is less disruption in a community; and then longer-term Resilience, exploring capacity demand, forecasting and planning.” Going forward, digital twins will be a valuable tool to help make organizations more resilient and sustainable in terms of their own bricks and mortar. IES, which develops analytics solutions for the built environment, launched a digital twin platform earlier this year. At the moment its technology is used to help organizations increase the energy efficiency and sustainability of their buildings. However, Product Manager Catherine Conaghan, says there is interest in using the platform to test how buildings will react to changes in climate. “We can simulate any changes in climate and look at what effect it will have on the building and whether its system could deal with it,” she says. “For instance, we can model the impact of an increase in sunlight. It could help prevent overheating in the summer and could also help with energy Resilience and resource planning. For example, understanding how a campus could keep lights on during a power cut.” One of the early adopters of the technology is Nanyang Technological University in Singapore for which IES developed a 3D master-planning and visualisation model for its flagship EcoCampus. The measures it put in place reduced energy consumption across the campus by 10%, saving $3.9m and 8.2kt of carbon. Using operational data from utilities and building management systems, IES was able to identify opportunities to achieve optimal performance across the campus. Conaghan reports that achieving optimum performance and comfort levels for occupants are among its customers’ priorities and this, of course, can have a direct link with the performance of employees. 
She adds that the storage of building and operations data in a digital twin also increases Resilience in terms of retaining employee knowledge. According to The company currently deals directly with research, the business owners and managers, as well as the digital twin facilities function but welcomes involvement market will grow from other functions such as BC/R, which can from $3.8bn also contribute valuable data sources, as Conaghan (£3.14bn) today concludes that, “The more data you have, to $35.8bn the better the twin understands its physical entity, such as your building.” by 2025



NEWS FROM THE BCI

CAMPAIGN

First Community Resilience Volunteer Week sees the BCI help the homeless

The BCI hosted the inaugural Community Resilience Volunteer Week (CRVW) in August. As part of the BCI’s vision to create “a world where all organizations, communities and societies become more resilient”, CRVW connected the BCI community with organizations who could benefit from their experience in Organizational Resilience and Business Continuity planning. The week shone a spotlight on the great work being carried out by organizations such as the Red Paw Emergency Relief Team, Serve On and the Lagos Food Bank. Even BCI Central Office got involved by volunteering for local homelessness prevention charity Launchpad and helping out on their allotment. Even though CRVW is over for this year you can still find plenty of information on how you can volunteer. For more information, visit https://www.thebci.org/event-detail/event-calendar/bcicommunity-resilience-volunteer-week.html

EDUCATION

BCI Education Month 2019 – Building Resilience

September sees the return of Education Month – an annual initiative to raise awareness of the opportunities available to BC and Resilience professionals wishing to expand their knowledge and professional development. 2019’s theme of Building Resilience has highlighted the importance of building upon existing knowledge and relationships across an organization to improve Organizational Resilience.

There is still time to participate in educational webinars, resources and obtain training discounts – as well as taking part in competitions! Thank you to this year’s sponsors ClearView Continuity. To find out how you can keep Building Resilience, visit www.thebci.org/EducationMonth19

EVENTS

Sep-Nov: The BCI has a busy calendar of events around the world, where members get together to network with their peers, celebrate the global successes of our partners and members, and learn more from speakers about BC. Take a look at the BCI events calendar at: https://www.thebci.org/events/event-calendar.html

BCI Education Month 2019: 1-30 September, Worldwide
BCI Africa Conference 2019: 12 September, Johannesburg, South Africa
BCI UAE Conference & Middle East Awards: 16 September, Abu Dhabi, UAE
Business Risks Summit 2019: 9 October, Cologne, Germany
Critical Infrastructure Protection and Resilience Europe: 14 October, Milan, Italy
Continuity Insights Conference: 21 October, New York, US
Emergency Preparedness and Business Continuity Conference: 29 October, Vancouver, Canada
BCI World Conference & Exhibition: 5-6 November, London, UK



Q&A

NEXT GENERATION PRACTITIONER

Yvette Heeremans
NATIONALITY: Dutch
TIME IN THE PROFESSION: Four years
FIRST JOB IN BUSINESS CONTINUITY/RESILIENCE: Continuity/Resilience Process Manager
CURRENT EMPLOYER: Sociale Verzekeringsbank
CURRENT ROLE: Business Continuity Manager
FAVOURITE ASPECT OF THE WORK: To make colleagues aware of the importance of Business Continuity and Resilience to prepare the organization together for a disaster

What attracted you to the industry and how did you get into it?
As process manager at my previous employer, an investment brokerage bank, I was asked to play the role of disaster coordinator. I was responsible for keeping various Business Continuity plans up to date and organising the fallback tests. I enjoyed organising the tests and making colleagues aware of their importance.

What is your biggest learning to date?
I can’t mention just one particular thing. You always have to keep learning and if there is nothing left to learn, it may be time to try something new. It makes your work challenging and keeps you sharp. Although I do have an important lesson, which is ‘it is good to be progressive, but it makes no sense to be ahead’. You have to adjust the pace of change to your environment.

What is your career ambition?
I don’t specifically have one goal in mind. I find it important to have challenging work in which I can continue to develop myself personally and professionally. In addition, I would like to do what I enjoy and also be able to contribute to something for my organization.

What is the best career advice you have received?
Early in my career I was told not to underestimate myself and not to be so modest. I can do more than I think and sometimes I have to leave my comfort zone. I would advise others to just do it and see how it goes!

What is your preferred mode of learning?
I prefer to do on-the-job training or using old-fashioned classical methods with an inspirational teacher. A good teacher can make or break training.

What changes would you like to see in the profession?
Today, organizations must be primarily trained in dealing with a crisis. General scenarios have to be considered. You cannot work out every possible scenario in detail, but make sure you have worked out a set of measures. Before the first DDoS (Distributed Denial of Service) attack, nobody had heard of it.

In your opinion, why should more people be joining the BC community?
Although a disaster often seems far away, fate can strike at any time. Even small threats can destroy an organization. Therefore, Business Continuity is crucial to the stability and sustainability of organizations. It is about limiting damage and being operational again as quickly as possible. As they say: ‘Fail to prepare, prepare to fail’. You hope you will never need it, but if fate strikes, you better be prepared.

Who would be your mentor?
In my current position I have been trained by Joop Epskamp. He has years of experience in Business Continuity and Resilience. He is an external colleague and I am his successor. As long as he continues to work for my organization, I want to learn as much as possible from him.

“It is good to be progressive, but it makes no sense to be ahead. Adjust the pace of change to your environment”



WHAT A GREAT IDEA

MY LIGHTBULB MOMENT

Laying the groundwork

I love it when a plan comes together. It’s the best thing about the Business Continuity and Resilience world. We had an incident at one of our campuses related to some of our scanners, which saw the chilling units fail, so the scanners had to be powered down. That means we lose money, patients’ time, etc. Failing scanners was a new issue for our campus operations manager too. To determine our recovery strategy, I went to the department’s Business Impact Analysis (BIA) to see if the machines were for clinical use, with fast restart requirements, or research, which would give us more time. Having banged on about getting the BIAs done, it was the best feeling to be able to look it up quickly, let campus ops know they could plan the repairs and restart, and get a message out to the senior community to say, “Don’t worry – all in hand.” It made the teeth-pulling process of getting the BIA done worth its weight in gold.

“It made the teeth-pulling process of getting the BIA done worth its weight in gold”

Sarah Rowe, Business Continuity Manager King’s College London



And counting ... New customers using Alert Cascade

Since our last advert, 42 organisations have chosen Alert Cascade to keep their people safe, informed and connected ...

• Simple, reliable, mass notification service with a global reach
• Ability to create unlimited teams and message templates
• Trigger alerts from any internet enabled device, via a phone call or by sending an SMS text message
• Configurable data hosting – EU, UK and/or …
• Automatic number validation for local and international phone numbers
• Multi-level parent/child account structure

+44 (0) 1733 785 999 | info@alertcascade.co.uk


RISK ERADICATOR

YOU are ready for anything. You’re poised to anticipate risk, mitigate the impact and capitalize on the outcomes. You’re revamping production and recovery processes to keep IT systems in sync and cyberthreats at bay. But the risk and complexity of IT transition can run companies ragged.

WE are Sungard Availability Services. We help transform IT and deliver resilient, recoverable production environments— protecting risk eradicators from the perils of IT disruption every day. Lead with resilience at www.sungardas.com.

Transforming IT for resilient business™


