This is an edited transcript of a talk given by Jim Preen, head of media at Crisis Solutions, to the BCI World Conference in London about convergence and the future of crisis management.
First, I want to consider the cyber security threats we now face and then look at how business continuity and crisis management might need to change to combat these challenges.
One of the big challenges for those of us who work in resilience is convergence. Largely it’s the convergence of technologies.
I’m going to take two examples: Convergence as in the Internet of Things and then convergence in communications and media.
Convergence in the Internet of Things
As I’m sure you know the Internet of Things is the development of the internet where everyday objects have network connectivity, allowing them to send and receive data.
Research firm Gartner says 6.4 billion connected ‘Things’ will be in use this year, up 30% on 2015.
Whenever this topic arises journalists seem to head straight for their fridge, or in this case their Smart Fridge. In fact, a fridge so smart it will tell you when you’re out of milk, when foodstuffs are reaching their eat by date and then automatically re-order what you need. A delivery that in a year or so will be made by drone if Amazon has anything to do with it
IOT security is in its infancy, but up until very recently hackers and criminals paid little attention to it. That underwent a big change, on 21st October 2016 when a cyber-attack played havoc with the internet. Sites brought down included Twitter, CNN, Amazon, Netflix and Spotify.
The attackers targeted Dyn a company that controls much of the DNS or Domain Name System infrastructure. To cause the most amount of harm this was a clever place to go.
They bombarded Dyn with a Ddos attack, firing cyber junk at their servers, which duly caved in.
What made this interesting, not to say scary, was the delivery mechanism. According to Dyn, the bad guys used a relatively new weapon called the Mirai botnet to fire their cyber missiles at the unsuspecting servers.
Unlike other botnets that harness computers to fire out spam, this botnet harnesses the Internet of Things, using cameras, kettles and DVR players to do its dirty work.
Mirai scours the Web for IOT devices with factory-default usernames and passwords, and then press-gangs them into service.
Because there are so many unsecure IOT items out there, the attackers mounted possibly the largest Ddos attack on record.
It’s thought the IOT products that were compromised were largely made by one Chinese hi-tech company, XiongMai Technologies.
Xiongmai devices are particularly vulnerable, as in many cases they don’t even offer the possibility to change user names and passwords on their products.
The company has now issued a widespread recall of their goods.
Convergence in information management
IOT is now spreading to law enforcement. Police in the US are already using body cameras, and smart guns. A California company called Yardarm has developed a chip that, when inserted in a gun, streams location data and instant notification when a firearm is drawn and fired.
In our homes, we now have Nest and Hive to control heating, security cameras and smoke alarms. Interestingly Nest is owned by Google, the great information aggregator.
One of the jobs of these systems and devices is to collect data, some of it very personal data, which is held by companies in their databases.
Add to this all the information made available from the new wearable technologies, like Apple watches, and you start to realise it’s not just the Internet of Things; it’s the Internet of People.
These connected devices all leave a belching contrail of data, whether it’s location, application usage, browser history, or how hot you keep your home.
Take the food sector for example: As sensors and cameras are increasingly used on foodstuffs, refrigeration units, in logistics and even on customers themselves – supermarkets have a burgeoning array of information to process.
In normal times, it’s called data mining, in an emergency it might be part of your crisis management response.
Information management in a crisis has always been tricky. With the abundance of information made available from smart devices, it’s going to be even more problematic.
Some say quite rightly that in a crisis there’s never enough information, but increasingly, because of convergence, there’s too much information – the difficulty will be sorting the good stuff from the white noise.
Organisations need a robust system to record, filter and then share information so the strategic team has the information they need to take correct decisions.
It may sound Orwellian, but in the next few years we’ll be surrounded by devices connected to the internet that will digitise every step we take, convert our daily activities into data, which can be distributed and potentially seized. We’re pairing our physical lives with a digital doppelganger.
Convergence in the media
From a communication point of view we’re seeing convergence in the media. There used to be a divide between the old media of print and TV news and the new digital media. That’s changing as the two coalesce. Most of journalists who are on a breaking story spend time glued to their Twitter feeds.
Increasingly organisations need to listen to what various audiences are saying and respond appropriately. Communication is becoming far less top down, just issuing press releases is no longer enough, companies must listen and communicate with individuals. And that goes not just for external stakeholders but also for staff and their families.
Convergence in the media will have other effects. For example, what was once local can now quickly become global. Small crises can escalate much more quickly.
So a fast-paced response is even more important. First impressions are lasting impressions – this doesn’t necessarily mean having all the answers; it means having an early presence so the public knows that you are aware of the emergency and that there is a system in place to respond.
From a comms point of view, if the public isn’t aware that you’re responding to the problem, then effectively you’re not.
At the heart of convergence and our continuing reliance on technology lies this duality. It has the ability to create more and different kinds of crises that will damage reputations and interrupt business, while at the same time allowing crisis managers to respond faster and more efficiently than ever before from just about anywhere on the planet.
The future of business continuity
So what needs to change within crisis management and business continuity to combat these threats?
When you start writing a BC plan, the current procedure is to initiate a lengthy Business Impact Analysis (BIA), then develop a recovery and continuity strategy, which then becomes a plan. When this is all in place it’s common to run a test or crisis simulation to see if the plan works.
Go down this road and it means a lengthy lead time before an organisation sees any improvements to planning or resilience.
It may sound counter-intuitive but what about throwing senior management in at the ‘deep-end’ with a crisis exercise? Even before a plan is written or updated.
This approach can provide some very effective early learning, which can improve continuity and resilience straight away.
Here are some possible benefits:
• The crisis management team (CMT) will become aware of issues and gaps immediately
• It should ensure process priorities are highlighted and supported by the CMT
• Communication requirements will be discussed early
• The CMT will have experienced a crisis, remembered key learning points, resilience is improved.
For this to work the exercise needs to be set at an appropriate, realistic level and include guidance and facilitation.
Plans are changing
Once a Business Continuity Plan (BCP) is written or updated, what will it look like? Once again we are seeing change.
A traditional BCP sets out how an organisation will continue to operate in the aftermath of a crisis. It catalogues the required arrangements for a return to business-as-usual and identifies the necessary resources to do so.
Typically, these plans are generic and not tied to a particular threat or crisis but rather concentrate on impacts.
At Crisis Solutions, we are noting a change. No longer are all BC plans generic, but rather reflect specific threats.
We recently ran a data breach exercise for a major bank that involved their Gold and Silver teams.
To combat the threat, they deployed their ‘Cyber Playbook’, which was a thorough, well-presented plan that proved very useful to the teams during the simulation. We also learnt they have a ‘Terror Playbook’.
But is this the right way to go? Should BC plans be threat specific or should they remain generic? Should we now use playbooks for cyber, terror and pandemic threats?
Technology may sometimes put a spoke in the smooth running of our business continuity wheel, but on many occasions the same technology can prove incredibly useful to crisis managers. We need to be agile, reject groupthink, some up with innovative solutions to new (and old) problems and continually adapt to a changing environment. It’s not going to be dull.