Monthly Archives: August 2012

Business Continuity: International Standard Excellence

How resilient is your supply chain?

Warning (again): contains percentages that you may find rather unnerving.

Business Continuity saw the beginning of change in May this year, when the new International Standard was published. Moving from a British standard (BS 25999) to an international one (ISO 22301) will offer benefits and reassurance to organisations with international supply chains to consider, for instance. It also offers the opportunity to leverage certification to potentially lower insurance premiums. Indeed, insurers are increasingly seeking assurance that organisations are compliant with the BC standard before issuing certificates or agreeing premiums.

It's hard to talk about Business Continuity without talking benefits. The move to an international standard should create even greater interest in this increasingly pertinent standard. According to the CMI Business Continuity Survey, the last three years have seen an increasing proportion of managers reporting that their organisations have implemented BC plans: from 49% to 58%, and now 61%. Most encouragingly, 81% of those with an effective plan report a reduction in business disruption, and 77% felt it had improved business resilience. If that is not a clear benefit I don't know what is!

At the other end of the scale, however, we have the organisations that have not yet fully grasped the importance of planning how to continue business in the event of a threat to business as usual (BAU) or a disaster. Research by Norwich Union reported that businesses without an effective BC plan which experience a disaster have a greatly reduced chance of ever fully recovering. In fact only 8% make it to the five-year mark. It gets worse: 40% never re-open, and another 40% re-open but fail within 18 months. Never underestimate reputational damage. How, then, can an organisation fail to build Business Continuity Planning into the very fabric of its being? Referring again to the CMI survey, 15% of managers cited a perceived lack of business benefit as a reason for not having a Business Continuity Plan. (I do hope none of these businesses are in the supply chain of any readers…)

However, a staggering naiveté emerges when we read in the same survey that 54% of businesses without a plan say it is because they "rarely get significant levels of disruption in their business". Yet almost half of the businesses surveyed reported disruption from extreme weather, and that weather cannot only have affected those who had already included it in the scope of their BC plan, surely?

There are a number of factors at work here, apart from an unwillingness to acknowledge that events outside one's control can sometimes impact a business. Some organisations have a knowledge gap between what they think they can survive and what they can actually survive. Don't forget that reputational damage will be a key factor in how your talented staff, your clients and your supply chain partners respond to you after a disaster. Another consideration is the best of intentions being poorly researched and implemented: a second knowledge gap, this time about where the REAL threats and risks lie, so that plans are made for things that may be irrelevant while real threats go unconsidered. Add to that a good, or less than good, plan being poorly implemented, tested and communicated through an organisation, and you have what is known among youngsters as an epic fail.

As Business Continuity becomes an international standard, the opportunities for UK businesses to benefit increase. The ability to plan the continuance of business in exceptional circumstances should not itself be considered exceptional. Supply chain partners, clients, insurers and employees will come to demand it as standard, making the ISO 22301 standard all the more attractive and necessary.

Advent IM – The UK's Leading Independent Holistic Security Consultancy

Insider Threat – what is it?

Warning: Scary stats may follow….  

From the Ponemon Institute 2012 Confidential Documents at Risk Study:

"70% of respondents say that employees, contractors or business partners have very frequent or frequent access to sensitive or confidential documents, even though access to this information is not a job or role-related requirement.
59% say their organizations' controls are ineffective at monitoring employees, contractors or other insiders who access these confidential documents. An even higher percentage (63 percent) do not believe they are effective at assigning privilege to employees, contractors and other insiders whose jobs or roles require access to sensitive or confidential documents."

It’s called Insider Threat.

Are businesses listening to the warnings about Insider Threat?

A recent Telegraph article highlighted an area that security experts have been talking about for some time: insider threat. It pointed to the vast increase, year on year, in the level of fines levied by the Information Commissioner's Office (ICO), from £431k to £1.8m. If this were a private sector business's turnover, they would be delighted. But it isn't; each one of the 68 warning notices that this figure represents is a failure by an organisation to safeguard the data it holds. Sometimes that data is client or employee data; sometimes it is that of the general public. It was data that should have had appropriate security around it to ensure its safe management and, when necessary, destruction, in line with the Data Protection Act.

The temptation is to hang your hat on hackers being responsible for data breaches. Of course, sometimes they are. But sometimes the threat comes from within an organisation or business. This may take the form of a deliberate and malicious act of data theft, possibly for monetary gain (I am thinking of the theft of credit card details, now a cottage industry), or it may be a series of errors, lapses in adherence to security policy or just plain daft behaviour.

When it comes to securing information, everything has to start with a comprehensive grasp of the real risks, and part of that has to be an honest assessment of the insider threat. Having a robust security policy with total management buy-in is vital. Testing and reviewing that policy regularly is another must, but if it basically sits on a nice shelf doing nothing but gather dust all year, it is pointless. Getting the policy out and communicated throughout an organisation is crucial.

If staff recognise that they are part of the problem, but even better, part of the solution, then everyone starts to take responsibility for security. This is how it should be, but sadly, for too long security has been seen in many cases as the responsibility of the IT manager. Of course the IT manager has to be involved, but so does everyone else. IT and technology-based solutions like firewalls will only go so far. In other words, if a burglar is already inside your home, having a plate steel front door won't stop the theft. A firewall will not protect a business from someone who downloads thousands of sensitive documents onto a USB stick and then leaves it in a taxi. Wouldn't having a policy which states that USB sticks are not permitted, or that only encrypted USB sticks are permitted and only to appropriate staff members, be better?

Security training is a vital area that needs to be addressed at boardroom level. More and more we are seeing security and security training fall into the facilities management (FM) basket. As this is a growing trend, business needs to address the resources allocated to FMs to ensure that not just the perceived threat of hackers is addressed, but the insider threat too.

First published in Tomorrow's FM (Aug 2012) and reproduced by kind permission of the Editor.

Since the original publication of this article and blog post, a serious Insider Threat style data breach has occurred at Toyota. A fired employee managed to gain access to some sensitive data (unconfirmed reports say potentially pricing, parts specifications, quality testing and design data); not only did they access and download it, they also sabotaged systems.
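The three insider scenarios described above (staff with access to document classes their role does not require, a bulk download that no firewall would notice, and an account that should have been disabled still being used, as in the Toyota case) can all be caught by reviewing the document access log against a role entitlement matrix and a leavers register. The following is an added example, not code from the original article or from Advent IM: the roles, staff list, leavers register, bulk threshold and log lines are all constructed for illustration.

```python
"""Entitlement and activity review over a constructed document-access log.

Added example, not code from the original article. The role matrix, the
staff list, the leavers register and the log lines are all constructed for
illustration; the threshold is an assumption, not a figure from the page.
"""
from collections import defaultdict

# Assumed mapping of role -> document classes the role legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance": {"invoice", "payroll"},
    "hr": {"payroll", "personnel"},
    "sales": {"pricing", "contract"},
    "engineering": {"design", "spec"},
}

# Assumed staff directory (user -> role) and a hypothetical leavers register.
STAFF = {"alice": "finance", "bob": "engineering", "carol": "sales", "dave": "hr"}
LEAVERS = {"dave"}  # left the organisation; the account should have been disabled

# Assumed threshold: more documents than this downloaded in one day counts as bulk.
BULK_DOWNLOAD_THRESHOLD = 500

# Constructed log: ISO timestamp, user, action, document class, document count.
SAMPLE_LOG = """\
2012-08-01T09:02:11 alice read invoice 1
2012-08-01T09:15:40 alice read personnel 1
2012-08-01T10:01:03 bob read design 4
2012-08-01T10:07:55 carol download pricing 12
2012-08-01T22:48:19 bob download design 1300
2012-08-01T22:49:02 bob download spec 870
2012-08-02T08:30:00 dave read payroll 2
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, doc_class, count = line.split()
        events.append({"ts": ts, "day": ts[:10], "user": user, "action": action,
                       "doc_class": doc_class, "count": int(count)})
    return events


def excess_access(events, staff=STAFF, entitlements=ROLE_ENTITLEMENTS):
    """Accesses to document classes that the user's role does not require.

    An unknown user has no role and so no entitlements; every access by such
    an account is reported, which is the conservative choice for a review.
    """
    findings = []
    for e in events:
        allowed = entitlements.get(staff.get(e["user"]), set())
        if e["doc_class"] not in allowed:
            findings.append((e["user"], e["doc_class"]))
    return findings


def bulk_downloads(events, threshold=BULK_DOWNLOAD_THRESHOLD):
    """Users whose downloads on a single day exceed the threshold.

    Returns {(user, day): total_documents} for each (user, day) over the limit.
    """
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "download":
            totals[(e["user"], e["day"])] += e["count"]
    return {k: v for k, v in totals.items() if v > threshold}


def leaver_activity(events, leavers=LEAVERS):
    """Accounts on the leavers register that still appear in the log."""
    return sorted({e["user"] for e in events if e["user"] in leavers})


def review(text=SAMPLE_LOG):
    """Run all three checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "excess_access": excess_access(events),
        "bulk_downloads": bulk_downloads(events),
        "leaver_activity": leaver_activity(events),
    }


if __name__ == "__main__":
    for name, result in review().items():
        print(f"{name}: {result}")
```

Run against the constructed log, the review flags alice reading a personnel document that finance has no need of, bob pulling 2,170 design and specification documents late in the evening, and the leaver dave still reading payroll the next morning. None of these would trouble a firewall; all of them are visible to anyone who actually reads the access log against the policy.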

Advent IM Security for Schools

Not everyone has heard about "Hacker Mum" yet. It's a bit of a misnomer, actually, but the story goes like this: last month a woman who had once been a secretary at the school her kids attended was charged with nefariously accessing that school's grades system to change their grades (upward, obviously). While she was there, she had a look at some Human Resources areas and emails too.

The Mum with the Dragon Tattoo?

Did she hack her way in like some character in a Hollywood blockbuster, dodging high-level encryption, finding back doors and generally being a criminal IT mastermind? Erm, no: she used someone else's login and password credentials. So not so much "Hacker Mum" as plain old "Opportunistically Dodgy Mum", then.

Now is as good a place as any to establish which part of the insider threat we are discussing here. Basically, this threat…
