Despite our very best efforts to avoid or prevent incidents and avert disasters, infosec and cybersec pros may concede that they remain a possibility. A remote possibility. Vanishingly small, we hope.
Being prepared for incidents and disasters puts our organizations in a better position to survive and thrive, keeping essential business processes and systems running despite the events (i.e. continuity and resilience), recovering non-essential ones as soon as practicable afterwards (that's recovery and resumption), and generally coping with whatever comes our way (contingency, as in what we need to do is contingent on what actually transpires in the event of our worst nightmares coming true).
Preparedness involves getting ourselves ready in case something goes seriously wrong. Whereas we may cope perfectly well with relatively minor events, more serious incidents or disasters such as the following deserve or require better preparation:
- Power cuts, surges and dips (that's power dips, not the cheese variety);
- Fires, overheating or smoke damage (a hot trio);
- Floods and leaks (rain water, ground water, sea water, sewage);
- Earthquakes, cyclones, tornadoes, volcanic eruptions or terrible storms (The Tempest);
- Hacks and social engineering attacks (yes, cyber incidents too);
- Overloaded IT systems, out of capacity, broken (or just f la ky);
- Malware infections, spyware, ransomware (malevolent software);
- Mistakes by system administrators or users, plus “accidents” of all sorts (whoopsies);
- Essential people unavailable (off sick, on holiday, under a bus, mysteriously disappeared, poached by competitors, poached by a volcano, playing golf, getting married, otherwise engaged, retired, exhausted, hung over, spaced out, busy Doing Other Stuff, on strike, in the nick, locked in the telephone kiosk ...);
- Sabotage and cybertage (cybervandals or drug-crazed ax-wielding nutcases on the rampage);
- Failed IT changes or upgrades (no! What are the chances of that, eh?);
- Cloud and Internet failures (stop it, you're scaring me now);
- Serious frauds (as opposed to the jocular or casual ones);
- Failure to hit significant deadlines, leading to compliance issues (GDPR for example?);
- Other nasty surprises ! BOO !
A vital part of the preparation is preparing our people. Being mentally ready to cope with the stuff life throws our way is part of it. A willingness to Do What Has To Be Done is another. Security awareness and training, then, is business-critical given the risk of incidents and disasters as well as being absolutely invaluable at all other times. If you're not convinced, consider the alternative: would you rather find yourself in the midst of a crisis with a bunch of people who haven't a clue what's going on, are scared witless, don't know what to do and mostly just want to disappear under a rock?
Getting the organization ready to face up to assorted crises has advantages under normal circumstances also. Resilience is a small word for a big concept in business continuity, the idea being that essential business processes and systems should remain at least partially operational under all but the most extreme circumstances. Limping along rather than running, maybe, but still going like the Duracell bunny.
NoticeBored subscribers have another 60 megs of fresh educational content to get their teeth into this month. If your security awareness and training program doesn't cover business continuity, if "Keep calm and carry on" is the best/only advice you can offer, do get in touch: we'd love to help out. We have a clue.