Watch our Director Gary Donlon get personal and answer some key questions about scenario exercises. Gary offers some really valuable insight into what scenario exercises actually are and why they are so important for your organisation and your team.
DISASTER recovery, emergency planning and business continuity come into their own when you have an outage. Like a good insurance policy they cover every eventuality and ensure your downtime is minimised and your business is back up and running as quickly as possible.
As a conscientious organisation, you’ve recognised that the worst could happen, you’ve properly scoped everything that could go wrong, you’ve planned for all scenarios and prepared your IT recovery.
But what if you push the button to get your business back up and running and nothing happens? Don’t say it couldn’t happen to you. It could and evidence suggests it will.
A recent survey of businesses by iland discovered that in the last year 95 per cent of all businesses have suffered some kind of IT outage. Of those, 58 per cent had an issue while their systems were down which had an impact on their ability to resume normal services. WHY?
Pushing the button for a test run recovery is also mission-critical. Many organisations ignore this and focus instead on the recovery of individual services or configuration components. Cloud-based disaster recovery solutions have also muddied the waters and led to the belief that all services can be recovered “pretty much instantaneously”. This is not the case and recovery prioritisation and correct sequencing are vital if it is going to work properly. A full recovery test would give your organisation the chance to troubleshoot any issues and so prevent them happening in a ‘real life’ disaster.
Communication among your team is also vital. Does everyone know what they should be doing and when they should be doing it in the event of an outage? Your people can be your biggest asset or your weakest link so make sure they are all fully trained, ensure they all understand their roles and responsibilities and the sequence of recovery.
Back to my original question, WHY? If you have confidence in your ITDR then pushing the “red button” should hold no fear for you.
If you don’t have that confidence then maybe it is time you gave Jermyn Consulting a call to discuss how we can help with a Service Impact Analysis and Disaster Recovery Plan. After all, we have been enabling resilient organisations for 16 years. Call 01484 487955 or fill in a web enquiry form.
ENERGY, like water, is essential to a secure and properly functioning society. Providers are constantly looking for new and more efficient ways to secure sources and guarantee delivery to end users, be they business or domestic.
Technology is playing a key role in this. Energy providers have been among the most innovative in connecting up networks and digitising systems so that consumers have power at the flick of a switch.
Ironically this could be their downfall. Cyber attackers have also recognised this as an opportunity and, aware of its financial and political value, have increasingly targeted the energy sector in recent years.
In the last year alone, energy providers have seen a massive increase in the number of successful cyberattacks. Attacks have included everything from teenage hackers accessing 100s of servers which maintained a smart meter system for utilities to a national economy being hit by a virus that was introduced to 30,000 oil company computers - bringing systems offline for 10 days. At the same time providers are obliged by statute to maintain supplies and are penalised if they fail. What can they do to maintain economic service without compromising delivery?
Jermyn Consulting has worked closely with energy providers for the last 16 years on business continuity and information security to help arm them and update their defences against real and virtual threats and attacks.
The first thing to recognise is that every technology is human dependent; by that I mean a human being is the weakest link and also the biggest threat. Conversely they are also the strongest defence. Energy providers, like no other industry, have to side-step the traditional IT silo mentality and develop organisation-wide awareness cultures. Creating and enforcing cyber security protocols and systems within an organisation is one of the most effective ways of protecting vital services from attack.
Technology provides cyber attackers with a unique interface to access their prey. Yet at the same time, if such technologies have security in their structure and coding, these can be the first and most secure lines of defence. Energy providers must therefore develop systems that are compliant with the most stringent security standards.
Information is a key weapon against cyber attackers. Energy providers must overcome their natural resistance to sharing best practice and information among stakeholders and competitors. Greater openness would enable better understanding about the impact that cyberattacks could and have had, and lead to improved resilience within the industry as a whole.
If societies and organisations are to flourish in an ever evolving digital landscape, then energy providers must understand the role they play in maintaining a robust defence against cyberattacks.
If you would like an informal discussion about how we could help you analyse your risks and build a resilient organisation, please don't hesitate to contact us.
When the unexpected happens, successful businesses and organisations need to be able to react quickly and adapt accordingly, in what is an ever-changing and dynamic environment. There are various incidents that can put organisations off track – it is how individuals and the senior management team respond following a major incident that determines the organisation’s recovery time.
Terrorism, cyberattacks and human error are all examples of major incidents, the effects of which can all contribute to severe disruption. We are now in a 24/7 digital communications era, so managers must take into account more than just the implications of a financial loss. To successfully re-build a reputation that has been subject to negative mass media coverage can take years; and there are examples of organisations that have never recovered.
Some specific implications of a major incident include:
• Financial – direct loss of income or higher costs
• Reputational – negative coverage and commentary
• Time scales – how quickly can you respond?
• Communication – who and what message?
• Ongoing developments – getting “back to normal”
Jermyn Consulting have organised and facilitated over 200 scenario exercises for a vast range of organisations since we started in 2000. Over the years, we have continually developed our scenario exercises to keep abreast of developments and stress the importance of preparing for a worst-case incident. Our customers include the full range of organisations, from SME family businesses to large multi-nationals.
For response teams and those who are involved in disaster recovery and incident management, it is imperative that everyone not only understands what their specific role is, but also how important it is. Enabling such a vital team to build cohesion and confidence in a safe yet realistic environment, reinforces understanding and encourages stability within the group. It is also of great benefit for an organisation to enable their PR/Communications team to rehearse and prepare crisis specific communication strategies in conjunction with other teams involved in disaster recovery.
It isn’t just about facilitating and observing scenario exercises. Jermyn Consulting also produce comprehensive reports that highlight key areas for improvement. These reports are essential to better understand the negative implications of poor preparations and also identify practical ways to reduce risk and improve response capability.
To discuss how scenario exercises can be of benefit to your organisation, get in touch today!
PREVENT was under the spotlight when our MD addressed the UK’s leading universities at their annual conference in Glasgow recently.
George Hall spoke to delegates from major universities and Higher Education colleges at the Higher Education Purchasing Association (HEPA) about potential consequences and costs associated with PREVENT and how they can develop coping mechanisms to minimize possible disruption.
Jermyn Consulting has helped more than 65 UK universities develop and implement contingency plans in the last 16 years with PREVENT being particularly challenging for some academic institutions.
“Business risk is far broader than the obvious and so it is with PREVENT. As well as the physical risks to the people and buildings there are cost and reputational implications which often ripple further and for longer than any incident,” he said. “We want to remind them of the ever changing risks involved and demonstrate practical ways to develop appropriate response strategies.
“One practical way of tackling it is with a scenario exercise. For one University we took the example of how an academic invited a high profile speaker to address students. The exercise dealt with issues such as freedom of speech and dealing with protests as well as other possible consequences.
“As part of the exercise we made them analyse their own policies and procedures and how dealing with a potentially divisive figure could affect issues like freedom of speech. The University’s senior team had to consider a broad raft of issues and the potential fallout real, reputational and financial.
“The result was that it improved their responses so that they knew what to look out for and how to deal with what was then an unprecedented situation. My aim was to raise awareness of some less obvious issues surrounding PREVENT, how they can prepare, how they can handle them in a practical way and how any disruption can be managed,” he added.
To find out how scenario exercises would be of benefit to your organisation, contact us now!
Efficient and strong businesses need to keep their IT “clean” as part of their Business Continuity strategy. But while the spring clean should be thorough you need to make sure you don’t cause more problems than you solve.
With the clocks having gone forwards, the days getting longer and the weather getting warmer it seems the season of Spring is well under way. However it is not all flower picking and frolicking as this season also brings with it the dreaded tradition of “spring cleaning”. Yes that time of year when we give our homes a thoroughly good tidy up and a chance to get rid of the clutter in the cupboards and the garbage in the garage.
In an ever more technically advanced world, the cleaning process has grown and along with physical clutter, we also have an increasing amount of electronic data which requires careful consideration when being cleaned. It seems that one company has suffered a cleaning catastrophe recently as the Web hosting provider 123-reg accidentally deleted data from several virtual private servers (VPS) that hosted its customers’ websites. 123-reg, which has about 800,000 customers in the U.K. and 1.7 million globally, acknowledged the error and tried to restore the data but many of the Web sites it hosts remained offline days later and some may be un-recoverable.
123-reg announced that the “cock-up” occurred due to an erroneous line of code in an automated script that performs several maintenance tasks in order to optimise and tidy up the data on its servers, which led to customer websites and data being deleted.
One notable customer that was affected by the incident was the Scottish League Cup Winners, Ross County. The timing could not have been worse as the issue came amid the club's build up to the big game against Celtic which meant that the club were unable to utilise their crucial online ticket selling system, nor were they able to sell merchandise or provide their fans with the ability to reserve seats on buses and find match information.
So what lessons can we learn from 123-reg’s April accident? Firstly, that major incidents, no matter how unlikely they seem, can happen, and planning and preparation are key to ensuring a fast and efficient recovery. Having a Major Incident and Business Continuity plan can ensure an organisation is able to carry on business as near normal as possible in the wake of a serious incident or disaster. Just as important is the data back-up and IT recovery process. Those 123-reg customers with the right processes in place were back up and running quite quickly. Those without were effectively starting from scratch to rebuild their web presence.
At Jermyn Consulting we don’t just “plan for the worst” but rather we work with our customers to help anticipate all eventualities, to identify impacts and risks to their operations. We then work together with our customers to develop suitable business continuity strategies and plans. As we can see from 123-reg, disasters do happen but what we can do is plan and prepare so that the overall impact and knock-on effects can be minimized – after all, failure to prepare is preparing to fail.
For more information on any of the issues raised please get in touch.
There have been a number of news stories recently that point to the truth of the old maxim "if it can go wrong, it will". As always we are indebted to the estimable online journals The Register / The Channel for keeping us in the loop with tech news.
First off there was the problem at Insight where an external power outage took down their data centre and their website. The outage seems to have lasted for at least 12 hours (including most of a working day) and that has to hurt in terms of revenue and reputation.
That was followed about four weeks later with an outage at "competitor" Misco which took down their web sales front-end for about 6 hours. But Misco were not hanging around to wait for it to happen again and announced just the next day that they were moving to the cloud to prevent a recurrence. The horse had gone, they had slammed the stable door but at least made the decision to build a new stable. Time will tell whether this outage affects the bottom line as Q1 sales were already down on last year.
In both of these instances, seasoned tech companies who should have had a good level of resilience were taken down by humble power outages or server failures.
Interestingly, the problems are not limited to outages or failures. Sometimes it can be a deliberate and planned routine that goes wrong. That is what happened to web hoster 123-Reg, who apparently ran a cleanup script on some virtual private servers. But the script "went rogue" and deleted the servers. The reputation (and presumably revenue) hit for 123-reg is still ongoing, not to mention the damage it has done to their customers, whose businesses have been without a web presence and have had to rebuild from scratch.
So you want to move to the cloud to reduce the likelihood of these things happening but beware. We have written many times before about the problem of the cloud potentially being "smoke and mirrors". Mostly we are concerned about organisations with little skill, re-selling flakey data centre environments with no comeback against anyone if it goes wrong. But the Monster Cloud / Live Drive issue puts a new slant on things. That contract you have may not be what you thought it was. Or what you thought you were agreeing to pay may not be what you end up paying. The message seems to be "cough up or migrate". Some resellers are predicting dire consequences for themselves based on the price hike. And it keeps going on…..
So, what messages can we take away from this?
• As we have said a thousand times before, make sure you have a decent Business Continuity / Disaster Recovery plan in place.
• Ensure that your DR solution comes from a reputable, experienced and trusted provider using good infrastructure to support it.
• Don't just rely on what you have got written down. Test it regularly and thoroughly.
• Look at every outage you suffer and the outages affecting others. Then ask the question "could it happen to me?" - unless the answer is DEFINITELY NOT you have to act to put it right.
In an increasingly techno-centric world it is vital that organisations protect their digital information from misuse, theft and destruction. Jermyn Consulting is acutely aware of this and instils it in our customers at every opportunity.
We all work, play, shop and live online so cyber security is no unnecessary hype.
That said, outside the cyber world – yes, one still does exist - the same pertinent security risks that have always been there have not gone away and in some cases have got worse. New risks have arisen as well.
It’s mostly the physical stuff we’re talking about, but perhaps the deluge of “bad news” has caused us to become a little blasé about the risks and likelihood of something happening.
Jermyn Consulting sees constant examples that in our quest to keep cyber thieves at bay we are actually leaking and broadcasting information. What about the client’s print-outs we leave on our desks (we’re still, despite our best efforts, not a paperless society)? Or the ‘chat’ we had with a colleague during the daily commute when we thought nobody was listening in? Worse still, the invoice with bank account details that we have thrown in a general bin, un-shredded, or the laptop we leave open and unattended on public transport while we buy our refreshments in the buffet car?
On the ground and most worryingly, the world is braced for more terrorist attacks in the wake of yesterday’s deadly blasts at Brussels airport. That came just four months after attacks on the Bataclan concert hall in Paris last November where young people were the main targets, so universities and colleges have understandably become more aware of the risks. With thousands of people in one area at one time the effects of any kind of disaster, man-made or otherwise, would be devastating.
The latest risk issue to raise its head is when cyber-security becomes physical; when a hack or ransomware attack stops an organisation in its tracks. If all of an organisation's electronic data is "locked" by cyber criminals it is the same effect as if staff were "locked" out of the office. The computer that you cannot use for whatever reason is useless regardless of the cause.
Now more than ever security and response measures need to be in place, watertight and robust. How a university or any organisation responds in the immediate aftermath of any major incident is critical.
A major incident management plan drawn up calmly and without pressure is vital and should cover the core activities needed to detect and respond to a major incident, whatever the cause. No plan can cover every scenario but all major incidents have some common features so the plan needs to be practical, workable and capable of being invoked quickly and efficiently.
And don’t place too much emphasis on technology. Although the latest, hi-tech equipment may be in place it could be redundant if it is not operated effectively or the power fails. Make sure all of the technology is fit for purpose and in working order and there is a fall-back if necessary.
Last but not least remember to give the right emphasis to staff training and awareness. Everyone needs to be prepared and know their roles and responsibilities should an emergency occur; involve staff in simulated emergency scenarios, where possible, to ensure that everyone knows their part in the incident response process.
In 16 years of business we have written and tested hundreds of incident management plans and assisted our customers to manage real incidents. For more information please get in touch.
Cheeseboards all over the country may have been distinctly lacking with the absence of one of their famous staples.
The extreme floods in Cumbria in December caused such damage at the United Biscuits factory that production of the famous Carr’s water biscuit had to be halted, leaving supermarket shelves empty. Other biscuit production lines were also affected.
The company had no alternative premises to relocate to in the event of an emergency. Instead around 400 employees, contractors and suppliers had to pull together to get the production lines up and running one by one.
This follows a previous crisis ten years ago when the company avoided being closed for good after severe flooding struck. So it seems lightning does strike twice and putting a back-up plan in place is better than leaving it to chance. Alternatively a company could be counting the cost for some considerable time.
Not only will Carr’s have lost immediate business due to loss of production, they risk continued loss as consumers find alternative products they prefer and switch permanently. When you add the reputational damage of not being prepared the true cost continues to mount long after the floods subside.
You may think your organisation has dotted all the Is and crossed all the Ts in covering all eventualities but nothing can prepare you for the havoc nature can wreak when it takes a bad turn.
“But how can we prepare for something that is only supposed to happen every 100 years?” Ah, that line practically runs off the tongue but it is not strictly true; preparations can be made to prevent further exacerbating the disaster.
Business continuity can ensure an organisation is able to carry on business as near normal as possible in the wake of a serious incident or disaster; at the very least essential processes will be operational within a reasonably short period. As part of our process we don’t just plan for the worst, we help companies anticipate all eventualities.
Jermyn Consulting works with our customers to identify impacts and risks to their operations. We then work together with our customers to develop suitable business continuity strategies and plans.
Be proactive rather than reactive. Crises do occur and particularly in the case of natural disasters no amount of planning will stop them. But the overall impact and knock-on effects can be minimised with a bit of forward thinking.
In the last blog under this heading we identified a number of points that need to be considered if an organisation is to avoid being labelled as having “half a brain”. The first of these was that not all information security breaches are cyber-crime or hacking and we are concerned that there is too much focus in that area to the detriment of other aspects of information security.
Back in the 80s the great (author’s opinion) Don Henley sang the lines
'cause a man with a briefcase
Can steal more money
Than any man with a gun*.
Simpler times eh! The point being that the source of the worst threat is not always what it seems. The ongoing focus on cyber-security is, we believe, deflecting attention away from other threats and, more importantly other security countermeasures.
For instance it has recently been announced that “The former head of GCHQ has been drafted in to help boost the City of London’s defences against cyber attacks”. A laudable goal but what about the other attacks and threats? In the same week The Channel reported that:
Arrow Inc has had to “take a US$ 13 million charge” to cover a fraud which seems to have been engineered by a simple telephone call, and
TalkTalk (yes them again) have admitted that “a small number of customers” have complained about being scammed following contact with TalkTalk engineers. It seems that this was passing on of information by someone who has it to someone who shouldn't have it.
Back in my day in the City of London we often gathered information by simply keeping our eyes and ears open in pubs, restaurants, trains and lifts. There was more than one occasion when we thought someone may have been looking through our bins in the basement.
And it isn't just about the media coverage and initiatives, it is also about solutions. It is easy to find information about cyber security, e.g. Cyber Essentials Scheme or 10 Steps To Cyber Security, but less so about the non-cyber issues. We have heard a recent example of a company where the board is asking the information security manager “Is everything encrypted? We don't want to be the next TalkTalk” while other suspicious activity possibly targeted at the finance director is dismissed as “coincidence or random phishing”.
So by all means get your cyber security in place but don't forget to lock the doors, shred the papers and make sure everyone is aware of the full range of threats (don’t leave papers on the train or blab about major contracts in a pub).
The best way to decide where to focus is an information risk assessment.
*Don Henley “Gimme what you got” from The End of the Innocence