
Wednesday, 20 December 2017 21:28


Written by Dr. Steven Goldman

What are the Top-3 threats to organizations today?

My research and my recent experience with dozens of companies this year have led me to believe that the top three threats to organizations today are:

  1. Cyber attack
  2. Loss of your data network
  3. The change in the news media

Cyber-attack. I am sure that most of my fellow editorialists have also selected the cyber-attack as one of the top three threats to organizations today. One need only look at the news virtually every day to see some company, agency, or even individual who has been attacked by a bad actor. What is frightening, however, is the increased sophistication, daring, frequency, and range of techniques these attackers employ to do their evil. But what amazes me even more is that there is an entire industry dedicated to protecting companies and organizations against these cyber-attacks. While I do understand the need for and appreciate these services, it’s very sad that we need them at all. In my humble opinion, this is a nonproductive use of talent and resources to fight these high-tech jerks. All we want to do is use our systems the way we designed them, and we should not have to worry about this external threat. But worry we must, and so we act accordingly.

Loss of your data network. Again, another obvious threat. Whether caused by a cyber-attack, external hazard, internal threat, or just plain bad luck - the source does not matter - the loss of a data network threatens everyone, from a large multinational organization to the individual sitting at home working on his or her laptop. Although a cliché, it is true: we have become overly dependent upon our IT systems, whether it’s a million-node network or simply you and your cell phone. All these applications and machines are worthless without data to drive them, and data is now being measured in terabytes and even petabytes. So we have backup data centers and the cloud to help protect us. We also have backup uninterruptible power supply (UPS) systems and diesel generators to provide power when the main power source becomes unavailable. Still, how many IT managers lose sleep over this issue?

The change in the news media. “What?” you say. “I’m the hotshot business continuity (or disaster recovery) manager. I don’t need to worry about the news media. That’s public relations’ job.” Wrong. It’s pop quiz time:

Let's say your organization had an emergency event and the technical response teams did a great technical job. However, the communications response was poor.

Question: What will be the perception of the public, news media, your stakeholders, your employees, your management?

Answer: The entire response operation - including you - will be draped with failure.

While many organizations do need to invest in their crisis communications efforts, I am talking about the change in today’s news media that can become a threat to your organization.

I have seen many organizations (and their crisis communications response) treat the news media (when covering crises) as the media used to be: tough, inquisitive, tenacious, and detailed. The media have their faults too, as former New York Times editor Bill Keller once wrote: “I acknowledge that the press can be annoying, simplistic, predictable, herdlike, insatiable, imperious, sloppy and mean.” But for the most part the media were also reasonably fair, accurate, thorough, and fact-driven. This is no longer the case.

My friend and colleague Joe Sciacca, editor in chief of The Boston Herald, observes that the pillars of American journalism are changing.


Again, you ask, “Why should I care? That’s not my job.” Again, I point out that crisis communication is part of your overall response. Communications staff must be prepared for the new challenges to be faced during your crisis. You must also prepare your technical and executive response staff - the ones who supply information to the communications staff - to be ready to receive strange and unusual requests for information. So if you’re in the middle of a cyber-attack, your executives may receive questions about Russian collusion, conspiracy theories, damaging tweets, anonymous accusations, executive sleaziness, and other topics that have nothing to do with your cyber-attack but somehow make it into the story. It’s also easy for one of your competitors to inject false rumors that accuse your management of having somehow caused or ignored the cyber-attack. So now you have to deal with fake news, false rumors, shadowy accusations, a Twitter torrent, and Facebook flashes in addition to the cyber-attack. Can your crisis communications staff deal with this? Is your executive management ready to respond - but not over-respond? It is your job to find out and make it right.

What areas of BC/DR do you think organizations should be investing in to secure their resiliency for the next 3-5 years? (Where should they put their money?)

My research and my recent experience with dozens of companies this year have led me to believe that, to secure their resiliency for the next 3-5 years, organizations should be investing in:

  1. An emergency notification system
  2. Integrating crisis communications processes
  3. Training, drills, and exercises

An emergency notification system. In the olden days - that would be 20 years ago - we had landline telephones and telephone trees. These trees were paper lists of people who needed to be called to respond to an emergency. Person A called persons B, C, and D; person B called E, F, and G; and so on. The paper lists were only as good as their most recent update, which in some cases could have been months earlier. The high-tech equipment available included fax machines and appropriately named beepers. (Historical note: the company I worked for in 1982 had a fax machine that could send out a fax to 10 locations simultaneously. However, it had to be hooked up - and I am not making this up - to 10 individual telephone lines!)

Fast forward to today. You absolutely must have an automatic emergency notification system installed and operable. These systems take advantage of today’s technology to notify just about anyone, virtually anywhere, at any time. Yes, you need to do setup and maintenance, but some of these systems will tap right into your human resources software to keep their contact lists current. You can send out e-mail, voicemail, text messages (SMS), and more to laptops, cell phones, landline phones, etc. You can also set up groups of people to be contacted, from one person to the entire company. These groups can be, for example, all human resources employees, the crisis response organization, senior management, or all people working on “The ACME Project.” Organizations, agencies, and groups outside your company can be programmed into the system, including local, state, and federal agencies and the news media; you can even target people living in a designated area or matching a particular demographic. These systems are as persistent as you want them to be, and they document who received what, when, and how.

Experience has shown that one of the toughest responsibilities in emergency response is the initial and follow-up notifications. You should invest in a quality and effective emergency notification system.
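As an added illustration, and not code from this article or from any notification product it describes, here is a small Python model of the behaviour described above: targeting by group membership, escalating through each person's channels in order, persisting until the recipient acknowledges or the rounds run out, and keeping an audit record of who was reached, when, and how. The contact directory, the phone numbers and addresses, and the scripted gateway outcomes are all constructed for the example; a real deployment would replace `scripted_gateway` with calls to actual SMS, voice, and e-mail gateways and pull the directory from the HR system.

```python
"""Emergency-notification fan-out: group targeting, channel escalation,
persistence until acknowledgement, and a delivery audit trail."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Iterable

# Outcome reported by a channel gateway for one delivery attempt:
#   "ack"        recipient confirmed receipt (pressed 1, replied YES, ...)
#   "delivered"  gateway accepted the message but nobody confirmed it
#   "failed"     gateway could not deliver (busy line, bounce, no signal)
Outcome = str
Gateway = Callable[[str, str, str], Outcome]   # (channel, address, message)


@dataclass(frozen=True)
class Contact:
    name: str
    groups: frozenset[str]
    # Channels in escalation order: round 1 uses channels[0],
    # round 2 moves to channels[1], and so on.
    channels: tuple[tuple[str, str], ...]


@dataclass(frozen=True)
class AuditRecord:
    recipient: str
    channel: str
    address: str
    attempt: int
    outcome: Outcome
    sent_at: str


class Notifier:
    def __init__(self, directory: Iterable[Contact], gateway: Gateway,
                 max_rounds: int = 3) -> None:
        self.directory = list(directory)
        self.gateway = gateway
        self.max_rounds = max_rounds

    def resolve(self, groups: Iterable[str]) -> list[Contact]:
        """Union of the requested groups, each person listed once."""
        wanted = set(groups)
        seen: set[str] = set()
        targets: list[Contact] = []
        for contact in self.directory:
            if contact.groups & wanted and contact.name not in seen:
                seen.add(contact.name)
                targets.append(contact)
        return targets

    def notify(self, groups: Iterable[str], message: str) -> dict:
        """Send to every member of the groups, escalating through each
        person's channels until they acknowledge or rounds run out."""
        pending = {c.name: c for c in self.resolve(groups)}
        acknowledged: list[str] = []
        audit: list[AuditRecord] = []
        for rnd in range(1, self.max_rounds + 1):
            for contact in list(pending.values()):
                # One channel per round; stay on the last one once exhausted.
                channel, address = contact.channels[min(rnd, len(contact.channels)) - 1]
                outcome = self.gateway(channel, address, message)
                stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
                audit.append(AuditRecord(contact.name, channel, address, rnd, outcome, stamp))
                if outcome == "ack":
                    acknowledged.append(contact.name)
                    del pending[contact.name]
            if not pending:
                break
        return {"acknowledged": sorted(acknowledged),
                "unreached": sorted(pending),
                "audit": audit}


def scripted_gateway(script: dict[str, list[Outcome]]) -> Gateway:
    """Constructed stand-in for real SMS/voice/e-mail gateways: returns the
    scripted outcomes for "channel:address" in order, then "failed"."""
    queues = {key: list(outcomes) for key, outcomes in script.items()}

    def deliver(channel: str, address: str, message: str) -> Outcome:
        queue = queues.get(f"{channel}:{address}", [])
        return queue.pop(0) if queue else "failed"
    return deliver


def run_demo() -> dict:
    """Constructed directory and gateway behaviour (not real people or numbers)."""
    directory = [
        Contact("alice", frozenset({"hr", "crisis-team"}),
                (("sms", "+15550100"), ("voice", "+15550100"))),
        Contact("bob", frozenset({"crisis-team"}),
                (("email", "bob@example.com"), ("sms", "+15550101"))),
        Contact("carol", frozenset({"it-dr"}), (("email", "carol@example.com"),)),
        Contact("dave", frozenset({"crisis-team"}), (("sms", "+15550103"),)),
    ]
    gateway = scripted_gateway({
        "sms:+15550100": ["failed"],              # alice's phone has no signal at first
        "voice:+15550100": ["ack"],               # ...but she answers the voice call
        "email:bob@example.com": ["delivered"],   # bob's mail lands but he never confirms
        "sms:+15550101": ["ack"],                 # bob replies to the follow-up text
        "email:carol@example.com": ["ack"],       # carol is not in the targeted groups
        # dave's only channel is never scripted, so every attempt fails
    })
    return Notifier(directory, gateway).notify(
        ["crisis-team", "hr"], "Activate the crisis team. Reply YES to confirm.")


if __name__ == "__main__":
    result = run_demo()
    for rec in result["audit"]:
        print(f"{rec.sent_at} {rec.recipient:<6} attempt {rec.attempt} "
              f"via {rec.channel:<5} -> {rec.outcome}")
    print("acknowledged:", result["acknowledged"], "unreached:", result["unreached"])
```

The point of the audit list is the one made above: after the event you can show exactly who was contacted, by which channel, on which attempt, and who never acknowledged. The "unreached" list is the follow-up notification queue, and a person whose only channel keeps failing (dave in the constructed data) is the case the old paper telephone tree silently lost.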

Integrating crisis communications processes. “What?” you say again. “I’m a hotshot business continuity (or disaster recovery) manager. I don’t need to worry about communications. That’s public relations’ job.” Wrong! It’s pop quiz time again:

Let's say your organization had an emergency event and the technical response teams did a great technical job. However, the communications response was poor.

Question: What will be the perception of the public, news media, your stakeholders, your employees, your management?

Answer: The entire response operation - including you - will be draped with failure.

Most organizations today have kept up with the communications technology revolution by having social media presence. This includes equipment and staff to monitor and respond to social media commentary and discussions regarding the organization. Smart companies also use social media to respond to and indeed get ahead of social media reaction to the company’s crisis. The problem I have seen the last few years is that the social media response is not well coordinated with crisis communications efforts. In fact, this sometimes also applies to the employee communications, customer/supplier updates, and government agency notifications.

Although the communications information source should be from the command center, the distribution of information can become scattered and uncoordinated. I have seen situations where information from the command center is distributed to the human resources department for employees; to public relations for the news media; to operations department for suppliers and distributors; to the sales department for customers; and to legal or government affairs for government agencies. Additionally, it’s usually marketing or PR/corporate communications that handles social media. But often there is no coordination of what is ultimately said to these various stakeholders. Sometimes it is contradictory! This is not good, and can make your whole operation look deceitful, evasive, uncoordinated, or at minimum sloppy.

Like it or not, your organization’s post-crisis image rests upon your crisis communications staff response!! And your response – and not the crisis itself – can become the story. So please work with your crisis communications staff!

Training, drills, and exercises. Over the past many years, I have seen several organizations spend fortunes on business impact analyses and business continuity plans/procedure manuals. Yes, these are necessary, and yes, they provide lots of good information. However, when it comes to exercising these plans, testing the response personnel, and proving the value of these documents, many organizations fall short. One of my areas of expertise is developing and conducting realistic and challenging exercises, and I particularly enjoy conducting a company’s first exercise. However, I have seen people walk into a command center, armed with their business impact analyses and six-inch-thick response binders, and not know what to do.

I have also seen exercises where the corporate business continuity manager was sitting in his corporate headquarters, some consultant was sitting in his workplace half the country away, and at a third location the office was supposed to respond to an “Exercise by PowerPoint” projection. I later talked to some of these response people; they told me that those exercises were a great way to get caught up with e-mail. What’s the point of the exercise?

Confucius said, "I hear and I forget. I see and I remember. I do and I understand."

The quotation from Confucius is apt: a responder can hear about the business continuity plan in training, and a responder can even read the business continuity plan. But until the responder actually does the actions that are in the plan, he or she will not understand what needs to be done. And that’s what you want: when the notification goes out, people understand what they need to do and then go do it. You don’t want them floundering around, looking at a plan and trying to figure out what to do. By then it’s too late.

So make sure that your business continuity (or disaster recovery) program provides individual skills training, such as leadership and spokesperson training. Conduct individual team drills (for example, for IT DR, security, EMS, crisis communications, evacuation, relocation, and setting up at a backup facility) so teams hone their skills and coordination. Then, finally, make sure your company’s emergency response plans will in fact work by conducting a successful integrated emergency plan exercise. If necessary, spend less money on your business impact analysis and your glossy emergency plans in bright red binders. These are shelf-ware. Put your resources into valid, challenging, and realistic exercises. It’s the best value for your limited resources; it’s the right thing to do.

Would you consider the influx of Millennials with the exiting of Baby Boomers to be a challenge to the technology changes in the resiliency industry? (i.e., loss of knowledge vs. incoming training needs)

The influx of Millennials coupled with the exiting of Baby Boomers is already a challenge to the technology changes in the resiliency industry.

Consider this real-life example: I recently conducted a series of exercises at individual hospitals and hospital systems. One scenario was an IT ransomware threat that eventually shut down the hospital network. IT merrily plugged away at restoring the network and systems. The real action, however, was on the hospital floors, where the doctors, nurses, and admin staff worked conscientiously to care for patients without all the IT systems and equipment upon which they had become totally dependent. Patients are literally hooked up to the network. Staff use hospital-issued, network-connected laptop computers, tablets, and cell phones to do their jobs. Paper, pen, and clipboard were rare. So when the network crashed, all these technology tools were rendered useless.

Now, the hospitals have emergency downtime procedures to handle most IT events. However, many of the procedures expected staff to use backup paper forms to carry out their responsibilities. The Baby Boomers were familiar with the forms and how to use them; the Millennials were not! Many Millennials could not fill out paper forms because they had never been trained to do so: all their input experience was on a laptop or tablet! Paper and pen were considered oh so last century. It was a valuable lesson that has since been addressed through training and mini-drills.

In MIT’s “Business Continuity & Crisis Management” summer program, we offer students the course materials in a conventional three-ring binder/paper format, online, or both. Baby Boomers want the binder and the e-files; Millennials only want the materials online. As the Millennials take over, will paper be passé? Where is the backup?

How does this apply to the resiliency industry? In general, we Baby Boomers don’t fully rely on technology because we know it can fail. Millennials? Technology that does everything is all they know. This is the challenge as the technology changes in the resiliency industry. This loss of practical knowledge points to a huge incoming training need.

So if you have all your business continuity and other emergency plans available only online or in the cloud, consider what happens when (not if) the technology becomes unavailable. There is a definite training need here. We Baby Boomers will be retired and on the beach, so we wish you Millennials well.
