By David Honour
As we enter a new year it’s always a good exercise to look ahead at potential changes in the coming 12 months and what these might mean for existing business continuity plans and systems. Will the strategies you had in place in 2014 remain fit for purpose, or will some reworking be necessary? What emerging threats need to be considered to ensure that new exposures are not developing? In this article I highlight three areas which are likely to be the biggest generic business continuity challenges in 2015.
The rise and rise of information security threats
2014 was the year that information security related incidents took many of the business continuity headlines, with attacks increasing in sophistication, magnitude and impact. This situation is only going to get worse during 2015.
The greatest risk is that of a full-on cyber war breaking out, which would inevitably result in collateral damage to businesses. The first salvoes have been seen in a potential United States versus North Korea cyber war; but other state actors are also well geared up for cyber battle, including Israel, Russia, China and India. The cyber-warfare skills of terrorist groups such as ISIS should also not be underestimated.
Ransomware is another area ripe for growth in 2015. The willingness of some businesses to pay ransoms after having their systems disabled by ransomware is fuelling the problem, making it a lucrative industry for professional hacker groups. As well as hardening information security systems and increasing employee education programmes to protect against ransomware, businesses need to consider what their business continuity strategies would be in the case of a successful attack: what is the approach to paying ransoms? How would a ransom be funded? What does the company’s insurance cover in this area? What alternatives are there to paying ransoms? Additionally, a wider conversation between businesses and governments needs to be had about the ethics of paying ransoms and what support government can and should provide to impacted organizations.
Targeted attacks on organizations will continue to increase. The Sony attack shows just how successful a patient, well-crafted attack can be. The days of wide-scale virus attacks are numbered; but targeted attacks will go from strength to strength.
The buzz around organizational resilience will increase
2014 saw increasing conversations about ‘organizational resilience’, with speculation that it would succeed business continuity management, or that it would become the lead protective discipline, with other disciplines such as business continuity, disaster recovery, risk management, crisis management and emergency management all feeding into over-arching organizational resilience strategies.
The launch of BS 65000, the BSI’s new organizational resilience standard, helped to fuel this speculation; as did work on the new ISO/CD 22316 ‘Societal security -- Organizational resilience -- Principles and guidelines’ standard, which is due to be launched by ISO in 2017.
In 2015 the debate about organizational resilience will increase in intensity, and businesses will need to decide what actions they need to take, if any, to change their business continuity strategies and structures in response.
A prime leader of the debate will be the Business Continuity Institute, which recently changed its mission statement from one focussed on business continuity management to one focussed on resilience.
Measurement will become more of a focus within business continuity management systems
Continuity Central’s recent survey into quality control and measurement of business continuity management systems found that only 15 percent of respondents were happy with the current business continuity measurement systems within their organizations. Of the rest, 30.5 percent want to measure more so that they can know where to focus effort and investment to improve their business continuity management systems; and 45 percent want to measure differently to enable them to get more value from their measurement processes.
This dissatisfaction with current business continuity measurement practices, coupled with the requirement to measure that is contained within the ISO 22301 business continuity standard, is likely to see change, development and growth in this area.
David Honour is the editor of Continuity Central.