With so much travel and client contact, a lot of lessons were learnt in 2018, and I’d like to provide a snapshot of them below.
How Incident Management Exercises Become Reality
Last year RiskLogic ran around a hundred exercises. However, the most interesting statistic is the number of sessions that were interrupted due to a real event.
Of all those sessions, 10% of them had to be suspended or cancelled due to a real event impacting the organisation.
Those averages mean that for every ten exercise sessions you’ll run, one of them will be cancelled due to a real event.
Prior to our exercises, a RiskLogic facilitator briefs everyone on the exercise and reminds them that “if the alarms or your phones do go off, and the person does not say ‘This is part of your crisis management exercise’, then it’s probably a real event”.
But then, Karen’s phone starts ringing. She answers and realises that it’s a situation eerily like that of the exercise. “Brad, I’ve got a call here regarding some protesting down in our lobby, is this your people?”
“No Karen, it’s not!”.
Although a distraction to the day’s training, these real events emphasise to the team the importance of doing regular scenario exercises (it also helps that I am there to observe and record).
It’s vital to mix up the scenarios, especially as your team gets more experienced. Go back to the threat analysis you did in your Business Impact Analysis (BIA) and consider scenarios based on:
- Your likely-to-occur, high-impact events.
- Global news and real events to replicate (keeping them relevant to your organisation).
We always recommend a benchmark of one exercise per quarter; the minimum should be once a year.
General Data Protection Regulation
In early February, RiskLogic published an article regarding the new General Data Protection Regulation (GDPR) that will affect any organisation or persons who hold European data. This new regulation, although positive for its subjects, became another complex task for organisations to get their heads around.
It was predicted that the EU could collect up to $6 billion in the first year due to many organisations not taking these changes seriously.
The regulation affects anyone holding European data and requires a detailed breach report within 72 hours. This may affect:
- A New Zealand or Australian (ANZ) organisation with an office in the EU.
- An ANZ organisation whose website targets EU customers; for example customers being able to order goods or services in a European language (other than English) or accepting payment in Euros.
- An ANZ organisation whose website mentions customers or users in the EU.
- An ANZ organisation that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals in order to analyse and predict personal preferences, behaviours and attitudes (largely used for marketing).
The fine for failure to report a breach could be up to 2% of the organisation’s annual revenue, or 10,000,000 Euros (whichever is larger).
This year it appears that the GDPR’s success isn’t going unnoticed. On Sunday, the CBS television program 60 Minutes reported on the EU GDPR and the state of play for privacy regulation in the U.S.
“For decades, companies like Google, Facebook and Amazon have made vast sums monetising the personal information of their users with almost no oversight or regulation”
CBS News correspondent Steve Kroft said.
“They are still making vast sums of money, but public attitudes about their size, power and their ability, or willingness to police themselves are being called into question”.
The growing consensus, driven by the GDPR and the California Consumer Privacy Act of 2018, may set the groundwork for a federal law in the U.S. with other countries looking to follow suit.
Last year, using our own Cyber Security Incident Management Procedures program, we compiled the top five steps you should have been considering by May 2018.
1. Acquire a detailed Cyber Security Incident Management Procedure and Plan.
2. IT Personnel Have Access to General and Specific Cyber Procedures.
3. Document Escalation Paths for Major Events.
4. Identify the Risk Classification.
5. Know what Your Reporting Channels are.
Working from Home During Cyclone Gita
Last year’s World Economic Forum report listed severe weather, natural disasters and cyber-attacks as its top three risks to organisations in terms of likelihood. For the lucky people living on this side of the planet, I don’t think anyone would disagree with this list.
Living in paradise does have its hurdles. New Zealand seems to sit in the firing line of just about every natural disaster you can think of.
Severe Tropical Cyclone Gita was the most intense tropical cyclone to impact Tonga since reliable records began. Forming in early February as a monsoon trough that was active in the South Pacific, it twisted, turned and tumbled towards New Zealand via Fiji.
On the 9th of February 2018, as Gita passed near Samoa it had organised itself into a Category 1 Tropical Cyclone and by the 10th, a severe Tropical Cyclone.
Just as Queensland organisations suffered a Business Continuity event during Cyclone Debbie the year before (schools closing after parents had dropped their children off), New Zealand experienced similar issues.
Those that avoided the physical damage did not escape Cyclone Gita’s wrath entirely, with many organisations being affected by critically low staff numbers.
One hundred and twenty schools were closed across the country, as well as seventy early learning centres, meaning thousands of parents had to arrange carers or work from home.
Was Cyclone Gita enough for you to activate your loss of key staff strategy that week? If you’ve struggled with this, here are my six tips on having a robust and tested working from home policy:
1. During your BIA interviews, make sure you are identifying the human resources required to deliver a critical process.
– Ask your staff whether they have the ability to work remotely.
2. Answering yes is not proof of concept. Make sure you validate that your critical personnel can work from home.
– Get them to try it when you are not in the middle of a crisis!
3. Does your IT department have a list of how many users might need to work from home? Can your IT department handle three hundred staff logging in remotely?
4. Do your remote users need tokens to access the network or external third-party systems? Do they have them at home?
5. As part of your BIA, did you create a seating plan?
– This is a list of critical personnel who can work from home and those who need a dedicated workstation on your local network (call centres, for example).
6. Can your staff work from home, and do they have the right environment to do this? Can they still be productive? Are there any H&S issues to consider?
With recent advances in technology, working remotely is now becoming the norm. However, it’s very easy to write that into your plan when, in reality, it might not be a viable recovery option. Validation is the key.
This Year’s Constant Variable
Regardless of what the 2019 World Economic Forum report brings and what you might have to respond to during an incident, the one constant is you will need a good communications plan to deal with any of the Top 3 risks. So, do you have one?
My recommendation for this year is to put a communication strategy in place:
1. The preparation of a good plan will allow you to do 80% of the heavy lifting well before a crisis hits. Plans should contain unique tools, templates and checklists that guide strategic direction and allow the team to execute efficiently during a crisis.
2. Any Crisis, Business Continuity or Incident Management Plan is only as good as the team using it during a crisis. It’s all about the people. Don’t just train your Communications Manager; train the whole Communications Team, as well as reserve staff. During a major crisis the Communications Manager will quickly get overwhelmed with delivery and will need all the help they can get from their wider Communications Team.
3. Training should be interactive. This is the time when team members learn their roles and responsibilities and how to use the tools, templates and checklists. Most importantly, the team learns how to use the plan to formulate the most appropriate communication strategy that meets the objectives of the wider Crisis Management Team.
4. We would recommend standalone media training, especially for CEOs and other senior executives authorised to deliver media interviews. This could be a one-hour face-to-face training session or a one-hour recorded radio and TV interview, with allocated time for playback and critiquing.
As an organisation, we have operated through high profile crises, so we know how difficult it is to perform effectively under the enormous pressure and additional workload that a crisis brings.
Planning in advance allows your organisation to prepare for the worst, so it can communicate at its best.
Until next time, have a resilient year ahead and remember to always Plan, Do, Check and Act…