Have You Planned For These Emerging Risks – Pandemics, Cyber Attacks And Terrorism?
Business continuity expert Bob Clark joins Danielle Ricci, Vice President of Marketing for AlertFind, to talk about how evolving threats - pandemics, cyber attacks and terrorism - are affecting today’s organizations.
In our upcoming webinar, he’ll discuss what companies need to know about these threats and how to adapt to a more agile approach to security threat assessment.
Here are some highlights from their conversation:
Join Bob and Danielle as they discuss how to assess emerging risks in our new webinar, “Understanding The 21st Century Risks Facing Your Organization,” at 11 a.m. EDT on Thursday, Sept. 13th.
Danielle Ricci: Gone are the days when businesses just had a handful of risks to worry about. How has the risk landscape changed over the past decade?
Bob Clark: It all started off with disaster recovery, which was just about IT. It was focused on the protection of computer assets and data was the primary driver, and that remained like that for about 15 to 20 years.
By the mid-1980s, business continuity planning had come along and we accepted that there were other risks to our resources, our resources being buildings, people, supply chains, etc. We would be foolish to overlook any threats that would disrupt our key resource areas because, if I can just take a step back from a process point of view, the business impact analysis, which we talked about in another webinar, that's broken into four component parts, and the last part is called Activity BIA, and that is the part which identifies all the resources that an organization depends upon. You always want to start with your business impact analysis.
Danielle Ricci: So, what’s an example of an incident that would cause a disruption to the business?
Bob Clark: Let’s look at an operational interruption. It doesn't matter what it is - it can be product-based or service-based. Just imagine that something has interrupted your operation.
Then I look at the various things that could cause that. It could be a people problem. It could be an ICT failure. It could be a building denial of access issue. It could be a supply chain issue.
Then break this down into all component parts. So we can actually trace it through and it will give organizations the ability to see at a glance how many things could disrupt our dependency on buildings, how many things could disrupt our dependency on people, how many things could disrupt IT.
You want to understand what threats are likely to cause any disruption to our resources. If the resources are disrupted, then it's potentially going to stop your operational capability or interfere with your operational capability. You're then in a situation of looking at it and, say, from both directions from the experience of other people as well as your own experience within your industry.
Danielle Ricci: What are the biggest evolving threats?
Bob Clark: Terrorism, cyber attacks and pandemics. Terrorism's been around a long time, but it's really taken off in the last six or seven years. When it comes to the cyber threats, that's really taken off since the mid-1990s once the World Wide Web had arrived and made it a lot more accessible.
So we can look at it from that perspective, and we can also look at it in terms of threat horizon, and here you can bring in things like pandemics, climate change, Brexit, and that is near horizon.
What effect is that going to have on businesses? Well, the jury's still out on that one, but we know it's going to have some kind of detrimental effect. I think it's inevitable.
Danielle Ricci: So let’s go into each threat and talk about the business impact.
Bob Clark: For terrorism, we discussed the Charlie Hebdo shooting in Paris in 2015. We've since seen it occur in other countries including in the United States. Most noticeably, the active shooter event at the Capital Gazette in Annapolis, Md.
It doesn't really matter whether it's Al-Shabaab, Boko Haram, ISIS, Al-Qaeda or just some nutter with a gun. The point of the matter is the end result is the same. People are going to get injured. People are going to get killed.
But more than that, it's the psychological effect of “This could happen here.” Yes, it could happen anywhere. That's the theory, but when you look at the probability of it happening to your organization, then that probability is not necessarily going to be particularly high unless you’re likely to be the victim of collateral damage because of where your organization is located.
I was talking to the security manager at the Corinthia Hotel in London a while back, and the Corinthia Hotel is not very far from Downing Street. There are a number of government buildings in close proximity, any one of which could be a target, and the security manager was actually the security manager at one of the hotels in Washington during Sept. 11.
He looks upon it in terms of we are facing a serious threat because if any one of those nearby buildings or Downing Street gets targeted, we could get caught up in the attack.
Now if you take the Europa Hotel in Belfast, that is the most bombed hotel in the world. I had a long conversation with the concierge, who was there during the Troubles that lasted the best part of 30 years. And he said, "We were a target. We know we were a target because the Irish Republican Army were looking to target anything and anyone who was seen as being in league with the establishment."
Mike Nesbitt, who until fairly recently was the leader of the Ulster Unionist Party, one of the political parties in the province, said it was persistence of the IRA to get it closed versus resistance from the hotel to stay open. And they actually, despite the number of bombings they had, they stayed open for 20 years.
So, in terms of terrorism, we're looking at the active shooter scenario, we're looking at the terrorist, we're looking at the idiot that just phones up and says, "Oh, I just left the bomb somewhere. I can't remember where. It's somewhere in the hotel." Is it a hoax? Is it genuine? You don't know. You can't take a chance. Otherwise, you're playing Russian roulette with people's lives.
So it's an interesting concept in terms of what organizations need to do. They should listen to the active shooter webinars that you have and look at what training they can do so that their people are aware.
When I look at the Parkland school shooting in Florida earlier this year, they reacted instinctively and that made a big difference as to how many were killed and how many were saved. Because they had gone through the process and knew what to do when this scenario happens, they didn't ask questions, they didn't say to the teacher, "What do we do next?" They just reacted. And that's exactly what organizations should be looking for.
Danielle Ricci: So what should organizations do that they’re not doing already?
Bob Clark: I think they need to understand the threat and here’s a good example of what the Metropolitan Police did in 2004. They created a program called Project Griffin. And Project Griffin is about raising awareness within the community about terrorism. In order to join in, you have to be vetted. And providing there are no issues, you would be allowed to join the program and learn more about what to look for and when to report suspicious behavior because the more people that know about how to react and how to recognize suspicious situations, the safer we will be.
The New York Police Department adopted a similar program to Project Griffin. Organizations should seek out what support and education is available from the police or security services. Often, they’ll go out to organizations, it might be a company, it might be a university or a school, and they actually do desktop exercises for terrorism. Now, it's not quite the same as having a live shooter situation or a rehearsal but they may also do that sort of thing as well.
Be prepared to participate in exercises where your counterterrorism organizations are looking to work with the commercial sector. Don't wait for them to come to you. Go to them. Just say, "We're thinking about doing a rehearsal. Can you advise us how to do it? Any suggestions of things to do? Would you support it in some way?" Because it's practice for them as much as it's practice for employees, in terms of how to behave.
Danielle Ricci: So how do cyber threats play into the current-day security threat assessments?
Bob Clark: A lot of organizations will say, "We're a bank. We're a target." Other businesses might say, "Oh, we're only an SME, no one's going to worry about us." Small- to medium-size enterprises represent low-hanging fruit which is easy to harvest for hackers.
So they might find that they are in fact a target by virtue of the fact that their security protocols aren’t very robust. Just because you are a small organization or even a one-man band, you may have something on your laptop or whatever you use that is useful. It could compromise your own organization. It could compromise your clients in some way.
So you're actually responsible for the data you have about your clients. In some cases, hackers will use smaller organizations to gain access to larger organizations. That’s why it’s critical that all companies take cyber security very seriously.
Danielle Ricci: So what do these emerging threats look like on a global scale?
Bob Clark: I was speaking at a Swiss university and several students were talking about how scared they were to be in Europe where there were a significantly higher number of terrorist attacks than in their home countries. Now when you look to the number of terrorist events that happened in 2014, there was something like 215 terrorist events.
These students were all from Asian countries, and when you looked at the terrorism record over a 10-year period for their home countries - it was less than all the attacks that occurred in one year in Europe.
The biggest of their three countries was China and they had something like 87 events over 10 years and when you consider the size of the population, when you consider the size of the country, from a statistical point of view, it's nothing.
Now if you look at the figures in 2014 for Afghanistan, Iraq and Pakistan, 47% of the 16,000 terrorist attacks that happened that year occurred in those three countries. And when you look at the U.S., again it just pales in comparison to what was going on in Iraq, Afghanistan and Pakistan.
So it's taking into account, if you like, what's happening in the country or countries that you're operating in. Because if you're operating in one of the three countries I just mentioned, then there's a high probability of something going down in your neighborhood at some point in time. Which, whether you're targeted or not, there is still the collateral damage that you need to consider. That could be your property. That could be your employees. And it's a major factor, I think, in terms of how you approach this within your risk assessment. So you have to tailor your risk assessment to the countries your business is operating in.
Danielle Ricci: How can businesses create a more agile approach to risk assessment?
Bob Clark: It's recommended that the business impact analysis is done at least once a year unless there is a major change within the company, whether it's an acquisition, merger, new products, products that have been discontinued, etc.
Organizations, if they've got a risk management function, then they should be doing their risk assessments on a regular annual basis. If a new threat comes up and they do an assessment of it and they think, "Oh, that could really cause us some grief if that happened in our backyard," that should be part of the business as usual risk management process.
Now, if an organization doesn’t have a risk management function, then it probably falls to the business continuity manager to actually perform a security threat assessment and they need to be aware of what's going on - both in the company and in the outside world.
So that's a major challenge. But if they can make the time to say, "So what's actually happening? Are there any evolving threats out there?" and if they can refer to organizations that keep track of these threats, that will help.
Danielle Ricci: For business continuity/emergency preparedness professionals that may not be familiar or comfortable with these areas, how can they quickly build their knowledge?
Bob Clark: There are a number of great websites that offer detailed information and tracking on these different threats. Organizations like Continuity Central send out regular newsletters about how many cyber attacks there were last month in big organizations and the volume of data that was stolen and that sort of thing. You can get that information and you don't necessarily have to pay for it.
For information on pandemics, consider the Center for Disease Control and the World Health Organization.
For terrorism, look at the Global Terrorism Database, run by the Department of Homeland Security and the University of Maryland.
Danielle Ricci: Pandemics, terrorism and cyber threats are all "universal threats" - can companies leverage state or national research/resources to aid in their planning?
Bob Clark: Don't be afraid to go to your local counterterrorism or law enforcement agency, and ask if they’d be interested in doing a rehearsal with you. Sometimes, they’ll do a community-wide drill you can participate in, as well. Having the police in your business can be a huge benefit for you both. They get a chance to learn more about your physical office space and provide feedback, and this can also pay off if they ever have to respond to your building.
Danielle Ricci: With all the focus on these universal threats, it can be easy to overlook smaller, regional threats. Are there areas that we need to cover?
Bob Clark: Well, when you look at the size of the UK, it fits nicely into Minnesota. With this smaller land area, it’s easier to cover all our national risks in the UK Risk Register. But when you look at the U.S., there is a vastly greater range of risks. So those states with a coastline may be vulnerable to tsunamis, those on a fault line are vulnerable to earthquakes, those that are close to volcanoes could have some fall out from the explosion, the volcanic ash, and so on.
And here we have a situation with California that the wildfires are out of control. So if you're dependent upon the supplier that happens to be in California in an area which is prone to wildfires, is that supply going to be reliable? And if I was the supplier, I'd be thinking, "Should I be moving my business somewhere else where I'm not going to be subjected to the effect of the fires and so on?"
You need to take that step back and look at it from a local point of view or from a regional point of view, or even from a state point of view if that's appropriate. What are the threats that I need to take account of? And are they really going to cause me any grief?
Because I think one of the things that I would recommend and here this is where I think the Business Continuity Institute with their 2018 Good Practice Guidelines have missed it, they're saying when you are considering what threats you should be analyzing and doing your risk assessment look at a variety of sources. What they haven't identified are national risk registers or in the case of the U.S., regional risk registers. So what are the things that are affecting your country or your region that you should also be considering? And that's something which I think we are not good at.
Danielle Ricci: With the rapid escalation of these new threats, does the standard risk matrix need to adapt, too? Or is it more of a matter of more frequent updating to stay current?
Bob Clark: No, they should do their risk assessment on the same schedule, unless they see a threat that requires them to update more frequently. The important thing to do is to take these new threats seriously.
I'm sure there are parts of the States, and the same in Europe, that seem a million miles away from any terrorist threats. So if someone was thinking, "I'm not sure if we should be worrying about terrorism," then go and talk to the local police and get their advice and if their local police are saying, "Well, our recommendation is take action," then at least they are taking the best advice of law enforcement. There's invariably someone who knows more about a particular subject than you do. There's no harm in going to him, her, them, whatever and saying, "Can you advise?"
Don't stick your head in the sand. And you may say, "Well, terrorism never happened in this little small backwater of Idaho or whatever," and suddenly bang. Something happens.
Join Bob and Danielle as they help organizations become more proactive about emerging threats in our new webinar, “Pandemics, Terrorism And Cyber Attacks: Is Your Organization Ready For An Evolving Risk Landscape?,” at 11 a.m. EDT on Thursday, Sept. 13.