Guerrilla warfare, guerrilla marketing, guerrilla negotiating – if all these things can benefit from a ‘guerrilla’ point of view, how about business continuity management? The basic concept is to get bigger results from a smaller amount of resources, possibly supplemented by some lateral thinking. Guerrilla soldiers don’t have the big guns and tanks of their adversaries. Guerrilla marketers don’t have the big television and print budgets of their competitors. And guerrilla negotiators learn to think around business deals to turn losing propositions into winning ones. Guerrilla business continuity management can draw on each of these areas to help BCM move forward.
In disaster recovery, technology is often a neutral element – neither good nor bad, in itself. Some technologies are better suited to specific needs or offer relative improvements to existing solutions. What determines whether an organisation benefits or suffers is the application of technology. When it is used unthinkingly and incorrectly, the horror stories start. Worse still, many technology-related disaster recovery failures are repeats of catastrophes that were already happening decades ago. What have we learnt since then – or what should we have learned?
How does a business cope with regulations that, when piled on top of each other, are ‘three Eiffel Towers high’? That’s the future for the financial industry, according to a recent report from financial regulations consultancy JWG and its forecast for the situation in 2020. But regulatory risk is also growing in many sectors. New legislation is swinging into play relating to developments unforeseen five years ago. Should organisations simply chase ever-evolving and expanding regulations to try to remain conformant? Or is there an opportunity here, disguised as a problem?
The Ebola outbreak in West Africa is taking a horrific toll in human lives on a scale that is unprecedented. It is also happening in a place that makes the whole rescue process an order of magnitude more difficult. Besides trying to save those already infected, aid workers must cope with the fact that the disease moves more easily outwards than medical supplies and vaccines can be brought inwards. The gradual improvement of logistics and transport in the region over the last few decades is having a perverse effect. It is encouraging the spread of infection, but hindering measures to eliminate it. How can this be?
The world turns and things change – and that includes computer hacker approaches too. The immediate threats of malware and cybercriminals are relatively well-known. Phishing emails are designed to get you to click right away on a hacker’s link. Worms burrow through systems, always on the go. Viruses in that free software you should not have downloaded replicate and ravage. But now there’s a new menace with a different approach. Instead of attacking your system now, some hackers are making themselves at home for the longer term. They enter by stealth and lie low. Then they start to use your computers – just like they were their own computers. Welcome to the Advanced Persistent Threat or APT for short.
With the deaths of more than 4,000 people and an estimated 8,000 cases (at this time), the Ebola epidemic has affected three West African countries in particular. But Ebola could also spread to become a pandemic without geographical limitation. There are three key questions to be answered:
The times, they are a-changing. Mobile computing devices, not to mention BYOD and a millennial attitude, mean that a substantial number of employees in enterprises now do their work away from their desks. Whether at home, in a bus, train or plane, or in their favourite coffee-shop, if there’s a Wi-Fi connection available, there’s a potential workspace in the making. But naturally enough, all this may then escape the control of the enterprise, at least partially. For instance, how can companies then implement effective work area recovery for such nomadic workers in the event of an IT incident?
With the security threats around today, the sheer mass of information and the vulnerabilities to attack, it has to be admitted that information security is a challenge. But not an insurmountable one. The right information security takes planning and organisation. The advantages include prevention of loss and damage through information being stolen or compromised, as well as a more alert, capable workforce. So why does one recent survey show a downwards trend in implementing information security procedures?
Knowledge is a tricky thing to handle. Sometimes you can’t get it to stick, for instance, when you’re trying to get people to use a purpose-built sales forecasting system instead of Excel files. Sometimes you wish you could magically unstick it, in the same way you can erase memory sticks. Employees leaving the business are a case in point. In their heads they hold information about products, plans, customers, system logons and more. As the erasable employee is not currently a reality, you’ll have to face the fact that they will walk out with confidential data in their heads. What can you do about it?
Information security often conjures up notions of complex anti-virus software, hardware firewalls and perhaps a high security data centre with biometric access checks. All of this is possible and often used to good effect. However, it would be a mistake to think that security stopped there. Like the Maginot Line in France at the beginning of World War Two, it’s no good being bullet-proof at the front if the enemy sneaks in round the back. And attackers in cyberspace know that it is often faster and easier to get the access information they need through human security lapses than through technical hacking. So what should you be looking out for?
Which disaster recovery measurements do you really need? The answer is the ones that are effective in helping you to plan and execute good DR. So your choice will naturally depend on your IT operations. The two ‘classics’ of the recovery time objective (RTO) and recovery point objective (RPO) are so fundamental that they apply to practically all situations. But suppose your organisation is running a service-oriented IT architecture with business applications like ERP using resources supplied by other servers. If some of the servers cannot be recovered satisfactorily, there may be a secondary impact elsewhere. How can you measure this situation and define a minimum acceptable level of recovery?
A recent announcement explained that cyber-security ‘big names’ McAfee and Symantec have agreed to share their threat data. It’s a development that should benefit customers of both vendors. Historically, IT vendors have swung back and forth between the multi-vendor approach (“we’ll handle the other vendor’s stuff for you”) and so-called coopetition, where two or more providers join forces, for instance by agreeing to operate to a common standard. The McAfee-Symantec pact ranges from sharing malware signatures to information on real-time attacks. Who else might follow this apparently enlightened example?
When should you bring in new technology? When it does a better job at meeting your needs, of course. It’s the same for business continuity management. Migrating from in-house physical servers to cloud computing services should be properly justified, for instance by lower costs, higher reliability and better performance, without sacrificing data confidentiality, control or conformance. While cloud computing makes sense for many organisations, there are cases where it doesn’t (for example, cloud computing isn’t always cheaper). Looking at the following business criteria and then analysing what new generation technology has to offer may be the smarter way to do things.
It’s an unfortunate truth. The holes in your IT security are most likely to be where you neither see them nor expect them. That means they’ll be outside the basic security arrangements that most organisations make. Firewalls, up-to-date software versions and strong user passwords are all necessary, but not sufficient. Really testing security is akin to an exercise in lateral thinking or even method acting. You have to look at your systems and network from the outside to see how a hacker or cybercriminal might try to get through or round the mechanisms you’ve put in place. And there’s more still to this inside-out approach to protecting your organisation.