We have recently been informed that Yahoo! has been hacked and has possibly lost up to 1 billion customer records. They have admitted that the information was lost in August 2013, but they are only informing their customers now. The impact and fallout of this incident is just starting. What can the business continuity manager do to stop this happening within their organization and secondly, how can we prepare for a similar event?
Yahoo! is on the slide, once synonymous with the internet and email, it is a shadow of its former self. For me they are a bit like a virus, using underhand tactics to infect your computer with their search engine. Only in certain circumstances do I get a Yahoo! to search for me and can’t work how to stop this happening. When you have to use these tactics to get in front of your potential customers, it does not show a company that is at ease with its brand and marketing.
The company is shrinking as they are losing customers through information security breaches. This cycle repeats itself with every breach and draws increasing attention to their non-vigilance in this highly sensitive area. There has been some talk in the papers about whether parts of the organization knew about the data loss but were reluctant to pass the information up to senior managers. When you have this type of culture going on within your organization, it is a struggle to manage an incident successfully. We all know that it’s not the initial incident that gets you, but the cover up.
So, what can the business continuity manager do? I think the first piece of advice I would give them, is if your organization is dysfunctional, on the slide, and does not take crisis management, resilience or business continuity seriously, your best option is to find yourself a new job! If you are knowledgeable and ambitious there are plenty of companies out there who would like to make use of your skills.
I have said time after time in my bulletins that one of the roles of the business continuity manager is to horizon scan and be aware of new threats which are not being sufficiently addressed. Senior managers may decide not to do anything to address the threat which is their prerogative, but yours is just to make them aware, qualify the impact and suggest appropriate mitigation measures.
With cyber events being in the news every week it is hard for any CEO to have missed the threat. What they may not know is their organization’s level of preparation and possible impacts. As the business continuity manager, you could suggest an independent audit against ISO 27001 perhaps, to determine your level of vulnerability.
Where I think you can add value is making sure your organization is prepared to respond to a cyber incident. Do you have a plan in place and has that plan been exercised? The techie guys, perhaps with outside help, will sort out the technical side of the response but the senior managers need to respond to the potential reputational damage an incident can cause. Possible scenarios can be played out in advance of difficult questions so those in the crisis team understand the implications of their actions. These could include whether to cut off connection to the outside world or pay a ransom.
The last area the business continuity manager can help in is ensuring appropriate responses are in place. Does the company have a contractor on standby or cyber insurance to ensure that experts can assist your own IT staff in responding to a hack? Do you have pre-formatted communications which you can send out to customers or staff, informing them of what they can do to protect themselves if their data is lost by your company?
Most business continuity managers are not experts in the technical aspects of a cyber response but we should be able to ensure that or organization is ready to manage a cyber-attack if it was to happen.