Operational Resilience and Impact Tolerance: Are you ready for the next wave?

Humanity will make history if C19 is a single-wave pandemic. The bubonic plague lasted in Europe between the 14th and 18th Centuries with 3 major waves. In 1346 it wiped out one third of Europe’s population; in 1361 an estimated 10-20% of the remaining population died of plague; the next wave in 1374 is virtually unrecorded! While Shakespeare was writing his plays there were 2 taboo subjects which were barely mentioned: one was the plague – “A plague o’ both your houses” ~ Mercutio; the other was the disastrous military campaigns in Ireland! The World Health Organisation finally declared the third wave of bubonic plague as expired in 1959 – that is only 61 years ago!

C19 is a timely reminder, both individually and collectively, that we need to maintain our own operational resilience and impact tolerance. Last month, I discussed how the Bank of England and others are pushing for operational resilience and impact tolerance to be regulatory requirements but it goes beyond that – C19 is a harbinger for many, especially the SME community, that you must be able to look after yourself.

The first wave of the pandemic has shown that many businesses have been able to pivot from being office-based to supporting staff working from home. However, as the lockdown continues to extend, business leaders need to think about how to maintain long-term productivity, staff wellbeing and security – will the State have the wherewithal to manage another wave? I very much doubt it.

Global markets demand global contact so, for the foreseeable future, the ability to withstand wave after wave of uncertainty requires the right organisational culture and resilient mindset.

Shifting Resilience & Sliding Productivity

The NCSC Cyber Aware campaign is reaping collective benefits. Since its launch on 21 Apr 20, it has received over 508,985 suspicious cyber activity reports from the public with 3,768 previously unknown phishing URLs being removed and 40,086 views of advice and guidance. This is evidence of shifting resilience. Some firms have modified their websites to give access to easy-to-understand instructions to users on what to do in relation to securing their home offices and segregating their work connectivity from, say, their entertainment or IoT networks.

Productivity is also under pressure with growing confusion and uncertainty on when to unplug. Recent surveys show that large parts of the workforce struggle without the structure of a workday, a factor exacerbated by being overloaded with an exploding catalogue of digital tools – an 8x8 report this month highlighted that a majority (62%) of those surveyed said that they are now using more digital apps and tools in their jobs. Just over two-fifths (42%) used between 6 and 15 different apps and platforms during their working day, while a small minority used between 16 and 20 (2%) or even more (1%).

Much of the difficulty in separating work from home is driven by a majority using personal devices (67%) and personal communication apps (55%) for work purposes. The survey also found that 42% of British workers feel more stressed and overwhelmed than when in the office, blaming too many apps, a blurring of the lines between work and home life and difficulty unplugging. This is not to mention the increased cyber vulnerability surface. Taken together, organisations must be clear on their in-place controls and defences and the associated cost-benefit analysis in this new era: resilience is proportional to the situation.

Physical & Cyber Security

Working from home places greater emphasis on BYOD control and the ability to reliably segregate the confidentiality and availability of work-related data from home-life and, most likely, school-life. Employees must be aware of the dangers of adding shadow IT and unprotected devices to the network and how to securely configure all their approved devices so that they can process work-data appropriately. Employers need to adjust their risk postures and mitigation strategies to manage a more dispersed and decentralised info-structure. Be under no illusion: nation states use whatever means to take best advantage of the weak links of home networks and children desperate for the latest online fun.

Similarly, now is a good time to take stock of the digital tools recently rolled out to support home working: which ones are delivering against business needs and which ones are taking up bandwidth in people time, network space and added cost? It is important to fully understand the underlying driving forces and to adjust the implementation strategies accordingly. If this means retiring novel tools then so be it – don’t let the tail wag the dog.

Response Framework

As the UK’s workforce begins its return to a new-normal, now is the time to examine your response frameworks – are they fit for purpose? Are they resilient and flexible enough to handle a 2nd or even a 3rd wave of uncertainty? Where will the resources, money and team goodwill be found to deal with these likely challenges? These scenarios need to be considered, costed and tested.

This paradigm shift provides a unique opportunity to re-evaluate your resilience and impact tolerance. A sustainable home-working environment with suitable social channels and a regular communications routine to avoid isolation syndrome offers a potential cost-saving but needs to be considered in the context of data confidentiality, availability and staff well-being.

Any enterprise whose staff figures exceed 30–40 really ought to evaluate these options through a balanced-scorecard approach. Over the past 18 months, Spectra Analytics, working with Perimeter Group, has developed a leading-edge Operational Resilience and Impact Tolerance Maturity Assessment, known as ORBITT, to help enterprises effectively manage resilience challenges like global pandemics by analysing the key vectors of digital and physical infrastructures; enterprise controls and defences; response frameworks and their effectiveness; and, most importantly, a resilient organisational culture and mindset.

Visit our new LinkedIn Showcase page to find out more about ORBITT https://www.linkedin.com/showcase/orbitt.ai/

————————————————————————————————

This blog was written by Spectra Analytics Chief Information Officer Chris Crowther. Chris has over 25 years’ experience in the information assurance and security domain.

He is uniquely qualified to understand the evolving threat environment, as well as having an exceptional track record of driving and delivering change in complex organisations.

He is a global digital leader with senior experience with the UK military and other Government Departments, US Military and Federal Government, the United Nations, KPMG and Airbus. Amongst a plethora of awards and accolades from the UK and US, Chris’ contribution to the world of Information Risk was recognised in 2016 by his qualification as a CESG Certified Professional Lead Security and Information Risk Advisor. Chris is co-founder and chair for the West of England Cyber Cluster.