What to do When Plan-b Fails

What to do When Plan-b Fails

Life has a habit of throwing curve balls at us. Unexpected events that change our daily lives. Businesses try to reduce the impact of these events and put in place contingency budgets, insurance and emergency planning documents. But what happens when those plans fail too?
planbfail

Life has a habit of throwing curve balls at us. Unexpected events that change our daily lives. Businesses try to reduce the impact of these events and put in place contingency budgets, insurance and emergency planning documents. But what happens when those plans fail too?

‘Business-as-usual’ is the way that you
work every day. You arrive at your office, you sit at your desk, power up your
device and use the apps and services that you use to do your job. ‘Plan A’ – day-to-day
operation.

However, what happens if something goes
wrong? Curve balls are thrown at businesses in a number of different guises, fire,
flood, theft, riots, power outages etc. To plan for these issues, businesses
create a Business Continuity plan – a plan that shows how to keep the business
going in the event of an incident. If the incident is more severe, then a
Disaster Recovery plan may be invoked – this plan aims to assemble what assets
are left of the business and attempts to re-start the business. Both of these
plans are designed as a ‘Plan B’ fallback position. A plan of what to do next.
These can also include ‘playbooks’ which will have pre-built scenarios based
around specific threats and a set of instructions to reduce the impact on the
business.

With the rise in use of the internet to
do business came a new threat of cybercrime. With these new threats to
businesses, new layers of defence and mitigations had to be added – firewalls, cyber
insurance, risk managers, procurement policies, security operating centres, SIEMS
and technical solutions to monitor all aspects of the business. Vendors have
created tools to cover almost every type of threat imaginable from simple user
access to the devices to full Nation State attack protection. Looking at the
threat that cyber brings alone, companies worldwide are spending $124
Billion
per annum on reducing the cyber threats to their businesses.

Plan B therefore needed strengthening to
incorporate cyber threats and new mitigations were included into Business
Continuity plans and Disaster Recovery plans. An example of this was the WannaCry
ransomware infection that hit many businesses globally, but most newsworthy was
the NHS – the UK main healthcare organisation. They invoked the Business Continuity
and then Disaster Recovery plans, keeping the lights on still proved to be a
significant issue. Plan B worked and the NHS was able to use fixes to put the
lights back on and get the hospitals operational. Plan B worked in this
example.

During late 2019 and into 2020, we have
Covid19, the global pandemic that closed countries down and forced people to be
isolated within their own homes. Plan B for businesses was taken out of their
hands by legislation which forced non-essential businesses to close their
doors. Plan B may have had some elements which would help businesses in terms
of remote working – staff ‘dialling in’ over personal internet connections to
access systems and applications. However, the speed at which Government
announcements shut down the offices of businesses meant in some areas that
Business Continuity plans were simply overwhelmed and unable to cope.

Most employees are operating in a remote
way now if at all. Working remotely in isolation, sometimes using personal
devices, sometimes using the limited technology we were able to borrow from the
office. ‘Dialling in’ to their offices over personal internet connections being
shared with kids working at home and streaming films and TV shows using various
workarounds to gain access to systems and applications that may not have been
implemented in a way to operate remotely. Where personal equipment is being
used, often these are used by multiple members of the household. Then multiply
this across the globe. The security risk to the business from this Plan B
situation is significant. The opportunity for cybercrime is a very real and
pressing issue.

In a Plan A business-as-usual day in the
office, the devices would all be known to the monitoring software that the
security team will be running, they would be from known suppliers with
potentially locked down environments so only known software will be running.
The employees would be connecting over known network connections through
security products to the apps and services.

However, we are no longer operating in
Plan A but instead Plan B and beyond. This is an unprecedented incident and herein
lies the problem, Plan B is currently at breaking point. Businesses are bending
the rules to make do and mend to keep themselves operational during the
worldwide crisis. Plan B is starting to fail. Most businesses are coping but at
what cost? Due to the speed of change to businesses, security measures were
side-lined in favour of getting businesses back online, potentially leaving
them vulnerable to attack.

So, with Plan B now failing, what comes
next? How can businesses cope with unprecedented incidents? The plans cannot cater
for every event, that is simply impossible and so what should businesses do?
What comes after Plan B? The following are some basic headline tips that can
help a business make good decisions whilst under pressure:

  1. Use flexible frameworks for playbooks – playbook
    tells the user what to do in detail under certain incidents e.g. if there is a
    fire then evacuate, call emergency services, do a roll-call etc. However, when
    a major incident occurs, you will need to be flexible so create a loose
    framework which looks at confidentiality, integrity, availability and welfare
    under good management control.
  2. Do not compromise on security – keeping
    your organisation safe should be as primary a concern as staff welfare. With
    the cost of the average cyber-attack to UK enterprises running at $3.88
    million per breach
    and with fines for GDPR running at 2% of revenues then
    having security underpinning change then you are protecting the profits, the
    business, the staff, suppliers as well as the end customers.
  3. Be aware of what is out of your control
    personal routers, ISPs, power grids. You will not be able to plan for
    absolutely every eventuality, but you can make your employees aware of what you
    can support and what they will need to look at in their own environment. There
    is a shared risk and employees should recognise that.
  4. Communication is key – invest as much
    time as possible keeping employees up to date during an incident with what is
    going on and expected next steps. You will also need to externally communicate
    to suppliers and clients, so, ensure all management has PR training and funnel
    all communications through a central channel. Remember that good messaging can keep
    your business going during a major incident.
  5. Test greater than your plan – As part of
    your Business Continuity and Disaster Recovery testing, integrate into this
    your risk register. This will give you visibility of what is important and
    vulnerable to the business. Test at least once a year using a scenario that
    your Plan B cannot cope with. Test greater than your plans – this may mean
    doing security testing on devices outside of your infrastructure.
  6. Employee culture should be your friend
    if you create a supportive environment for your teams then should Plan B start
    failing, they will be there to help you back. As they are disrupted too, it is
    in their interest to get the business operational post-incident. Ensure that
    you have that trust relationship.

Truly devastating incidents for businesses and their employees can happen on a global scale. We have seen other natural disasters such as tsunamis, earthquakes and volcanic eruptions. Plan B should be a fall-back position, the next step after business-as-usual. However, when the incident is on a massive scale, major service outages, supply chain disruption, then businesses need to plan differently and consider what comes after Plan B.

Author Details

Stuart Coulson, Freelance Consultant and Director at HiddenText Ltd

Stuart is currently a freelance security consultant and has a long history in the infosec community. He has previously worked in compliance as well as for a not-for-profit addressing the cyber skills gap. More recently, his focus has been aimed towards security education and awareness.

Share on facebook
Facebook
Share on google
Google+
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on pinterest
Pinterest
Scroll to Top