What to do When Plan-b Fails

Life has a habit of throwing curve balls at us. Unexpected events that change our daily lives. Businesses try to reduce the impact of these events and put in place contingency budgets, insurance and emergency planning documents. But what happens when those plans fail too?

‘Business-as-usual’ is the way that you work every day. You arrive at your office, you sit at your desk, power up your device and use the apps and services that you use to do your job. ‘Plan A’ – day-to-day operation.

However, what happens if something goes wrong? Curve balls are thrown at businesses in a number of different guises, fire, flood, theft, riots, power outages etc. To plan for these issues, businesses create a Business Continuity plan – a plan that shows how to keep the business going in the event of an incident. If the incident is more severe, then a Disaster Recovery plan may be invoked – this plan aims to assemble what assets are left of the business and attempts to re-start the business. Both of these plans are designed as a ‘Plan B’ fallback position. A plan of what to do next. These can also include ‘playbooks’ which will have pre-built scenarios based around specific threats and a set of instructions to reduce the impact on the business.

With the rise in use of the internet to do business came a new threat of cybercrime. With these new threats to businesses, new layers of defence and mitigations had to be added – firewalls, cyber insurance, risk managers, procurement policies, security operating centres, SIEMS and technical solutions to monitor all aspects of the business. Vendors have created tools to cover almost every type of threat imaginable from simple user access to the devices to full Nation State attack protection. Looking at the threat that cyber brings alone, companies worldwide are spending $124 Billion per annum on reducing the cyber threats to their businesses.

Plan B therefore needed strengthening to incorporate cyber threats and new mitigations were included into Business Continuity plans and Disaster Recovery plans. An example of this was the WannaCry ransomware infection that hit many businesses globally, but most newsworthy was the NHS – the UK main healthcare organisation. They invoked the Business Continuity and then Disaster Recovery plans, keeping the lights on still proved to be a significant issue. Plan B worked and the NHS was able to use fixes to put the lights back on and get the hospitals operational. Plan B worked in this example.

During late 2019 and into 2020, we have Covid19, the global pandemic that closed countries down and forced people to be isolated within their own homes. Plan B for businesses was taken out of their hands by legislation which forced non-essential businesses to close their doors. Plan B may have had some elements which would help businesses in terms of remote working – staff ‘dialling in’ over personal internet connections to access systems and applications. However, the speed at which Government announcements shut down the offices of businesses meant in some areas that Business Continuity plans were simply overwhelmed and unable to cope.

Most employees are operating in a remote way now if at all. Working remotely in isolation, sometimes using personal devices, sometimes using the limited technology we were able to borrow from the office. ‘Dialling in’ to their offices over personal internet connections being shared with kids working at home and streaming films and TV shows using various workarounds to gain access to systems and applications that may not have been implemented in a way to operate remotely. Where personal equipment is being used, often these are used by multiple members of the household. Then multiply this across the globe. The security risk to the business from this Plan B situation is significant. The opportunity for cybercrime is a very real and pressing issue.

In a Plan A business-as-usual day in the office, the devices would all be known to the monitoring software that the security team will be running, they would be from known suppliers with potentially locked down environments so only known software will be running. The employees would be connecting over known network connections through security products to the apps and services.

However, we are no longer operating in Plan A but instead Plan B and beyond. This is an unprecedented incident and herein lies the problem, Plan B is currently at breaking point. Businesses are bending the rules to make do and mend to keep themselves operational during the worldwide crisis. Plan B is starting to fail. Most businesses are coping but at what cost? Due to the speed of change to businesses, security measures were side-lined in favour of getting businesses back online, potentially leaving them vulnerable to attack.

So, with Plan B now failing, what comes next? How can businesses cope with unprecedented incidents? The plans cannot cater for every event, that is simply impossible and so what should businesses do? What comes after Plan B? The following are some basic headline tips that can help a business make good decisions whilst under pressure:

  1. Use flexible frameworks for playbooks – playbook tells the user what to do in detail under certain incidents e.g. if there is a fire then evacuate, call emergency services, do a roll-call etc. However, when a major incident occurs, you will need to be flexible so create a loose framework which looks at confidentiality, integrity, availability and welfare under good management control.
  2. Do not compromise on security – keeping your organisation safe should be as primary a concern as staff welfare. With the cost of the average cyber-attack to UK enterprises running at $3.88 million per breach and with fines for GDPR running at 2% of revenues then having security underpinning change then you are protecting the profits, the business, the staff, suppliers as well as the end customers.
  3. Be aware of what is out of your control – personal routers, ISPs, power grids. You will not be able to plan for absolutely every eventuality, but you can make your employees aware of what you can support and what they will need to look at in their own environment. There is a shared risk and employees should recognise that.
  4. Communication is key – invest as much time as possible keeping employees up to date during an incident with what is going on and expected next steps. You will also need to externally communicate to suppliers and clients, so, ensure all management has PR training and funnel all communications through a central channel. Remember that good messaging can keep your business going during a major incident.
  5. Test greater than your plan – As part of your Business Continuity and Disaster Recovery testing, integrate into this your risk register. This will give you visibility of what is important and vulnerable to the business. Test at least once a year using a scenario that your Plan B cannot cope with. Test greater than your plans – this may mean doing security testing on devices outside of your infrastructure.
  6. Employee culture should be your friend – if you create a supportive environment for your teams then should Plan B start failing, they will be there to help you back. As they are disrupted too, it is in their interest to get the business operational post-incident. Ensure that you have that trust relationship.

Truly devastating incidents for businesses and their employees can happen on a global scale. We have seen other natural disasters such as tsunamis, earthquakes and volcanic eruptions. Plan B should be a fall-back position, the next step after business-as-usual. However, when the incident is on a massive scale, major service outages, supply chain disruption, then businesses need to plan differently and consider what comes after Plan B.