8 Bad Things: The Most Common Business Continuity Threats

Richard Long

People in business continuity talk a lot about black swans: unexpected events that come from outside normal experience and have strongly negative effects.

Black swan events are definitely worth thinking about and being prepared for due to their potentially catastrophic impacts.

However, in today’s post, we are going to talk about the opposite of black swan events. Some people refer to such events as white swans, but I am going to refer to them as “8 Bad Things That Are Likely to Happen This Week.”

These are negative events that I think actually have a high likelihood of happening to some organization somewhere in the coming week—or at any rate, they are things that happen fairly frequently, having a negative impact each time.

If one of these events happens to your organization, will you be ready?

Here’s my list of bad things that are likely to happen this week:

8 Common Business Continuity Threats

  1. An organization somewhere will suffer a cyber breach. It will likely involve one or more of the following: ransomware, a denial of service attack, a phishing attack, malware, or an active attack exploiting network security vulnerabilities. If your organization has not made preparations to cope with a cyber attack, then it’s time you reevaluate the risk assessment component of your BC program. Sooner or later, your company will face a cyber event. For more on cyber breaches and how to protect yourself against them, see these two recent posts: “Email Security: How BC Professionals Can Help Their Companies Stay Safe” and “Staying Safe While Browsing the Web: How You Can Help Protect Your Organization.”
  2. An organization will suffer losses caused by a breakdown at a single point of failure. This could involve technology, such as a single server or single network device, or a person who is the only one possessing certain specific knowledge or expertise. The organization affected might have been aware of the single point of failure for some time (and been putting off dealing with it), or they might be completely surprised to learn of it.
  3. An organization will suffer an outage of a major application or service. The coming outage could involve technology, such as a single server or single network device, or it might overlap with the issue of single points of failure described above. It might also be caused by human error, lack of planning, or inadequate change management. (Did you know that the recent two-hour outage of cash registers at Target stores nationwide was caused by an error made during scheduled maintenance?)
  4. An organization will suffer an impact due to the lack of appropriately trained staff. This is different from having a person as a single point of failure. This is about not having enough people trained and available to do critical tasks, especially during a crisis. This can make a bad situation worse. Many people who are designated as responsible for taking certain actions during an emergency are insufficiently trained or unaware of their responsibilities. And any event which impacts employees’ homes and families is likely to see many staff unavailable to carry out their roles in the recovery plan. For more information on the issue of staff unavailability, see our recent post, The Neglected Side of Business Continuity: Problems Not Related to IT.
  5. An organization will be impacted by the unavailability of a key vendor-provided service. Generally, the resiliency of SaaS and IaaS solutions is high, but many organizations that rely on these for critical processes have no true backup solution. Did you hear about last month’s outage involving Google’s various services? Gmail and Google Calendar were down for some users in the Eastern U.S. It’s likely that at some organization somewhere in the coming week, the unavailability of a third-party service and the lack of a viable backup or workaround will cause a significant impact to some business process. This could also be a critical vendor or supplier of products. Many organizations are reliant on a single vendor with no true alternate source for the product.
  6. An organization will be affected by a regional infrastructure outage. This one isn’t too likely to happen over the next week—but power outages are on the rise nationwide. And the chance of a region-wide outage occurring is increasing as hostile countries refine their ability to target U.S. power grids and computer networks. (For details, see this recent New York Times article.) Such outages can affect power, internet, water, phone and other utilities. The loss of these services could impact your ability to use your facilities or implement your relocation strategy. Many companies’ workarounds and recovery solutions depend on cell phones and the internet. If those services go down, the workarounds will no longer function. Back-up power generators are unlikely to be able to provide sufficient power to the necessary workspaces in buildings or locations. People working at home in accordance with the recovery plan are unlikely to have backup generators.
  7. Individual components of an organization will fail. This is about non-IT components, such as critical staff and machinery. It also encompasses bad decisions made by key personnel. Somewhere, somehow, in the coming week, a key person will be absent or make a bad decision, or critical machinery will break down, seriously impacting an organization. In fact, this is the most likely kind of failure to occur.
  8. An organization’s recovery will fail because it has not defined and documented its dependencies for processes and technology. Organizations typically define and document the obvious dependencies but overlook the hidden or automated processes. Technology examples include license services or servers and connections for dependent data or reporting. Process examples include exceptional situations which are necessary (just because a use case is not frequent does not mean it is not critical). Such gaps are a common reason that recovery plans do not work as expected.

You may never see a black swan, but the chances of your encountering one or more of the above situations are high. By being aware of the dangers and taking reasonable precautions, you can minimize the chances that the event will significantly disrupt your organization.
