Attack of the Black Swans: When Strange Things Happen

Richard Long

Every day, an organization somewhere is impacted by an event that is both very negative and deeply weird—so weird no one ever imagined it could happen. Who knows, tomorrow it might be your organization.

In today’s post, we’ll look at the best recovery planning strategies for helping your organization be prepared for these so-called black swan attacks.

BLACK SWAN ATTACKS: IT CAN HAPPEN TO YOU

Usually, in business continuity (BC) and IT/disaster recovery (IT/DR), we focus on devising recovery plans for events that are highly likely to happen and/or would have a highly negative effect if they did happen.

We also emphasize using our resources in the most efficient manner possible, to make sure we get the most bang for the buck in the use we make of our BC and IT/DR dollars.

That is definitely the correct emphasis for every BC program.

However, it’s still the case that “Stuff Happens,” to paraphrase the bumper sticker. Weird things occur. Crazy stuff goes down. Black swans appear and even attack, at times.

Often in life, we like to assume we are in charge, but sometimes Mother Nature, or Mr. Murphy, gets a kick out of proving us wrong.

Every now and then, an unsinkable ship hits an iceberg—and sinks.

Every day, some organization somewhere gets stung by an event they never could have imagined happening to them.

A FLOCK OF BLACK SWANS

Below are a few examples of fluky negative events from my own experience as a BC consultant. Call it a whole flock of black swans.

  • A colleague made changes to some of the settings on his personal firewall and router. Fifteen minutes after doing so, he noticed a spike in traffic from China. This traffic turned out to be automated bots looking for vulnerabilities in his setup.
  • A friend of mine who owns a small sign manufacturing company used to tell me he believed his company was too small to attract the attention of cyber criminals. One day over lunch he revealed to me that his accounting system was down with a ransomware attack. He was unsure whether the company’s backup could be restored.
  • A company that is a client of mine was very confident over its new hardened data center. The DC had complete redundancy in terms of power, and the structure was hurricane proof. The company contemplated any storms that came through with an easy mind. Surely nothing could happen to that DC. It was ready for anything. Then one day, the people working there heard an ominous rumbling sound. It turned out that an external wall had slid inward on the bottom as the result of a community water main leak and break. The pressure of the water had pushed the wall in. As the wall continued moving inward, it knocked over a rack of equipment which then knocked over other racks, creating a spectacular and expensive domino effect.
  • At another client, the stormy weather preceding a hurricane led to the staff’s going home and a team connecting via a conference call. So far, so good. This was all according to plan. Then people started dropping off of the call and falling out of contact, hampering the effectiveness of the incident management plan. The reason was something unanticipated by the planners. As the neighborhoods and homes of people living in low-lying areas began to flood, those people naturally quit working and shifted to trying to protect their homes and families.
  • At one data center I know of, a visitor leaned against the wall and inadvertently pushed a button, causing the entire DC to crash. The button lacked a safety cover.
  • At another company, someone left digital copies of financial and other sensitive data in a rental car, including many people’s personal, private information. The rental car company could not find the device with the data. The organization had to report the loss of this confidential information.

Those are just a few of the fluky negative events I’m familiar with from first-hand experience.

Another type of event many people are confident they personally will never have to deal with is workplace violence. A sophisticated person might think that even if incidents with active shooters crop up in the news with disturbing regularity, the odds of such an event happening at any one workplace are small. This is true, but workplace violence comes in many types and occurs with regrettable frequency, as the National Safety Council’s 2017 statistics on assault at work make clear.

WHAT TO DO

Given that fluky, negative things do happen in life, and that they can even happen to your company, what should you do in terms of your BC preparations?

As suggested above, first tend to any known gaps in your recovery planning. Also, focus on events that are either highly likely to occur or that would have a high impact if they did occur. Always be aware that the unexpected black swan attack can happen. It does so every day somewhere or other. Remember to plan in terms of impacts (such as facility loss, staff loss, or loss of technology) rather than specific events. Don’t ignore an entire class of event. And never rest everything on the optimistic assumption that this or that bad thing will never happen because you never know.

DON’T BE FEARFUL, JUST BE PREPARED

For most organizations, most days are nice and routine. But every single day brings unexpected craziness to some company somewhere. One day this might include your company.

There’s no need to live in fear of the future, but it is wise to realize anything can happen. Don’t grow complacent. Maintain a flexible, adaptive mindset and be prepared to deal with the major types of impacts (such as facility loss, staff loss, and technology loss) no matter what their specific cause.

FURTHER READING

For more information on recovery planning, black swan attacks, and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:

crisis management exercise examplesdealing with disasters