Halloween Edition: True Stories of BCM Horror

Richard Long

The approach of Halloween reminds us that business continuity management has its spooky side. In today’s post, I’ll share some true stories of BCM horror related to common business continuity threats, and identify the BCM equivalents of such classic movie monsters as Dracula, the Mummy, and the Werewolf.

The Spooky Side of BCM

My daughter has been holding a Halloween movie marathon by watching a different scary movie each day through the month of October. So far, she has watched Psycho, Hocus Pocus, and the Rocky Horror Picture Show, among others.

The virtual presence in our house of so many ghosts and goblins got me thinking about the spooky side of business continuity.

This wasn’t exactly a stretch since BCM by its nature is about evil things in the world that sometimes lunge at our organizations from out of the dark.

Eventually my thoughts, like a cloud of bats dividing into two groups and entering two separate caves, divided themselves into two groups: a collection of true stories of BCM horror and a list of classic BCM monsters.

Lessons From the Dark Side

Of course, it’s fun to think in terms of scary stories and monsters, but these lists do have an underlying value in terms of helping us improve as BCM professionals and learn more about business continuity threats. Think of them as lessons from the dark side.

The scary stories are things that really did happen to clients of mine. The same problems or ones like them could happen at your organization, so beware.

The BCM monsters are the classic BCM dangers which, even if we haven’t thought about them in a while because of the COVID-19 pandemic, are still out there and remain a menace.

True Stories of BCM Horror

The following is a collection of real-life stories of BCM horror—things that really did happen to clients of mine (or companies I know of). In each case, the same thing or something similar could happen to your organization. Read on if you dare.

  • Once upon a time, an employee at a company made a careless mistake when making changes to some of the settings on a firewall and router. Within a few minutes the staff noticed an unusual spike in traffic from an antagonistic nation overseas. The spike turned out to be automated bots crawling all over the system looking for vulnerabilities.
  • Once there was a small sign manufacturing company that believed it was too small to attract the attention of cyber criminals. One day an employee fell prey to a phishing campaign. As a result, the company was struck by a ransomware attack and its accounting system went down.
  • There was once a company with a hardened data center that enjoyed complete redundancy in terms of power and was thought to be completely hurricane proof. One day, there was an ominous rumble and an external wall in the DC slid inward on the bottom and knocked over a rack of equipment. This rack knocked over many others, creating a spectacular and expensive domino effect. The wall had been undermined by a break in a community water main.
  • During the stormy weather prior to hurricane landfall, the staff of a company went home to prepare their homes while continuing company preparations. The team implementing the incident management plan reconvened online via a conference call. Then the storm intensified, the waters in low-lying areas began to rise, and the team members living in those areas began to drop off the call to deal with their own emergencies. Soon there were significantly fewer people available to continue to manage the preparations, increasing the risk to the company.
  • Once upon a time, some people were visiting a data center. One of the visitors leaned against a wall and inadvertently pushed a button that caused the entire DC to crash. (The button lacked a safety cover.)
  • At another data center, a visitor on a tour accidentally pulled a fire alarm. The halon-based fire-suppression system was discharged, causing a system outage along with potential risk to the people there, since halon is harmful to humans.
  • There once was a company employee who rented a car on a business trip, bringing along in the vehicle a removable storage device containing the personal private information of many people, including their financial data. After the trip, the employee couldn’t find the storage device and realized it had been left in the rental car. The rental car company was unable to find the device, and the organization had to report the loss of this confidential information.

Are these stories as improbable as those of any horror movie scenario? Maybe so, but they really did happen, and something like them could happen at your organization.

Classic BCM Monsters

Just as the horror movie genre has its classic monsters—Frankenstein’s monster, the Creature from the Black Lagoon, and all the rest—BCM has its classic monsters. These are the dangers that are always lurking out there, even though many BCM professionals have lost sight of them in recent months, mostly because they’ve been preoccupied with the COVID-19 pandemic. The novel coronavirus is definitely a monster, but it’s not the only evil creature out there we have to worry about.

As a reminder, here are the classic monsters of BCM—the dangers that are always out there, that you should always be on guard against and prepared for:

  • Workplace violence
  • Cyberattack
  • Human error
  • Civil unrest
  • Loss of third-party vendor or service provider
  • Mismanagement or scandal

For more on these “classic BCM monsters,” see these recent posts on common BCM threats: “8 Bad Things: The Most Common Business Continuity Threats” and “BC’s Big Four: The Most Disruptive Problems in Business Continuity.”

Garlic Not Required

In the weeks leading up to Halloween, my daughter and many other people find it fun to look at scary movies. For BCM professionals, this is a good time to think about the spooky things that can happen to our organizations and the monsters that are out there threatening our companies all year long. To ensure that our organizations remain safe and can continue to function no matter what, garlic necklaces and wooden stakes are not necessary. All you need is to be vigilant and prepared and to devise and implement sound business continuity recovery plans and testing programs.

About
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.