
Last week was a very busy week for the ICO – and nothing to do with GDPR….

First came the announcement on 12th June that Yahoo! UK Services Ltd was being fined £250 000 for the massive data breach in 2014 (disclosed in 2016) affecting 500 million users globally.  Specifically, the ICO’s investigation focused on the 500 000 accounts for which Yahoo! UK Services Ltd was the data controller.  The investigation found that Yahoo! UK Services Ltd had failed to take appropriate technical and organisational measures to protect the data; and that it failed to ensure that its data processor, Yahoo! Inc, complied with the appropriate data protection standards.

Then, the very next day, the ICO was asked to comment on the massive Dixons Carphone data breach, announced that day.  Obviously they could say very little at this stage but did point out that “…when the incident happened and when it was discovered…will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”  With the recent huge increase in the level of fines that can be imposed, following the implementation of GDPR, this is a chilling message for the company.

Finally, also on the 13th, the ICO announced a fine of £80 000 for Gloucestershire Police for revealing the identities of child-abuse victims in December 2016.  In an all too common mistake, an officer sent an email to 56 victims, witnesses and lawyers with everybody’s name visible in the “To” field; thus every recipient could see all other recipients.  This is yet another reminder that information security management is primarily about managing people: not technology.
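One technical control that catches the Gloucestershire Police mistake before the message leaves the building is a simple outbound-mail check: count the addresses a recipient would see in the To and Cc headers and, above a policy threshold, rewrite them into Bcc. The following is an added illustration written for this page, not code from the original post or from any organisation it mentions; the threshold of five, the sample addresses and the helper names are all constructed assumptions.

```python
"""Outbound-mail guard for the "everyone in the To field" mistake.

Added illustration (not from the original post): before a bulk message
leaves an organisation, check whether its visible recipient headers
(To/Cc) expose more addresses than a policy threshold, and rewrite it
so the recipients go in Bcc instead. The threshold, sample addresses and
function names are constructed assumptions for this example.
"""
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 5  # assumed policy value, not from the post


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address a recipient would be able to see (To and Cc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def exposes_recipients(msg: EmailMessage, limit: int = MAX_VISIBLE_RECIPIENTS) -> bool:
    """True when sending the message would reveal more recipients than policy allows."""
    return len(visible_recipients(msg)) > limit


def move_recipients_to_bcc(msg: EmailMessage, sender_as_to: str) -> EmailMessage:
    """Rewrite To/Cc into Bcc so recipients cannot see each other.

    The sender's own address is placed in To so the message still has a
    visible addressee; smtplib.send_message() strips the Bcc header before
    handing the message to the SMTP server, so recipients never see it.
    """
    hidden = visible_recipients(msg)
    del msg["To"]
    del msg["Cc"]
    msg["To"] = sender_as_to
    msg["Bcc"] = ", ".join(hidden)
    return msg


def build_sample() -> EmailMessage:
    """Constructed sample: six addresses in To, the same mistake the post describes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["Subject"] = "Court date update"
    msg["To"] = ", ".join(f"recipient{i}@example.org" for i in range(1, 7))
    msg.set_content("Please see the attached update.")
    return msg


if __name__ == "__main__":
    m = build_sample()
    if exposes_recipients(m):
        move_recipients_to_bcc(m, m["From"])
    print("To:", m.get_all("To"))
    print("Bcc:", m.get_all("Bcc"))
```

In a real deployment this check would sit in the mail gateway or a send hook rather than in the sender's hands; the point of the example is that the condition is trivially detectable, which is exactly why incidents like this one are a people and process failure rather than a technology gap.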

Major Outage at hostinguk

Web hosting firm hostinguk suffered a major outage at their St Asaph data centre.  Despite having “diverse fibre paths” to the site, the connection to the site was lost just before 9pm last night.  For many customers, the shock of finding that their website was down was compounded by the fact that they couldn’t contact hostinguk because their phones were not working.

Firstly, credit where credit is due.  Unlike many firms in the midst of an incident, hostinguk communicated well throughout the disruption; the status page on their website was regularly updated with detailed information on the progress of the recovery, and social media posts were responded to promptly.

However, there are two very interesting aspects of this incident.  Firstly, the initial estimate for “full service restoration” was “2-12 hours”; in actual fact, service was restored by way of a temporary fix after 17 hours and the permanent repair took a further four hours.  This is an excellent example of the prevalence of “optimistic overconfidence”: people tend to be overly optimistic about favourable outcomes and discount the probability of less positive scenarios.  This phenomenon is often then exacerbated by “anchoring”: it becomes clear over time that the initial estimates are wrong but people are still “anchored” to them and fail to adjust their estimates sufficiently.

Secondly, we return to the issue of “diverse fibre paths”: what does this actually mean?  The reality is that a single event managed to sever both fibres so I would caution against being too reassured by this statement from your providers.

Business Continuity Awareness Week (BCAW) 2018, with the theme “working together to improve organizational resilience”, ends today.  As usual there has been a busy programme of reports published, webinars hosted and live events around the globe; but what always interests us is the real business continuity stories going on around all this.  For some reason, BCAW usually sees a disproportionate number of incidents (apart from BCAW 2013 which was very quiet) – is this because all the resilience experts are busy attending seminars???  We may never see the likes of BCAW 2017, which kicked off as the WannaCry ransomware saga was still ongoing, again; but this year has nevertheless seen a range of interesting and thought-provoking stories.

Starting on a lighter note (unless you happen to be getting married in the near future), over the weekend 12/13th May users of the John Lewis wedding list service were unable to access the website.  Media reports state that this was because of a failure to renew the domain name, but it is not clear how this issue arose.  Anyway, everything was back up and running by Monday and the company has issued a very public apology.

More seriously though, on Tuesday Musgrave Group announced that it was recalling its “Daewoo” branded electric blankets because of a manufacturing defect which “…may cause the blanket to spark or go on fire.”  The average success rate of electrical product recalls in the UK is only 10-20%: we can only hope that this one is more successful.

As the week progressed we returned to a familiar theme, data breaches, with a particularly serious example.  On Thursday the Information Commissioner’s Office (ICO) announced that the Crown Prosecution Service (CPS) had been fined £325 000 after they lost unencrypted DVDs containing recordings of police interviews.  The DVDs contained recordings of interviews with 15 victims of child sex abuse, to be used at trial.  Further aggravating what was already a very serious breach, the ICO highlighted the fact that this took place despite the CPS having been fined £200 000 in November 2015 for another breach.

Finally, and most disturbingly, were the stories in today’s news of the increased spread of Ebola in the Democratic Republic of Congo.  Hopefully the lessons identified from the devastating 2014-16 outbreak have been taken on board and will be applied to minimise the impact of this latest emergence.

So, just in the space of a week, we have seen examples of four of the most frequent forms of disruption – IT disruption, product quality issues, information security issues and natural disasters.  Clearly the importance of “working together to improve organizational resilience” has never been greater.


Based on information from four of the five recognised accreditation bodies (CREST, IASME, APMG and QG Management Systems), there has been another big increase in the number of organisations achieving certification under the UK Government’s Cyber Essentials and Cyber Essentials Plus schemes.  As of last week 7794 organisations had achieved certification through these four accreditation bodies, a rise of 22% in only three months.

With GDPR coming into force later this month, there has never been a better time to get your information security management in order!  Follow the link for more details of how we can assist you with your information security management.

It often feels like the news is filled with stories of more and more devastating natural disasters around the world.  Even here in the UK, the perception is of an increasing incidence of extreme weather events; but, interestingly, data would suggest that this is not the case.

I recently came across the excellent EM-DAT Emergency Events Database (Université catholique de Louvain (UCL) – CRED, D. Guha-Sapir – www.emdat.be, Brussels, Belgium), from which the figures in the following table are taken.

So the number of severe weather events in the UK, the number of people impacted and the economic damage caused have all actually been less in the last ten years, compared to the previous ten years.  In some cases, these reductions are quite significant.  Without launching into the debate about man-made climate change, the practical message for business continuity managers is that the risk to UK businesses of severe weather events would appear to be stable (or even falling slightly).  Nevertheless, many recent surveys have seen it rise up people’s lists of “top risks”.

This is just one example of how biases in how humans think can impact on our ability to accurately estimate risks.  Fortunately this is not such a problem as you might first think – our free download Business Continuity Planning – Which Threats Should You Consider explains why.


TSB customers are experiencing a fourth day of disruption, following the migration of TSB customer data from Lloyds’ IT systems over the weekend.  The main impact on customers has been the inability to use internet and mobile banking but, more worryingly, there have been numerous reports of spurious transactions and, for a period on Sunday, at least 400 customers had visibility of other people’s data.

The scenario is reminiscent of the trouble at Tesco Bank in June 2011 when they migrated customer data from legacy RBS systems; on that occasion the disruption also lasted for four days.  As in 2011, much of the criticism from customers has focused on the quality of communication; clearly this has not been helped in the case of TSB by boasts from Sabadell, TSB’s owner since 2015, about the success of its IT integration!

It has been reported this week that thousands of Calor Gas customers have experienced delays in receiving their gas supplies; in extreme cases this has led to customers running out of gas for heating, cooking and hot water (although the number of these is not known).  Calor first announced the problem four weeks ago, blaming a combination of a national shortage of liquefied petroleum gas and the severe weather in early March.  This resulted in a “perfect storm” where increased demand coincided with reduced supply, compounded by the problems of actually delivering to isolated rural communities.

Obviously one can debate how foreseeable such an incident was, and whether Calor could have prepared better for such an eventuality by addressing their supply chain resilience.  However, the angry response from customers on social media has focused on a lack of communication, in particular a lack of clarity on when they will receive gas supplies.  Once again, the problem seems to lie as much with crisis communications as with the crisis response itself.

Our blog could sometimes be accused of being a little UK-centric so, in an attempt to redress any imbalance, we thought we would take a little look at some data from the US!

For some years now, Stericycle have produced detailed quarterly reports on product recalls in the US.  Aggregating data from these reports over the last five years yields the following graph:

The (mostly) reassuring message from the graph seems to be that, just like in the UK, the numbers go up and down from year to year but there is no meaningful trend.  Whilst it would be foolhardy to read too much into the slight downward slope; there is certainly nothing to suggest a significant growth in recalls over recent years.  Nevertheless the scale of some of these recalls, particularly some of the recent high-profile automotive recalls, serves as a powerful reminder of the need to plan, train and exercise for these scenarios.

There have been widespread reports of the huge fire that broke out at Ray Mill in Stalybridge, Greater Manchester on Saturday night.  At its height, five storeys of the mill were on fire and over 50 firefighters were battling to contain the blaze.  Miraculously there are no reports of any injuries.

Thanks to the efforts of the emergency services, life for much of the local community is now returning to normal, although there are still road closures in place around the mill.  However, the Manchester Evening News reports that “It is believed several dozen businesses and other organisations were based in the mill”: it will clearly not be a normal week in the office for any of these.  At the very least organisations who were based in the mill will need temporary work space for a period of time; but some may have suffered much more severe impacts, with one business owner quoted in the paper saying he has lost millions of pounds worth of stock.  The effects may also spread wider than those organisations based in the mill, with potential knock-on effects on both their customers and suppliers.

Ironically, smaller organisations like these, who are most vulnerable to disruption, are also least likely to have undertaken any business continuity planning.  Business continuity for small businesses need not be expensive or time-consuming, as this case study shows, and can be the difference between survival and failure in situations like these.

In the week that the publication of “Lessons Learned Review of the WannaCry Ransomware Cyber Attack” concluded that the impact on the NHS of last May’s attack was preventable, there is some good news on the cyber security front….

The number of organisations achieving certification under the UK Government’s Cyber Essentials and Cyber Essentials Plus schemes has continued to grow significantly.  Based on information from the four recognised accreditation bodies (CREST, IASME, APMG and QG Management Systems), as of this week 6394 organisations had achieved certification, up from 4574 six months ago (a rise of 40%).  A glance at the list of names suggests that all sizes of organisation and sectors of the economy are embracing the scheme.

Clearly though, there are still many organisations who have not recognised the need to improve information security: follow the link to find out how we can help your organisation.