Practical, Cost Effective and award-winning

Business Continuity, Crisis Management & Information Security Solutions

Phone:

0800 035 1231 (Mon to Fri 9am – 5pm)

36B Market Street, New Mills

Derbyshire, SK22 4AA, United Kingdom

Clearly the news from China over the last few days of the emergence and spread of Coronavirus has been very worrying.  The news today that patients in Scotland are being tested for Coronavirus makes the threat all the more stark.  Reliable data on infection rates and on the severity of the disease are impossible to come by at this early stage.  We therefore thought it might be instructive to look back at how the swine ‘flu pandemic played out in 2009 and draw lessons from that.

The swine ‘flu story broke in the UK in late April 2009 with the news of a serious outbreak of disease in Mexico and confirmation from the World Health Organisation (WHO) that this was a new strain of ‘flu.  By 1st May swine ‘flu was confirmed to have reached 12 countries on 3 different continents and the first death outside Mexico had been reported.  The WHO raised its alert level to Phase 5, signalling that a pandemic was imminent.

In early June the WHO declared a global ‘flu pandemic, due to the rapid increase in cases in the UK, Australia, Japan and Chile.  At this stage there were estimated to be 30 000 cases worldwide, with around 800 cases in the UK.  Perhaps most worryingly, the number of cases in the UK was doubling each week, and continued to do so into July.

Until then we had still been working on planning assumptions prepared in 2007 in expectation of avian ‘flu.  Then, on 16th July, the UK Department of Health issued new planning assumptions, based on analysis and modelling of the most up to date data from the UK and abroad.  The news was generally positive: in particular the estimated case-fatality rate was revised down to 0.1–0.35%.  However, the model still predicted that roughly 30% of the population would become ill at some stage.

As we now know, the pandemic did not pan out like that: the “first wave” of infections was peaking just as the guidance was issued, and the much-feared “second wave” was somewhat less intense.  The estimated total number of cases in England by the end of 2009 was between 500 000 and 1.5 million.  So the striking lesson from 2009 is that, even as more data on Coronavirus becomes available in the next few weeks, any epidemiological projections need to be treated with caution.

Even in the absence of accurate predictions about the progress of the disease, we can still apply some sound general principles to planning for potential business disruption; these include:

  • Identify any staffing bottlenecks and address as appropriate (eg by documenting procedures, cross-training staff and succession planning);
  • Be realistic about your capacity for homeworking: how will this limited capacity be prioritised?
  • Be prepared for schools and other public services shutting down to prevent the spread of disease; and
  • Review vulnerabilities in the supply chain and discuss contingencies with key suppliers.

Even if the current threat fails to materialise in the UK, time spent now on updating, testing and exercising contingency plans will not be wasted.


GDPR Fines Starting to Bite

A report published recently by DLA Piper looks at the impact of GDPR, 18 months on from coming into force across the EU.  So far 160 000 breaches have been reported, including:

  • 40 000 in the Netherlands;
  • 37 000 in Germany; and
  • 22 000 in the UK.

The report states that the fines imposed to date total about £100m, with the largest penalty so far being the €50m fine imposed on Google by the French authorities.  However, the UK Information Commissioner’s Office has already announced its intention to fine BA £183m and Marriott Hotels £99m, so these figures are clearly going to rise in years to come.  Moreover, fines may be only a small fraction of the total cost to a company of a data breach: the IBM/Ponemon Institute 2018 Cost of a Data Breach Study found that the largest component of the average $3.86m cost of a data breach was lost business ($1.45m).

Meanwhile Doorstep Dispensaree Ltd, a London pharmacy, became in December the first UK company to be fined under the General Data Protection Regulation.  The company was fined £275 000 for its “cavalier attitude to data protection” in regard to the disposal of records about vulnerable care home residents.  According to reports, approximately 500 000 documents, including patient names, dates of birth, NHS numbers, medical information and prescriptions, were left at the back of the premises.

Visit the Information Security section of our website to see how we can help you to meet your obligations under GDPR.

There is a strong sense of “situation no change” as the 2020s began with three high-profile IT problems in the UK Financial Services Sector.

Firstly, the on-line banking services and mobile apps for Lloyds, Halifax and Bank of Scotland (all part of the Lloyds Banking Group) were all disrupted on New Year’s Day.  The disruption is believed to have begun around 04:00 and was resolved by midday.

Then, on 2nd January, Travelex announced that it had taken down its UK website following the discovery of a “software virus” infection on New Year’s Eve.  This had a knock-on effect on a number of major banks that rely on Travelex for foreign currency services, including Tesco Bank, HSBC and Virgin Money.  Once again, this incident highlights the importance of managing continuity in your supply chain.  At the time of writing (6th January) the Travelex UK website still carries the message “Our online, foreign currency purchasing service is temporarily unavailable due to planned maintenance. The system will be back online shortly.”

Meanwhile, on 3rd January, stories began circulating about problems at Yorkshire and Clydesdale Banks (both part of the same group).  It emerged that payments, including salaries, that people had been expecting had not appeared in their accounts.  The company was reasonably prompt in acknowledging that there was a problem, and assured customers that any charges incurred would be refunded.  However, as in previous banking disruptions, there has been criticism of the company’s crisis communications: the bank stopped replying publicly to customer questions on Twitter in the midst of the disruption, and customers have complained about long waits to speak to anybody by phone.

We have blogged repeatedly (most recently in June 2019) about the problems that Whirlpool has experienced with their long-running recall of tumble dryers.  Now, unbelievably, they have announced a recall of half a million washing machines and within the first 24 hours there have been “technical problems” with the recall website.  Unsurprisingly this has driven thousands of people to try to contact the company by phone causing further issues.

So often we see instances like this where an incident that is already challenging for an organisation to manage is made considerably worse by poor crisis communications.  Way back in 2011 we blogged about the communications problems that NI Water experienced during the loss of water supply to thousands of homes.  Fast forward eight years and it appears that nothing has changed: only last month we blogged about the problems that customers had experienced in getting in touch with the bank during the IT disruptions at TSB, which followed the publication of the report into TSB’s April 2018 failure.

It doesn’t have to be this way!  When supply chain issues closed nearly all of KFC’s 900 UK outlets in February 2018, a highly effective communication response took the sting out of what could have been an extremely embarrassing incident for the company.  Understandably, much of the focus in reporting of the incident has been on the humorous “FCK” campaign, delivered through everything from social media to newspaper adverts.  However, the company also deserves praise for good practical communications planning, as evidenced by their ability to handle six months’ worth of media enquiries in one week.

Good crisis communications cannot, on its own, solve a crisis; but poor crisis communications can certainly make it a lot worse!

The Business Continuity Institute (BCI) published their latest Supply Chain Resilience Report earlier this month.  Now in its eleventh year, the 2019 report very much confirms the patterns seen in previous years:

  • Excluding organisations who were not sure whether they had experienced a disruption(!), 67% of respondent organisations experienced one or more supply chain disruptions in the last 12 months, exactly the same as in 2018;
  • Financial losses were broadly similar to previous years, with 54% of respondents reporting cumulative losses of under €50 000 but a significant proportion (13%) reporting losses over €1m; and
  • Roughly 50% of disruptions occurred amongst Tier 1 suppliers.

There does appear to be one encouraging trend, though: only 43% of respondents reported having no insurance cover for the financial losses from these supply chain disruptions, down from 47% in 2018, 51% in 2017 and 57% in 2016.

It is also interesting to look at the causes of disruption in the supply chain, with the top 5 from 2018 appearing again in exactly the same order:

  • Unplanned IT/telecoms outage (44%);
  • Adverse weather (35%);
  • Cyber attack/data breach (26%);
  • Loss of talent/skills (21%); and
  • Transport network disruption (16%).

The persistence of these top 5 causes gives a clear focus for the areas to concentrate on when assessing key suppliers’ resilience: in particular, a supplier’s IT/telecoms resilience and its cyber security arrangements between them account for the first and third most common causes.

More IT Problems at TSB

You couldn’t make it up: only days after the publication of a highly critical report into its massive IT failure of April 2018, TSB experienced further IT problems last week.  Customers started noticing delays to payments arriving in their accounts on Thursday.  TSB attributed the delays to a “processing error”, and advised that this had been remedied by early on Friday.  There are also unconfirmed reports of wider disruption to internet banking and the TSB mobile app.

As we have blogged repeatedly before, all large banks suffer periodic IT disruptions: given the complexity of their operations it would be somewhat surprising if they didn’t.  Therefore, as well as minimising the technical risk of a disruption, banks must plan, train and exercise for dealing with disruptions as and when they occur.  The most concerning point in the media reports of this recent incident is the difficulty customers apparently had in getting in touch with the bank when they experienced problems.  This issue was specifically highlighted in the recent report into last year’s IT failure, but last week’s events provide no evidence that any action has been taken to address it.

Follow the link for more information on crisis communication planning.

My attention was captured yesterday by an interview on the Radio 4 Today Programme with the CEO of National Grid.  In the course of explaining the background to the widespread power outages last Friday, he first described the almost simultaneous loss of two generators of this scale as “rare, unique” and later as “pretty unique”.  However, he also stated that it had occurred once before during his 28-year career at National Grid!

Even a naive analysis of 2 occurrences in 28 years (2/28, or roughly 7% a year) would suggest an annual probability between 5 and 10%, which would place it in the “Possible” category according to the UK Government’s guidance for likelihood scoring in Community Risk Registers.  A more sophisticated analysis, allowing for the uncertainty in such a small count, would indicate that you could not rule out an underlying probability greater than 10%, which equates to a likelihood rating of “Probable”.  Whichever way you look at it, it’s not “Rare” (0.01–0.1%); and the UK Government guidance does not even attempt to quantify “unique”.
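To make the “more sophisticated analysis” concrete, the following is an added worked example (not part of the original post) that treats the two events in 28 years as observations from a Poisson process and computes exact one-sided 95% bounds on the underlying annual rate, then maps the results onto the only band thresholds the post quotes (“rare” 0.01–0.1%, “possible” covering 5–10%, “probable” above 10%).  The Poisson model, the 95% confidence level and the treatment of any other probability as an unquoted band are assumptions of the example, not statements from the guidance.

```python
import math

# Constructed input: the two events in 28 years mentioned in the interview.
EVENTS, YEARS = 2, 28


def naive_annual_probability(events, years):
    """Point estimate, events per year, read as an annual probability (as the post does)."""
    return events / years


def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu); summed directly, which is fine for small k."""
    return sum(math.exp(-mu) * mu ** i / math.factorial(i) for i in range(k + 1))


def _solve_mu(k, target, iters=200):
    """Return mu such that P(X <= k | mu) == target.

    poisson_cdf is strictly decreasing in mu, so a bisection on [0, 1000] converges.
    """
    lo, hi = 0.0, 1000.0
    for _ in range(iters):
        mid = (lo + hi) / 2
        if poisson_cdf(k, mid) > target:
            lo = mid
        else:
            hi = mid
    return hi


def rate_bounds(events, years, confidence=0.95):
    """Exact one-sided bounds on the underlying annual rate (events/year).

    Assumes events arrive as a Poisson process (an assumption of this example).
    Upper bound: the largest rate for which seeing <= `events` is still plausible,
    i.e. P(X <= events | mu_upper) == 1 - confidence.
    Lower bound: the smallest rate for which seeing >= `events` is still plausible,
    i.e. P(X <= events - 1 | mu_lower) == confidence (zero if nothing was observed).
    """
    alpha = 1 - confidence
    mu_upper = _solve_mu(events, alpha)
    mu_lower = _solve_mu(events - 1, confidence) if events > 0 else 0.0
    return mu_lower / years, mu_upper / years


def annual_probability(rate):
    """Probability of at least one event in a year given a Poisson rate."""
    return 1 - math.exp(-rate)


def likelihood_band(p):
    """Map an annual probability to the bands quoted in the post.

    Only the thresholds the post actually states are encoded; any other value is
    reported as unquoted rather than guessed from memory of the guidance.
    """
    if 0.0001 <= p < 0.001:
        return "rare"
    if 0.05 <= p < 0.10:
        return "possible"
    if p >= 0.10:
        return "probable"
    return "band not quoted in the post"


if __name__ == "__main__":
    p_hat = naive_annual_probability(EVENTS, YEARS)
    lo, hi = rate_bounds(EVENTS, YEARS)
    print(f"point estimate: {p_hat:.1%} -> {likelihood_band(p_hat)}")
    print(f"95% one-sided bounds on the rate: {lo:.3f} .. {hi:.3f} events/year")
    p_hi = annual_probability(hi)
    print(f"upper bound as annual probability: {p_hi:.1%} -> {likelihood_band(p_hi)}")
```

With the post’s figures the point estimate is about 7% (“possible”), but the 95% upper bound on the rate is roughly 0.22 events per year, an annual probability of around 20%, which lands squarely in “probable”.  The same calculation with zero observed events in 28 years still gives an upper bound just above 10%: a short, event-free history is weak evidence that something is “rare”.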

Whilst the above discussion may seem pedantic and theoretical, the language used to talk about probability does have real consequences for how we manage risk.  Labelling last week’s scenario as “pretty unique” appears to have resulted in a situation where, although there was a contingency plan to shed load to preserve the integrity of the grid (and this appears to have worked well), there was no accompanying communications plan to inform affected customers and the general public what was going on in a timely fashion.

Go to our Downloads section for more guidance on crisis communications.

The Information Commissioner’s Office (ICO) has today issued a notice of its intention to fine British Airways £183.39M for infringements of GDPR.  The proposed record-breaking fine relates to a well-publicised cyber incident in 2018, in which user traffic to the British Airways website was diverted to a fraudulent site.  Personal data of approximately 500,000 customers were affected by the incident: the ICO’s investigation found that a variety of information was compromised by poor security arrangements at the company, including log-in, payment card and travel booking details as well as name and address information.  Although the headline figure is eye-watering, it still represents only a fraction of the maximum penalty of 4% of global annual turnover allowable under GDPR.

Meanwhile, we reported recently on the ransomware attack on Eurofins Forensic Services at the start of June, which not only had devastating consequences for the firm itself but has also impacted on the UK criminal justice system.  The company, which handles 50% of police forensic work in the UK, now reports that operations are returning to normal.  However, the BBC and other media are reporting that the company paid a ransom to restore access to its data.  Needless to say, Eurofins was not prepared to comment on this.  Interestingly, a recent report by Forrester Research found that many firms are paying ransoms; indeed it states that paying a ransom can ‘be a valid recovery option based on business need and circumstances’!

According to a recent report by Forrester Research, ransomware attacks on businesses are up 500% on last year!  The report also states that many firms have felt obliged to pay ransoms, as attackers have become more sophisticated in targeting backups (so that a victim cannot simply restore); indeed it states that paying a ransom can ‘be a valid recovery option based on business need and circumstances’.  This is clearly at odds with official guidance, which still advises against paying ransoms or otherwise dealing with the criminals.  Anyway, two recent high-profile ransomware incidents illustrate the potentially devastating impact of an attack.

Aluminium manufacturer Norsk Hydro was hit by a ransomware attack in March which paralysed 22 000 computers across its 170 sites globally.  Production had to be temporarily halted in some business units, whilst others were able to continue, but only by operating manually.  The company estimated that the attack had cost up to $52m in the first quarter of the year, but had to postpone the formal announcement of its results by several weeks as it was still restoring its accounting systems.  More recent reports on the BBC suggest that the cost has now reached $57m.  Fortunately though, with revenues of around $10bn annually and a cyber insurance policy in place, the company should live to fight another day.

The attack on Eurofins Forensic Services at the start of June has not only had devastating consequences for the firm itself but has also impacted on the UK criminal justice system.  Eurofins Forensic Services carries out a range of DNA testing, toxicology analysis, firearms testing and computer forensics services for police forces across the UK.  Late last week the National Police Chiefs’ Council took the decision to temporarily suspend all submissions to Eurofins, but it is unclear whether other providers have the spare capacity to pick up its 50% share of the market.  If not, there could be significant delays to criminal trials over the coming months.

Visit the Information Security section of our website to find out more about how we can help you to secure your data.

The last two weeks have seen two very important product recalls (back) in the news…

We last blogged about the Whirlpool tumble dryer recall back in June 2016.  At that stage the recall had already been going on for more than 6 months, and the company was receiving much criticism for the length of time it was taking to carry out repairs to affected products.  We never dreamt that 3 years on the recall would still be hitting the headlines!  However, Whirlpool was back in the news last week, when the government announced that it believed up to 500 000 of the faulty dryers may still be in use in the UK.  The government also estimated that the fault has caused 750 fires over an 11-year period!

Meanwhile, just days earlier we received the shocking news that two patients had died in hospital after contracting listeriosis, believed to have been caused by listeria in pre-packed sandwiches.  According to Public Health England, the sandwiches were supplied by The Good Food Chain, which had in turn been supplied with meat produced by North Country Cooked Meats; that meat subsequently tested positive for the outbreak strain of listeria.  As of today, eight hospitals have reported a total of nine cases, with five fatalities.

These two incidents perhaps represent extreme examples of the differing challenges of a product recall in different sectors.  Recalls of consumer goods are notoriously difficult, given the problem of tracing who owns affected products.  In fact, if Whirlpool has traced all but 10% of the dryers sold it has done extraordinarily well, although that must be set against the time taken and the massive publicity the problem has received.  The government’s Office for Product Safety and Standards (OPSS) is urging Whirlpool to “reach consumers in more creative ways”, but it is unclear how much more can be achieved at this late stage.  Really the challenge for all firms in the sector is to build traceability into the distribution of consumer goods in the first place: maybe there is a cunning technological solution?

By contrast, we know exactly where the affected sandwiches have gone: the BBC website lists 43 NHS Trusts, all of which have withdrawn products from The Good Food Chain.  The problem here is the speed with which the contamination harms people, which requires information to be shared throughout the supply chain at lightning speed.

Clearly, then, your product recall strategy needs to be tailored to your industry sector and, as with any other contingency plan, needs to be thoroughly exercised and supported by appropriate crisis communications.