
Twitter experienced a major outage last night, with tens of thousands of users around the world unable to use the platform for over an hour. The issue appears to have been resolved now, and Twitter have stressed that there is no evidence of a security breach, attributing the outage to an “inadvertent change” to their systems.

Whilst not a huge incident in its own right, it is a timely reminder of the vulnerability of cloud-based apps. There is a widespread perception that the hosting of these services is so resilient that they do not experience outages. However, an analysis of public announcements about outages in popular internet services over the period 2009 to 2015 shows otherwise. The services studied included:

  • eBay
  • Gmail
  • Hotmail
  • Netflix
  • Twitter; and
  • YouTube

Gunawi et al. (2016) found a total of 597 unplanned outages across the 32 services that they studied, i.e. almost 3 outages per year for each service. Only 7 of the 32 services achieved 99.9% uptime, and 2 didn’t even achieve 99% uptime. It would appear then that the idea of “five-nines uptime” (less than 5 minutes of downtime per year) is still some way off! It must also be remembered that this only includes outages that were reported in the media.

Awareness of the reliability of the cloud is of increasing importance as organisations move towards cloud-based hosting of their critical corporate systems.  Whilst it obviates the need for traditional IT DR planning, moving to the cloud certainly does not guarantee 100% uptime.

According to the latest figures from the International Standards Organisation (ISO), covering the period up to the end of 2019, there have been significant increases in the number of certifications to ISO 22301 and ISO 27001 globally:

  • ISO 22301 “Valid Certificates” rose 12% to 1,690; and
  • ISO 27001 “Valid Certificates” rose 14% to 36,360.

Unfortunately no direct comparison is possible with earlier years as the basis of the survey was changed in 2018.

The UK and India remained the most popular countries for ISO 22301 (305 and 142 certificates respectively), and the top three was completed this year by South Korea with 118 certificates. Meanwhile the top three countries for ISO 27001 were unchanged from last year:

  • China – 8,360 certificates (up 16%);
  • Japan – 5,250 certificates (up 3%); and
  • UK – 2,800 certificates (up 15%).

Whilst any increase in the uptake of these standards is encouraging, the number of ISO 22301 certificates still remains very low. It will be interesting to see what effect the Covid-19 pandemic has had on 22301 certifications when the ISO survey is published next year. Will the experience of this crisis have persuaded more organisations of the need to conduct business continuity management in a formal, systematic way, or will the cost and distraction of Covid-19 lead to a significant reduction in certifications? It will also be fascinating to see if any evidence emerges that certified organisations have fared better than their peers in these very challenging times.

Follow the links for more details of ISO 22301 and ISO 27001 and how we can assist you in achieving certification.

Donald Trump has been roundly criticised for his most recent comments downplaying the severity of Covid-19. It appears that he has inferred from the fact that he appears to have had a mild form of the disease (although he is not out of the woods yet) that all Covid-19 infections are mild and there is really nothing to worry about. Whilst the swagger and bombast are pure Trump, this growth in confidence following near misses and minor incidents is actually very widespread.

Somebody may have spotted it previously but, as far as I am aware, the first widespread discussion of this phenomenon was in Diane Vaughan’s analysis of the Challenger Space Shuttle disaster.  Speaking to technical staff at NASA following the crash, she made the peculiar finding that the more aware engineers were of previous near misses with the solid-fuel boosters on the space shuttle, the more confident they were in the safety of the spacecraft!

In the intervening years, many similar examples have emerged. I particularly remember the experience of discussing business continuity with organisations in London in the months following the 7 July bombings in 2005. Where one might have expected them to have been more concerned with protecting their organisations following the attack, many, perhaps the majority, took the opposite view that they had ‘survived’ a major terrorist incident so they were clearly well prepared. Looking ahead to the end of the Covid-19 pandemic, whenever that may be, will firms have a renewed focus on resilience or will they take the survival of their business as evidence that they are resilient enough already?

As we said in yesterday’s blog about High Reliability Organisations, it is important to view every near miss and minor incident as a warning of potentially more serious problems and a valuable learning opportunity.

Twenty-one years ago today, 31 people died and over 250 were injured when two trains collided at Ladbroke Grove. First and foremost our thoughts are with the many people who are still affected by the accident years later.

As well as being one of the worst train crashes in Britain over the last few decades, the tragedy came to symbolise systemic flaws in the running of the UK rail network.  In particular, concerns were focused on Railtrack, who were at the time responsible for the UK rail infrastructure.  Only two years earlier (and two miles away) seven people had died in a crash at Southall; and the Hatfield and Potters Bar crashes followed shortly afterwards.

The Cullen Inquiry found that many factors contributed to the Ladbroke Grove disaster, but principally highlighted:

  • A lack of driver training; and
  • A failure to act following numerous previous safety incidents at the signal where the crash occurred.

This failure to respond appropriately to previous incidents and near misses has been observed in many other disasters, from the loss of the Challenger Space Shuttle to the TalkTalk data breach of 2015.  In fact, based on decades of observing how organisations in high-risk industries operate safely, Weick and Sutcliffe propose “Preoccupation with Failure” as the first of their five principles of “High Reliability Organisations” (HROs).

It was also widely reported following Ladbroke Grove that the culture within Railtrack accorded little weight to the views of engineers; and that the engineering function was not adequately resourced.  This chimes with much of the commentary following the Deepwater Horizon explosion, about the hollowing out of BP’s engineering capability over a period of years preceding the incident.  This point is also addressed in two of Weick and Sutcliffe’s principles of HROs: “Sensitivity to Operations” and “Deference to Expertise”.

The lasting legacy of Ladbroke Grove is the much safer rail network that we now enjoy. Sadly, though, the broader lessons from researchers like Weick and Sutcliffe have not yet been universally adopted, as evidenced day by day in the Grenfell Tower inquiry.

Cyber Threat to UK Universities

The National Cyber Security Centre has issued a specific alert to higher education institutions after a recent spike in attacks.  In particular, both Northumbria and Newcastle Universities have come under attack in the last few weeks.  These attacks come at the most critical time in the academic year, as universities recruit new students and prepare to welcome people back on campus.

Northumbria University first became aware of a “cyber incident” on 28th August, although this was only made public on the 31st.  There was an immediate impact on students with the student portal and on-line learning systems being unavailable.  Critically, the incident also caused disruption to exams and to a clearing hotline.  As of 10th September the university reported that the on-line learning system was available again but other key systems such as accommodation and timetabling were still impacted.  An update yesterday advised that most systems were now up and running but there were still intermittent issues with, for example, the website.

Only two days later, neighbouring Newcastle University also became aware of widespread IT problems. It has since been confirmed that this was a ransomware attack, with a sample of files posted on-line. Once again disruption was very widespread, although Office 365 and the Virtual Learning Environment remained available. An update on 3rd September advised that recovery of systems would most probably not begin for at least another week, and a further update on the 4th reported that SAP had been restored but that “The nature of the problem means this will be an on-going situation for some time and it will take several weeks to address.” Few further details have been announced since then, with the last holding statement, issued on 14th September, simply stating that investigations are ongoing.

Clearly these attacks could not have come at a worse time for universities already struggling to deal with the effects of the Covid-19 pandemic.  You may also be interested in our recent blog posts about UK universities being impacted by a cyber attack on Blackbaud and the University of California, San Francisco responding to a ransomware attack.

We have studiously refrained from giving a running commentary on the Covid-19 crisis in our blog, but I was intrigued to hear the Archbishop of Canterbury’s comments reported this morning on the need to delegate elements of the crisis response to a local level.  This struck a particular chord because I used to use the following quote about delegation from another religious leader, Pope Pius XI, in crisis management training courses:

“It is an injustice and at the same time a great evil and disturbance of right order to assign to a greater and higher association what lesser and subordinate organisations can do.”

If the Archbishop and the Pope agree that delegation is important then that is proof enough for me! This also raises the question of what other insights into crisis management we might gain if we sought the advice of our religious leaders.

This is certainly not a new book (the most recent edition came out in 2018), but I only recently became aware of its existence and relevance to risk and crisis management.  Richards Heuer enjoyed a distinguished career in the CIA and wrote the book primarily for his fellow intelligence professionals (and consumers of intelligence such as politicians).  However, the central focus on making sense of complex and confusing situations, where the impact of mistakes is very high, has obvious relevance to the fields of risk and crisis management.

Heuer approaches a broad sweep of psychology, as it relates to intelligence analysis, beginning with three chapters on our “Mental Machinery”. Of particular interest is his discussion of how we store and retrieve memories. This provides the foundation for the core of the book, “Tools for Thinking”. These tools include various strategies for generating hypotheses, on the basis of limited information, and choosing amongst competing hypotheses. As regards the latter, he repeatedly emphasises the need to focus on seeking evidence that enables you to reject a hypothesis, rather than looking for confirmation of what you already believe to be true. The section concludes with Heuer’s most significant contribution to practice, a step-by-step process for the “Analysis of Competing Hypotheses”.

The penultimate section of the book, “Cognitive Biases”, arguably repeats some material that is available elsewhere but, once again, Heuer’s practitioner viewpoint illuminates elements that are not routinely highlighted. In particular, his discussion of how initial evidence of uncertain accuracy, even if it is subsequently demonstrated to be false, can still colour our judgement is a useful warning to anybody engaged in crisis management, as are his observations on the attention that we pay to the consistency of evidence. Meanwhile the discussion of our endless search for cause-effect relationships and his analysis of people’s interpretations of verbal descriptions of probability are both very relevant to risk management. The concluding chapter, “Improving Intelligence Analysis”, is perhaps less directly relevant to risk and crisis management, but serves well to wrap up the various themes discussed throughout the book.

A number of prominent UK universities are amongst hundreds of organisations globally whose data has been stolen in a ransomware attack on cloud-computing provider Blackbaud.  Remarkably, it has emerged that Blackbaud was attacked back in May but waited two months to inform its users.  It has also emerged that they paid an undisclosed ransom in return for “confirmation” that the stolen data had been destroyed.  Unsurprisingly, Blackbaud are being widely criticised for both the payment of a ransom to criminals and the delay in informing customers.  Given their poor handling of the incident it is debatable how reassured we can be by the company’s claims that:

  • “The majority of our customers were not part of this incident”; and
  • There is “no reason to believe that the stolen data was or will be misused”.

Universities and charities typically use Blackbaud to manage alumni and donor relations so, in many cases, the personal data stolen is fairly limited.  However there are exceptions; it is reported that the University of York has told its students and alumni that student numbers, addresses, phone and email addresses, details of occupation and employer details were among the data stolen.

Whilst the current focus is on the failings of Blackbaud, there are ongoing wider concerns over information security issues within the higher education sector.  According to a recent survey by Redscan (to which 86 UK institutions responded):

  • Only 54% of university staff had received any information security training; and
  • Over half of universities had reported at least one data breach to the Information Commissioner’s Office (ICO).

This tallies with the UK Government’s Cyber Security Breaches Survey 2020, which found that 80% of Further and Higher Education establishments were aware of a breach or attack. Given the value of the intellectual property, and the quantity of sensitive personal data on staff and students, that universities hold, these figures are very worrying.

The BBC have published a fascinating bird’s-eye view of a ransomware attack at the University of California San Francisco this week. Acting on a tip-off, the BBC were able to follow the on-line ransom negotiations as they happened, culminating in the payment of $1.14m. We can only speculate, but the willingness of the university to deal with criminals suggests that the data that was being ransomed:

  • Had not been properly backed up; and/or
  • Had not been anonymised/encrypted.

Of course, followers of our blog will not be surprised to hear of another organisation paying a ransom: we blogged about this trend back in June. The Hiscox Cyber Readiness Report last year found that one in six firms that were targeted paid a ransom of some sort, and this could very well be an underestimate: another survey by Malwarebytes put the figure at nearly 40%. It has been widely reported that Travelex ended up paying a ransom of $2.3m following the high-profile attack on their systems at the start of the year. Whilst, on the practical side, a survey by Coveware found that 96% of ransom payments were rewarded with a successful decryption tool, there are still profound ethical and reputational issues around paying out to criminals in this way.

Rather than have to make the invidious choice about whether or not to pay a ransom, surely it is better to invest ahead of time in your information security.  Follow the link to find out how we can help you to put a robust information security management system in place for your organisation.

There are many interesting lessons to learn in the unfolding saga at on-line sports retailer Wiggle…

Customers first started raising concerns over two weeks ago about orders being placed on their Wiggle accounts (and payments taken) without their knowledge.  Some people also reported that they had been locked out of their accounts.  The company’s initial response was characterised by a complete failure to engage with customers’ concerns.  As of Monday they have publicly acknowledged that there is a problem, but the tone of their communications is still defensive, focusing on the fact that “Our systems remain secure” and “customers’ login details have been acquired outside of Wiggle’s systems.”

The most likely scenario seems to be that, using personal details stolen elsewhere, fraudsters were able to log in to people’s Wiggle accounts where individuals had re-used login details and passwords from other services.  The fraudsters were then able to place orders and change account details (including login details) on these accounts.  Whilst Wiggle seem to be placing great significance on the fact that the data was not stolen from them, and that there was therefore no data breach, that is of little interest or comfort to affected customers.  Moreover, “credential stuffing attacks” such as these are a notifiable data protection incident in their own right (Wiggle has confirmed that it has reported the incident to the ICO).

Clearly there are important lessons here for all of us as consumers, principally about not re-using login details for multiple sites.  The incident also highlights the challenge for on-line retailers in striking the correct balance between security and convenience: it has surprised many people that the fraudsters were able to order goods to be sent to a new address without having to re-enter any card details. But the primary lesson for all organisations is that information security incidents will continue to occur and that you need to be ready to respond quickly when they do.  Critically, that involves having processes in place for investigating reports of suspicious activity in a timely fashion and for communicating effectively with customers.
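The credential stuffing pattern described above (one source trying many different accounts with stolen passwords, most attempts failing, a few succeeding) leaves a distinctive trace in login telemetry. The following is an added example, not Wiggle’s code: a Python detector run over constructed login log lines, with assumed thresholds, that flags source addresses behaving this way and lists the accounts they got into, so that customer reports of unexpected orders can be triaged promptly.

```python
"""Credential-stuffing detector over constructed web-login log lines.

Added illustration, not from any retailer's systems. Flags a source IP
that attempts logins against many distinct accounts with a low success
rate inside a short window, and lists the accounts it did get into so
they can be locked and their owners contacted.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp ip username result".
# 198.51.100.7 cycles through ten accounts in eight seconds (stuffing);
# the other two addresses are ordinary users.
SAMPLE_LOG = """\
2020-09-01T10:00:01 198.51.100.7 alice FAIL
2020-09-01T10:00:02 198.51.100.7 bob FAIL
2020-09-01T10:00:02 198.51.100.7 carol OK
2020-09-01T10:00:03 198.51.100.7 dave FAIL
2020-09-01T10:00:04 198.51.100.7 erin FAIL
2020-09-01T10:00:05 198.51.100.7 frank OK
2020-09-01T10:00:06 198.51.100.7 grace FAIL
2020-09-01T10:00:07 198.51.100.7 heidi FAIL
2020-09-01T10:00:08 198.51.100.7 ivan FAIL
2020-09-01T10:00:09 198.51.100.7 judy FAIL
2020-09-01T10:05:00 203.0.113.9 alice FAIL
2020-09-01T10:05:10 203.0.113.9 alice OK
2020-09-01T11:00:00 192.0.2.33 bob OK
"""

def parse_log(text):
    """Return a list of (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_success_rate=0.5):
    """Map each flagged IP to (distinct accounts tried, success rate,
    sorted list of accounts successfully logged into) for the sliding
    window in which it touched the most accounts. Thresholds are assumed."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            rate = sum(ok for _, _, ok in win) / len(win)
            if len(users) >= min_accounts and rate <= max_success_rate:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    hit = sorted({u for _, u, ok in win if ok})
                    flagged[ip] = (len(users), rate, hit)
    return flagged
```

Running `find_stuffing_sources(parse_log(SAMPLE_LOG))` flags only 198.51.100.7, with carol and frank as the accounts that were actually accessed and therefore need locking and customer contact.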