My attention was captured yesterday by an interview on the Radio 4 Today Programme with the CEO of National Grid. In the course of explaining the background to the widespread power outages last Friday, he first described the almost simultaneous loss of two producers of this scale as “rare, unique” and later as “pretty unique”. However, he also stated that it had occurred once before during his 28-year career at National Grid!
Even a naive analysis of 2 occurrences in 28 years would suggest an annual probability between 5 and 10%, which would place it in the “Possible” category according to the UK Government’s guidance for likelihood scoring in Community Risk Registers. A more sophisticated analysis would indicate that you could not rule out an underlying probability greater than 10%, which equates to a likelihood rating of “probable”. Whichever way you look at it, it’s not “rare” (0.01-0.1%); and the UK Government guidance does not even attempt to quantify “unique”.
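To make the two estimates above concrete, here is a short added calculation (not from the original post) that takes the post's figures, two occurrences in 28 years, models the events as a Poisson process, and derives both the naive annual rate and a one-sided upper confidence bound on the true rate. The 10% threshold for “probable” is the one quoted above; the 95% confidence level is an assumption.

```python
import math


def poisson_cdf(k: int, mu: float) -> float:
    """P(X <= k) for X ~ Poisson(mu), summed directly (no SciPy needed)."""
    return sum(math.exp(-mu) * mu ** i / math.factorial(i) for i in range(k + 1))


def naive_annual_rate(events: int, years: float) -> float:
    """The 'naive analysis': observed events divided by observation period."""
    return events / years


def upper_rate_bound(events: int, years: float, confidence: float = 0.95) -> float:
    """One-sided upper confidence bound on the annual event rate.

    Returns the largest rate at which seeing `events` or fewer in `years`
    still has probability >= (1 - confidence). Found by bisection, since the
    Poisson CDF is strictly decreasing in its mean.
    """
    alpha = 1.0 - confidence
    lo, hi = 0.0, 10.0  # events per year; hi is comfortably above any plausible rate
    while hi - lo > 1e-7:
        mid = (lo + hi) / 2.0
        if poisson_cdf(events, mid * years) > alpha:
            lo = mid  # this rate is still consistent with the data
        else:
            hi = mid
    return (lo + hi) / 2.0


def annual_probability(rate: float) -> float:
    """Probability of at least one event in a year for a Poisson rate."""
    return 1.0 - math.exp(-rate)


def can_rule_out(events: int, years: float, threshold: float, confidence: float = 0.95) -> bool:
    """True only if even the upper confidence bound on the rate sits below `threshold`."""
    return upper_rate_bound(events, years, confidence) < threshold


if __name__ == "__main__":
    # The post's figures: 2 occurrences in a 28-year career.
    naive = naive_annual_rate(2, 28)
    upper = upper_rate_bound(2, 28)
    print(f"naive annual probability: {annual_probability(naive):.1%}")
    print(f"95% upper bound on annual probability: {annual_probability(upper):.1%}")
    # 'Probable' begins at 10% in the guidance quoted above.
    print("can rule out > 10%?", can_rule_out(2, 28, 0.10))
```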
Whilst the above discussion may seem pedantic and theoretical, the language used to talk about probability does have real consequences for how we manage risk. Labelling last week’s scenario as “pretty unique” appears to have resulted in a situation where, although there was a contingency plan to shed load to preserve the integrity of the grid (and this appears to have worked well), there was no accompanying communications plan to inform affected customers and the general public what was going on in a timely fashion.
Go to our Downloads section for more guidance on crisis communications.
The Information Commissioner’s Office (ICO) has today issued a notice of its intention to fine British Airways £183.39M for infringements of GDPR. The proposed record-breaking fine relates to a well-publicised cyber incident in 2018, wherein user traffic to the British Airways website was diverted to a fraudulent site. Personal data of approximately 500,000 customers were affected by the incident: the ICO’s investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details, as well as name and address information. Although the headline figure is eye-watering, it still only represents a fraction of the maximum 4% of global revenue allowable under GDPR.
Meanwhile, we reported recently on the ransomware attack on Eurofins Forensic Services at the start of June, which not only had devastating consequences for the firm itself but has also affected the UK criminal justice system. The company, which handles 50% of police forensic work in the UK, now reports that operations are returning to normal. However, the BBC and other media are reporting that a ransom was paid by the company to restore access to their data. Needless to say, Eurofins was not prepared to comment on this. Interestingly, a recent report by Forrester Research found that many firms are paying ransoms; indeed it states that paying a ransom can ‘be a valid recovery option based on business need and circumstances’!
According to a recent report by Forrester Research, ransomware attacks on businesses are up 500% on last year! The report also states that many firms have felt obliged to pay ransoms, as attackers have become more sophisticated in targeting backups; indeed it states that paying a ransom can ‘be a valid recovery option based on business need and circumstances’. This is clearly at odds with official guidance, which still advises against having any dealings with criminals. Anyway, two recent high-profile ransomware incidents illustrate the potentially devastating impact of an attack.
Aluminium manufacturer Norsk Hydro was hit by a ransomware attack in March which paralysed 22 000 computers across its 170 sites globally. Production had to be temporarily halted in some business units whilst others were able to continue, but only by operating manually. The company estimated that the attack had cost up to $52m in the first quarter of the year, but had to postpone the formal announcement of results by several weeks as it was still restoring its accounts systems. More recent reports on the BBC suggest that the cost has now reached $57m. Fortunately though, with revenues of around $10b annually, and a cyber insurance policy in place, the company should live to fight another day.
The attack on Eurofins Forensic Services at the start of June has not only had devastating consequences for the firm itself but has also affected the UK criminal justice system. Eurofins Forensic Services carries out a range of DNA testing, toxicology analysis, firearms testing and computer forensics services for police forces across the UK. Late last week the National Police Chiefs’ Council took the decision to temporarily suspend all submissions to Eurofins, but it is unclear if other providers have the spare capacity to pick up their 50% share of the market. If not, there could be significant delays to criminal trials over the coming months.
Visit the Information Security section of our website to find out more about how we can help you to secure your data.
The last two weeks have seen two very important product recalls (back) in the news…
We last blogged about the Whirlpool tumble dryer recall back in June 2016. At that stage the recall had already been going on for more than 6 months, and the company was receiving much criticism for the length of time it was taking to carry out repairs to affected products. We never dreamt that 3 years on, the recall would still be hitting the headlines! However, Whirlpool was back in the news last week, when the government announced that it believed that up to 500 000 of the faulty dryers may still be in use in the UK. The government also estimated that the fault has caused 750 fires over an 11-year period!
Meanwhile, just days earlier we received the shocking news that two patients had died in hospital after contracting listeriosis, believed to have been caused by listeria in pre-packed sandwiches. According to Public Health England, the sandwiches were supplied by The Good Food Chain, who had been supplied with meat produced by North Country Cooked Meats, which subsequently produced a positive test result for the outbreak strain of listeria. As of today, eight hospitals have reported a total of nine cases, with five fatalities.
These two incidents perhaps represent extreme examples of the differing challenges a product recall poses in different sectors. Recalls of consumer goods are notoriously difficult, given the problem of tracing who owns affected products. In fact, if Whirlpool has traced all but 10% of the dryers sold, they have done extraordinarily well; although that must be set against the time taken and the massive publicity the problem has received. The government’s Office for Product Safety and Standards (OPSS) is urging Whirlpool to “reach consumers in more creative ways”, but it is unclear how much more can be achieved at this late stage. Really the challenge for all firms in the sector is to build traceability into the distribution of consumer goods in the first place: maybe there is a cunning technological solution?
By contrast, we know exactly where the affected sandwiches have gone: the BBC website lists 43 NHS Trusts, all of whom have withdrawn products from the Good Food Chain. The problem here is the rate at which the contamination affects people, requiring information to be shared throughout the supply chain at lightning speed.
Clearly, then, your product recall strategy needs to be tailored to your industry sector and, as with any other contingency plan, needs to be thoroughly exercised and supported by appropriate crisis communications.
Business Continuity Awareness Week (BCAW) 2019 ends with the news today that Boeing has completed an upgrade to the 737 Max software, following the fatal crashes in Indonesia and Ethiopia. Obviously the most important issue in all of this is the 346 lives that were tragically lost in the two crashes; but the question we consider in this article is what the long-term cost to Boeing itself will be. Sadly, given the relative frequency of fatal air crashes, we have quite a lot of comparative data on the cost to airlines of these events, and this was analysed in detail in a study by Oxford Metrica in 2005.
In the first two days of trading after the Ethiopian Airlines crash on 10th March, Boeing’s share price fell by 11%, representing a loss to shareholders of nearly $27 billion. A negative reaction like this is completely to be expected, although it is somewhat higher than the average immediate loss of share price to airlines following a fatal crash observed in the Oxford Metrica study. Perhaps more significantly, Boeing’s share price has continued a general downward drift ever since, ending trading yesterday down 16% on its pre-crash share price (a loss of $39 billion).
The Oxford Metrica study found that two to three months after a crash the airlines separated out into two groups: those whose share price had already begun to bounce back; and those whose share price continued downwards. By this stage investors have largely reached a settled judgement about the future prospects of the company and, critically, the competence and trustworthiness of the management team. The bad news for Boeing is that if their share price does not start rebounding in the next few weeks, they are likely looking at a significant permanent loss in the value of the company.
Our daily blog series for Business Continuity Awareness Week (BCAW) 2019 continues with an update on information security…
Based on information from four of the five recognised accreditation bodies (CREST, IASME, APMG and QG Management Systems), there has been another big increase in the number of organisations achieving certification under the UK Government’s Cyber Essentials and Cyber Essentials Plus schemes. As of this week, a total of 13 565 organisations were certified through these four accreditation bodies, a rise of 74% since this time last year. As can be seen in the graph below, there is still no evidence of interest in the scheme tailing off.
Follow the link for more details of how we can assist you with your information security management.
We’re still only on the second day of Business Continuity Awareness Week (BCAW) 2019 and we have another important news story…
It was announced yesterday that Cow & Gate are recalling a batch of “Cheesy Broccoli Bake Stage 3 (10+ months) because it may contain small pieces of blue rubber, which makes this product unsafe to eat.” If you are in any way concerned and want to see full details of the recall, these are available on the FSA website.
As usual though, we are primarily interested in the broader issues. We noted in January that there had been a noticeable rise in food product recalls between 2017 and 2018, and there is little sign of a fall-off this year, with 20 recalls already in the first four months of 2019. In particular, there appears to be a growing number of recalls due to contamination with plastic, metal or other foreign objects in the last year or two.
As ever, we would remind everybody working in the food sector to follow best practice guidance (eg from the British Retail Consortium) on product recalls; and to ensure that recall plans dovetail with the wider business continuity management framework, in particular the crisis communications plan.
I don’t know how it happens, but you can usually rely on one or more big news stories during Business Continuity Awareness Week (BCAW); most spectacularly the WannaCry attack on the eve of BCAW 2017. This year, two days into BCAW, we have the announcement of the WhatsApp surveillance attack. Whilst, in some ways, the company appears to have handled the incident well – promptly notifying users and patching the security issue – there are potential problems ahead:
- WhatsApp actively promotes the security of its platform so this could make a significant dent in their brand image;
- WhatsApp have not established how many users have been affected – media reports have generally suggested very small numbers; and
- It’s also not clear (at the time of writing) whether the spyware can reach beyond the confines of WhatsApp.
If it turns out that either the scale of the attack is much greater, or that the reach of the spyware is much broader than initially reported, WhatsApp’s initial communications will be the focus of much scrutiny as people judge whether they sought to deliberately downplay the incident.
It is the first day of Business Continuity Awareness Week (BCAW) 2019 and we would like to start the week by talking about supply chain disruptions.
At the start of the month the Business Continuity Institute (BCI) published a review of their Supply Chain Resilience reports from 2010 through to 2018. Despite the BCI’s headline claim of “fewer supply chain disruptions”, looking at the data I would say it is more a case of “situation no change”. Looking specifically at the number of organisations reporting at least one supply chain disruption over the period 2012 to 2018 (data from 2010 and 2011 is in a slightly different format) and discounting respondents who replied “don’t know”, the picture looks pretty static:
Obviously, it is impossible to tell if last year’s apparent fall is the start of a genuine downward trend. The top three causes of disruption over the whole period are also very familiar: IT/telecoms outages, severe weather and transport network disruptions.
Although less widely reported, the review does find some evidence of potentially important long-term trends. Unsurprisingly, the cost of supply chain disruptions appears to be going up over time. Perhaps more unexpectedly, the number of “key suppliers” that organisations report is gradually falling (although there is no deeper analysis of this apparent trend). Finally, and most importantly, there is evidence of a gradual improvement in how supply chain issues are considered within business continuity management programmes, with more organisations looking for suppliers to align with recognised good practice guidance and also an increase in the use of joint exercises to assess the effectiveness of suppliers’ arrangements.
We will be blogging away on business continuity stories all week; follow the link to the BCI’s BCAW homepage to find details of other events and activities.
A recent academic study by Daniele Bianchi and Onur Kemal Tosun analysed the market reaction to 41 deliberate (ie criminal) security breaches that occurred in large US firms between 2004 and 2016. The authors found that firms experiencing such a security breach suffered a loss in value of between 1 and 1.5% over a period of 2-3 days around the first public announcement of the breach. Given that the firms involved were amongst the largest corporations in the US, this equates to losses of billions of dollars to shareholders for each incident. Interestingly, the study also found that security breaches had long-term effects on the companies affected; specifically they observed:
- Reduced spending on Research and Development activity; and
- Reduced dividends to shareholders
over a five-year period after the breach. Finally, and perhaps surprisingly, the authors also found that:
- The pay of CEOs in affected firms increased after a breach relative to unaffected firms; and
- Security breaches had no effect on the rate of CEO turnover.
This would seem to contradict recent high-profile examples, such as TalkTalk and Equifax, where CEOs left shortly after breaches.
Follow the link to our Downloads section to see more data on “The Cost of Disruptions”.