
According to figures published recently by the International Standards Organisation (ISO), there was another steep rise in the number of certifications globally to both ISO 22301 and ISO 27001 last year.  As of the end of 2020, there were:

  • 44 486 valid ISO 27001 certificates (up 22% on 2019); and
  • 2205 valid ISO 22301 certificates (up 30% on 2019).

When we blogged last year about the significant increase in 2019 we were very unsure as to what impact Covid-19 would have on attitudes towards certification; but these data suggest that the experience of the last 18 months has really increased interest in implementing these management systems.

The breakdowns by country were similar to previous years.  The top three countries for ISO 27001 are unchanged from last year:

  • China – 12 403 valid certificates;
  • Japan – 5645 valid certificates; and
  • UK – 3227 valid certificates.

As regards ISO 22301, there were some interesting patterns by country:

  • The top two were unchanged from last year with the UK having 336 valid certificates and India having 169;
  • Singapore moved back into third place (displacing South Korea) with 160 valid certificates; and
  • Turkey moved into fourth place with 136 valid certificates after a four-fold increase in certifications over the last two years.

Follow the links to find out more about ISO 27001 and ISO 22301 and how we can assist you in achieving certification.

It is rare to get detailed information on the costs of incidents; so the recent financial update from Ocado Retail, covering the period around the fire at their Erith fulfilment centre, is particularly interesting.  Comments by the company’s senior management also raise a question mark over how much they have learnt from previous fires.

A fire broke out at their Erith site on Friday 16th July, following a crash between three robots; and firefighters battled through the night to tackle the blaze.  Fortunately nobody was injured; but the disruption to the fulfilment centre, which usually handles 150 000 customer orders a week, had a prolonged impact on Ocado Retail’s delivery capacity.  Even after ramping up capacity at other sites, an estimated 300 000 orders were lost over the next few weeks, equating to £35m of revenue.  This dwarfs the estimated direct costs of the fire of approximately £10m.

In the media coverage of the incident, it was remarked upon that this was Ocado’s third warehouse fire in three years.  It was also noted that this was the second fire to be caused by the robots that populate their warehouses: a robot catching fire destroyed the Andover fulfilment centre in 2019.  In an interesting remark, Tim Steiner, the Chairman of Ocado Retail, is quoted as saying:

Everyone is reassured that the lessons of Andover were well learnt, that Erith was well contained and that we can eliminate what caused the Erith fire to never happen again.

Whilst the immediate cause of the fires was different at Andover and Erith, the sheer fact of having three fires in three years suggests that maybe a more thorough root cause analysis is required to identify any underlying issues.

We blogged last week about the sharp rise in energy prices in the UK and the fact that this was leading some energy-intensive industries to shut down production.  The situation has now escalated markedly, with the news that our main producer of fertiliser, CF Industries, has shut down production; leading to a massive shortage of CO2 for the food and drink industry.

The shocking thing though is that we experienced a Europe-wide shortage of CO2 as recently as June 2018.  Whilst our blog post at the time focused on the impact on beer production during England’s successful World Cup campaign, the more serious impact on the wider food and drink industry was widely reported too.  Having come so close to disaster three years ago, why has nothing been done to mitigate the risk?

I would suggest (at least) two factors are at play here.  Firstly, it’s a perverse twist of human nature that exposure to near misses in this way tends to make us feel less, rather than more, vulnerable!  For instance, analysis of the Challenger Space Shuttle disaster found that the engineers who were most aware of the catalogue of previous problems with the solid-fuel booster rockets were actually the most confident about the safety of the shuttle.

Secondly, we observe in our business continuity work that organisations frequently struggle with the business impact analysis.  This is the critical step of identifying what are the most time-critical activities for an organisation and what resources (e.g. CO2) are required to carry them out.  Clarity on these resource requirements is the basis for both risk mitigation activities and contingency planning for possible disruptions.  It would appear though that, even after the warning in 2018, many in the food and drink industry failed to grasp the criticality of ensuring a reliable supply of CO2.

We are advised today that the UK Government is working to urgently restore CO2 production, and we may still avert a crisis.  Hopefully, this time around, the lessons identified in 2018 will become lessons learned; with food producers making substantive changes to ensure supply chain continuity.

Electricity prices in the UK were already increasing because of a combination of the rising cost of fossil fuels, outages of nuclear power plants and an unseasonable shortage of wind.  However, the sudden shock of a fire at a National Grid site in Ashford, Kent shutting down a 2GW interconnection with France sent prices rocketing a further 19% yesterday.

The fire at the Interconnexion France-Angleterre site broke out in the early hours of Wednesday.  The site was evacuated and, fortunately, there were no reports of casualties.  Initial estimates are that the interconnection will be completely offline until 25th September; and will then be operating at only half capacity until March next year.  We have interconnectors with Belgium, Ireland and the Netherlands, as well as another one with France; but, in total, these only have a capacity of 4GW so the loss is significant.  Moreover, most of our imported electricity normally comes from France, where it is cheaper, so it is bound to have a lasting effect on prices.

It seems unlikely that the fire will directly lead to widespread power outages.  It appears that the steep hike in prices will force some large industrial users to shut down production, thereby reducing demand.  However, it provides a stark reminder of the fragility of our electricity infrastructure and the need to plan contingencies for power outages beyond the typical 30-minute or 1-hour blackout.

The media last week was full of dramatic images of flooding in London: the disruption to Tube stations and two major hospitals causing particular concern.  But, exactly two years ago, we were facing an even more serious flooding incident here in the High Peak.

Sustained rainfall through late July 2019 had filled Toddbrook Reservoir to overflowing, and saturated the surrounding moorland.  A heavy downpour on 31st July was the final straw and, on the morning of 1st August, local people noticed that the spillway of the dam was damaged.  A major incident was declared and residents of Whaley Bridge were evacuated whilst the Emergency Services, aided by the RAF, raced to empty the reservoir whilst simultaneously shoring up the dam.  Rain continued to frustrate their efforts but, by 6th August, water levels had been reduced sufficiently to start letting residents return to their homes.

Two separate inquiries followed, to investigate the root causes of the failure: you can see a summary of these here.  As I write, work has not yet begun on rebuilding the dam; but it is hoped that the reservoir will be open to the public again in 2024.

Databarracks have just published their 2021 Data Health Check.  You may think “So what?” – we are constantly bombarded with surveys on different aspects of information security management.  I would argue that the Data Health Check is interesting for two reasons:

  • It is explicitly UK focused; and
  • The survey has been carried out every year since 2008.

It therefore provides a particularly rich picture of information security trends within UK organisations.  The period from 2008 to 2021 is dominated by two main trends:

  • The increase in cyber attacks; and
  • The move to cloud computing.

Back in 2008, cyber attacks caused around 5% of data losses; but by 2021 this had risen to over 25% of data losses (it is only exceeded now by human error).  Meanwhile, focusing on one specific form of attack, the number of organisations that were victims of ransomware has increased from 9% to 29% in just the last five years.  Interestingly, the survey looks specifically at how organisations have responded to this trend, finding that over half of organisations now have a specific policy on the payment of ransoms:

  • 21% have a policy to never pay a ransom;
  • 9% will pay as a last resort;
  • 13% will pay if the ransom is covered by insurance; and
  • 14% will pay if the ransom is less than the cost of recovery.

Whilst the fact that over a third of organisations acknowledge that they will pay a ransom in some circumstances may seem surprising, it accords with:

  • Previous research suggesting that roughly half of firms pay ransoms; and
  • The recent high-profile examples of payments by Colonial Pipeline and JBS Foods.

Turning to the evolution of cloud computing, only 20% of organisations do not have any cloud-based systems; and almost 10% have nearly all of their systems in the cloud.  However, alongside this cloud migration, there is a growing realisation of the risks of cloud computing: 77% of organisations now use additional backup and recovery capabilities for cloud services (up from only 28% in 2016).  Following the major fire at OVH’s Strasbourg site in March, we may see a further rise in this figure in next year’s survey.

On 6th July 1988, 167 men died following a devastating fire on the Piper Alpha platform, operated by Occidental Oil in the North Sea.  Only 61 people survived, some of whom leapt over 100 feet from the burning platform into the sea.  As ever, our thoughts are with those survivors and the bereaved families.

The Cullen Inquiry, which investigated the disaster, was scathing about Occidental’s approach to safety prior to the incident:

“The management adopted a superficial attitude to the assessment of the risk of major hazard.”

Not only did this attitude create the conditions where accidents were more likely to happen, but it also meant that the crew were poorly prepared to respond when one did:

“The explosion on Piper Alpha that led to disaster was not devastating…as the resulting fire spread…it seems the whole system of command had broken down.”

“The offshore Incident Manager took no initiative to save life…in my view the death toll…was substantially greater than it would have been if such an initiative had been taken.”

This was not, fundamentally, a failure by the individuals involved on the day; but a wider corporate and industry failing:

“The failure of the Offshore Installation Managers to cope with the problems they faced on the night of the disaster clearly demonstrates that conventional selection and training of OIMs is no guarantee of ability to cope.”

The disaster marked a watershed in the oil and gas industry, where health and safety now receives much greater attention and, in particular, the selection and training of Offshore Installation Managers has been revolutionised.  Sadly though, as you look at comments from more recent public inquiries (such as Grenfell Tower and the Manchester Arena), it appears that the lessons have not necessarily been learnt in other industries.

There has been extensive coverage over the weekend of the massive ransomware attack that began at the US-based IT firm Kaseya.  The attackers managed to infect a software update for Kaseya’s VSA product, which went out to customers on Friday, with REvil ransomware.  This not only affected these firms, but also their customers.  One of the most high-profile European casualties so far is the Swedish Coop supermarket chain, which had to close over half of its 800 stores because point-of-sale systems had stopped working.  Whilst Coop is not a customer of Kaseya, it is believed that one of their software suppliers is.

Kaseya acted swiftly to shut down cloud-based services and to advise clients to shut down their on-premises VSA servers; but it appears that considerable damage had already been done.  Kaseya are stressing that only a small number of their customers are affected; but experts estimate that over 200 companies globally have been infected.  At the time of writing, cloud-based services were still suspended and clients running VSA on-premises were still waiting for a security patch.

The Kaseya incident is part of a growing trend of “supply-chain attacks”, where criminals propagate ransomware along the supply-chain to infect multiple victims.  The method has proved highly successful so far, which will likely encourage more of these attacks in the future.


The Manchester Arena Inquiry Volume 1: Security for the Arena was published last week.  It is now over four years since the attack, and the proceedings of the Inquiry have been widely reported as they happened; but this volume brings together all the evidence about security prior to 22nd May 2017 and, crucially, provides a number of recommendations.

Sadly, the report catalogues a huge range of failures by the various organisations responsible for providing security for the Manchester Arena.  As with the Grenfell Tower Inquiry, these include:

  • Confusing and poorly understood contractual arrangements;
  • Failure to comply with legal and regulatory requirements;
  • Failure of regulators to identify and take action on non-compliance; and
  • Inadequate training for many staff groups.

The Chair of the Inquiry, Sir John Saunders, concludes that these factors contributed significantly towards the high death toll.

The most interesting part of the report for me is Sir John’s views on the process used by these organisations to assess the risk of a terrorist attack.  Both SMG, who operated the Arena, and Showsec, who provided security at events, had developed written risk assessments, which included various terrorist threats amongst the hazards considered.  Sir John identifies many flaws in these documents, particularly around the need to make them specific and current by using all available information; as well as highlighting that they were not really used as a management tool in any meaningful way.  He then goes on to highlight, as many others have done before, that a standard 5×5 risk matrix is fundamentally unsuited to assessing the risk of low likelihood events with extreme impacts (such as a terrorist attack):

“I have considerable reservations about this approach being used in connection with the threat from terrorism.”

Low likelihood and very high impact is not in any sense equivalent to very high likelihood and low impact, as implied by the common practice of simply multiplying the two ratings together to give an overall (but meaningless) “risk score”.

However, having correctly identified the problem, I feel that Sir John fails to offer a suitable solution in his recommendations.  He offers three possible solutions, the first being to simply ignore the likelihood when considering terrorist threats; implying that all conceivable terrorist attack methodologies must be mitigated in some way, however implausible.  The second option is a modified version of this, proposing that likelihood is only used in distinguishing between different terrorist attack methodologies.  This is a sensible modification, focusing attention and resources on mitigating the more likely threats; but still not an optimal solution.  Finally, he suggests using a greater range of severity scores; although he doesn’t say exactly how great a range (10, 50, 100?).

All of these proposed solutions miss two fundamental points:

  • It is fundamentally wrong to assess one class of risks in a completely different way to all others; and
  • Sadly, we have masses of information about the impact of terrorist attacks.

Picking up on the first point, one could also experience mass casualties (and fatalities) at an arena from a fire or a crush of bodies: using a different risk assessment approach for one specific type of risk (terrorism) would likely lead to a distortion in the allocation of resources for mitigating different threats.  Given the vast amount of data available on historical terrorist attacks, and the sophistication of tools for modelling new attack methodologies, it is perfectly possible to perform fully quantitative assessment of terrorism risks.  Other risks to public safety at events can be modelled in exactly the same way, allowing resources to be directed to the risk mitigations that are most cost-effective in preventing injuries and fatalities.

It is unfortunate that this golden opportunity to drive a paradigm shift in risk management has not been seized.
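As an added illustration of the argument above (not code from the Inquiry report or from this blog), the model below scores the same hazards first with a conventional 5×5 matrix and then quantitatively, treating each hazard as a Poisson stream of events with lognormally distributed casualties; it goes one step beyond the text by also ranking candidate mitigations by expected casualties prevented per pound.  All hazard rates, severity parameters, mitigation names and costs are constructed illustrative values, not real figures.

```python
"""Constructed worked example, not from the Inquiry report or this blog: each
hazard is a Poisson event stream with lognormal casualties per event, and all
rates, severities and costs below are illustrative figures, not real data."""
from dataclasses import dataclass
import math

@dataclass(frozen=True)
class Hazard:
    name: str
    rate: float   # expected events per year (Poisson rate)
    mu: float     # lognormal parameters of casualties per event
    sigma: float

@dataclass(frozen=True)
class Mitigation:
    name: str
    hazard: str
    cost: float                  # annualised cost in GBP
    rate_factor: float = 1.0     # multiplier applied to the event rate
    severity_shift: float = 0.0  # subtracted from mu (log-scale severity)

def norm_cdf(x: float) -> float:
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))  # standard normal CDF

def mean_casualties(h: Hazard) -> float:
    return math.exp(h.mu + h.sigma ** 2 / 2.0)  # mean of a lognormal

def expected_annual_casualties(h: Hazard) -> float:
    return h.rate * mean_casualties(h)

def prob_exceed(h: Hazard, threshold: float) -> float:
    """P(at least one event in a year with more than `threshold` casualties)."""
    tail = 1.0 - norm_cdf((math.log(threshold) - h.mu) / h.sigma)
    return 1.0 - math.exp(-h.rate * tail)

def band(value: float, edges: list) -> int:
    return 1 + sum(value > e for e in edges)  # 1..5 rating from band edges

def matrix_score(h: Hazard) -> int:
    """Conventional 5x5 score: likelihood band times impact band."""
    return band(h.rate, [0.01, 0.05, 0.2, 1]) * band(mean_casualties(h), [1, 5, 20, 100])

def casualties_prevented(m: Mitigation, hazards: list) -> float:
    """Reduction in expected annual casualties if the mitigation is applied."""
    h = next(x for x in hazards if x.name == m.hazard)
    after = Hazard(h.name, h.rate * m.rate_factor, h.mu - m.severity_shift, h.sigma)
    return expected_annual_casualties(h) - expected_annual_casualties(after)

def rank_mitigations(mitigations: list, hazards: list) -> list:
    """Rank by expected casualties prevented per GBP 1m spent, best first."""
    scored = [(m.name, casualties_prevented(m, hazards) / (m.cost / 1e6)) for m in mitigations]
    return sorted(scored, key=lambda t: t[1], reverse=True)

HAZARDS = [Hazard("terrorist attack", 0.002, 2.9, 1.0),  # rare, heavy tail
           Hazard("fire", 0.05, 1.0, 0.8), Hazard("crowd crush", 0.02, 1.5, 0.9)]
MITIGATIONS = [Mitigation("extra exit marshals", "crowd crush", 200_000, rate_factor=0.5),
               Mitigation("sprinkler upgrade", "fire", 400_000, severity_shift=0.7),
               Mitigation("entrance screening", "terrorist attack", 300_000, rate_factor=0.6)]
```

With these figures the terrorist attack and the fire receive the identical matrix score of 4, yet the quantitative model shows the attack is roughly three times as likely to produce a year with more than 20 casualties, and it ranks the mitigations in an order the matrix alone cannot justify.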


In this final blog post looking back at the 1996 Manchester bombing, we discuss the recovery of the hundreds of small businesses caught up in the devastation.  Those affected by the attack included:

  • 100 shops in the Royal Exchange;
  • 150 shops in the Corn Exchange;
  • 40 small offices;
  • 15 pubs/cafes; and
  • 1 clairvoyant.

The impact on these businesses was profound:

  • They lost access to their premises for many weeks;
  • Stock, fixtures and fittings were destroyed; and, in some cases,
  • Staff were injured.

Small businesses are always vulnerable to unavailability of key staff and disruption to cashflows; but in this instance their problems were exacerbated by a number of additional factors:

  • The length of time taken to settle insurance claims;
  • Landlords required them to sign new 5 or 10 year lease agreements, even if they only wanted temporary premises;
  • The owners of the Corn Exchange terminated all leases; and
  • The owners of the Royal Exchange decided to completely renovate the site over the next two years.

Many businesses would undoubtedly have gone bankrupt if it hadn’t been for a tremendous community effort to assist them.  Within days, special help lines were set up by the council and chamber of commerce; and many larger firms offered temporary accommodation.  Banks offered advice and special loans.  The Lord Mayor’s Emergency Appeal Fund raised over £2m, including individual donations of £250 000 each by local businessmen David Alliance and John Zochonis.  The main contribution of the fund was to disburse vital hardship payments and loans to help businesses restock in the immediate aftermath of the attack.

Gradually the recovery gathered pace.  35 businesses from the Corn Exchange were relocated to ‘The Coliseum’ when it opened in August; and another 50 small businesses were relocated to ‘The Emporium’ the next month.  By January 1997, all but 70 businesses had been relocated.  There is no definitive figure for the number of businesses that failed in the year after the bombing but, contrary to some much higher figures that circulate from time to time on the internet, the best guess is between 20 and 30.  This outcome represents a real triumph for the business community of Manchester, but the fact remains that small businesses will always be vulnerable to this sort of disruption.