archive

Fuel Crisis Report

Executive Summary

In September 2000, British farmers and truck drivers launched a dramatic campaign of direct action to protest a fuel duty. Their campaign followed a similar one by farmers, truckers, and fishermen in France, which had resulted in concessions from the French government.

The UK protesters blockaded fuel refineries and distribution depots and, within days, created a fuel crisis that paralyzed critical infrastructure (CI) sectors and brought the country to a virtual halt. The impact of the protest was much deeper than anticipated because it struck at a particularly vulnerable point of the UK economy -- the oil distribution network, which had been organized along just-in-time delivery principles. This, combined with shortages anticipated by fuel consumers and consequent panic buying, magnified the impact of the protests on practically all CI sectors in the UK.

Fuel Crisis Report cont'd...

CRITICAL INFRASTRUCTURE IMPACTED

The fuel price protests exposed the dependence of practically every CI sector of the UK economy on continuous fuel supply and resulted in direct and indirect impacts on CI in the UK.

Fuel Crisis Report final and conclusion...

Financial and Banking Sectors

Limited information exists concerning the impact of the fuel protests on banking and financial services. The sector was dependent on the transportation industry for the movement of money and financial notes.

Disruptions to the transportation sector during other incidents have affected the ability of banks to supply automatic teller machines (ATM) with cash, resulting in ATM service outages. However, the banks stated that there were no serious interruptions in daily operations. They did not have to resort to any drastic action after securing a place on the government's priority fuel list for the armoured vehicles, which transport money around Britain.

Phishers devising new techniques

SC Magazine

The number of conventional phishing attacks dipped slightly last month but the amount of crimeware designed to steal personal data increased, according to the Anti-Phishing Working Group (APWG). There were 14,135 phishing attacks reported to APWG in July, down from 14,135 in June.

The number of phished brands also dipped to 71 last month, from 74 in July, as attackers shifted from targeting large companies to smaller financial institutions, APWG researchers reported. The number of malicious keylogging applications designed to steal passwords grew to 174 in July, up from 154 in June while the number of password-stealing URLs grew to 918 from 526.

Business preparing for terrorist attack

By Hamish Bryce Published: August 17 2005 13:53 

Reports of explosions, London under attack, hundreds of casualties, many feared dead. Emergency services deploy and respond according to well-established plans. Not the events of July 7 but a scenario a few months earlier in April codenamed Atlantic Blue, an international exercise aimed at testing the response of departments and agencies to an incident eerily reminiscent of last month's bomb attack. 

Atlantic Blue and other exercises designed to prepare the capital for catastrophes have served us well - the emergency services' handling of the July attacks was successful and deserves our whole-hearted praise. But what now? What lessons have we learnt and how can we prepare for future threats? 

Staff 'not covered for terrorism' - Families could fall into financial turmoil

BBC website 5/8/05

Emergency service workers killed or injured during a terrorist incident may not be covered by personal insurance policies, a union has warned. Unison, representing emergency service workers, says insurance companies should drop exclusion clauses.

Policies covering accident and offering mortgage protection should be checked by policyholders carefully, it said. Exclusion clauses could leave emergency workers and their families high and dry if they are injured or killed. Fire crews in Somerset have already threatened to go on strike after claiming they may not be insured for dealing with a terrorist attack. The action has since been called off to allow further talks. Unison said it did not want the sacrifices that members of the emergency services were making to result in their families suffering financial hardship.

Terrorism exclusion

It pointed out that its own insurance policy offered to members provided full cover and called for other insurers to do the same.

Jane Milne, Association of British Insurers, says: "Most types of insurance are readily available without terrorism exclusions."

"We are asking all insurance companies to look at their policies and if they have such exclusion clauses to drop them," said Sam Oestreicher, a Unison national officer.

The insurance industry itself admitted that some policies had exclusion clauses and advised policyholders to study the small print or contact their insurance company or broker. "We would like to reassure emergency workers and other customers that most types of insurance are readily available without terrorism exclusions," said Jane Milne at the Association of British Insurers. "The major personal types of insurance, such as life, household and comprehensive motor insurance, provide cover for the effects of a terrorist incident as a standard feature of the policy."

END 

If you would like to know more about how your organisation can get involved and benefit from working with the Continuity Forum, please email us HERE! or call on + 44 (0) 208 993 1599. 

 


Pressure on companies to improve Business Continuity mounts

In the past few days there has been a lot of media attention on Business Continuity and the need to improve the numbers of companies planning for disruption.

The Continuity Forum has been at the forefront of this activity with Russell Price and John Sharp being featured widely across BBC Radio and TV, ITV News and Bloomberg. The Continuity Forum was also featured on the front page of the Financial Times and Associated Press spread the story still further.

British Standards Institution announces BCM Standard Committee at Forum event

30th June 2005

Today at the Continuity Forum ‘Raising the Standard’ Event, Nicki Dennis of the BSI took the opportunity to announce the formation of the special BCM Committee which will be driving through the final stages of the new BSI standard for Business Continuity expected next year.

The formal 'kick off' of this BCM working group will be held at the Institute of Directors, in Pall Mall, on the 22nd August with the first meeting scheduled to be held on the following day.

John Sharp, our Policy Director, will represent the Continuity Forum on this committee and we invite anyone with contributions on issues relating to the development of this new milestone for BCM to mail John directly HERE!

The audience unanimously welcomed the news and the Continuity Forum will continue to report on the development of this group and the issues as it progresses towards the introduction of a FULL British Standard for Business Continuity.

END

__________________

If you have any comments on this article or would like to find out more about the work of the Continuity Forum please contact Sara McKenna, John Sharp or Russell at the Continuity Forum directly on 020 8993 1599 or info@continuityforum.org

A STANDARD FOR BUSINESS CONTINUITY

As announced on this website on the 30th June, British Standards Institution has formed a technical committee to commence the development of a British Standard for Business Continuity Management.

The first meeting of the committee will take place on the 23rd August and John Sharp, Policy & Development Director of Continuity Forum, who chaired the team that developed the BSI Guide to BCM (PAS56), will sit on the committee along with Continuity Forum Chairman, Russell Price.

Over the next 12 to 18 months the UK has a unique opportunity to build on the foundation of PAS 56, which has sold over 4500 copies worldwide, and create a workable BCM Standard.

As BCM has developed and become more mainstream, it has been recognised that some uniformity of approach is required. No organisation is an island; they rely upon suppliers, outsourcers and intermediaries, i.e. their partners, to assist them in delivering their products and services to their clients and customers. These partners serve many organisations across all sectors and they will be called upon to have BCM processes in place by many of their customers.

If the processes comply with a BS BCM Standard then organisations will have greater confidence in their trading partners and the partners will minimise their cost of BCM compliance by using a single certification process.

The creation of a BCM standard raises many questions:

- What form should that standard take and what should be included?

- What, if any, evaluation criteria should be used to ensure that an organisation has achieved compliance with the standard?

- How should organisations be certified and audited?

- Can it apply to public sector organisations?

- How do we avoid the standard being for the 'big boys' only and not applicable for the SME market?

- How do we avoid more red tape being imposed on an already pressurised SME management?

The Continuity Forum provides you an opportunity to have your say. By joining in our BCM standards debate you will be able to share with other participants your views and indirectly provide input to the BSI deliberations.

To support this debate we will be holding a number of general face to face meetings addressing issues related to the developing standard. These will commence in the Autumn after the formal launch of the Standards Committee in August.

We will also be hosting through the Forum Discussion area of this website an on-line group which will facilitate further professional debate and provide an opportunity to share ideas and materials relevant to the profession.

END


 


The Commissioner, the Companies and the (lack of) commitment

Business needs to look in the mirror to discover who needs to do more

Following the terrible attacks on London, there has been increased concern over the levels of planning in London, but it seems to us that the media has been quick to point the finger at those doing MOST to correct the situation rather than lambast those ignoring the advice that has been repeated time and time again.

How vulnerable are public sector systems?

This synopsis by Dr David J. Smith MBA LL.B(Hons) FBCI former Editor of the Business Continuity Management (BCM) Good Practice Guidelines 2002 and a key contributor to the British Standards Institute BCM Good Practice Publicly Available Specification (PAS56) 2003 outlines various approaches that can help organisations prepare for business/service availability and continuity.

City terror attack 'inevitable'

It is only a matter of time before London's financial heartland is attacked by terrorists, the police chief responsible for the area says.

City of London Police Commissioner James Hart told the Financial Times potential targets had been staked out several times since 11 September. "Hostile reconnaissance" had been disrupted, but no suspects had been arrested over this so far, he said.

Mr Hart also said that only 50% of firms had Business Continuity or contingency plans in place.

'When, not if'

The mindset of the would-be terrorist meant that the financial centres of western governments were prime targets, he said. "If you want to hurt the government, hurt people at the same time, and you want to cause maximum disruption...where better to hit than at the financial centre?"

Mr Hart also pointed out that the City of London had been a target for terror attacks for 30 years, highlighting the number of times the area had been hit by the IRA. "I think it is a matter of when, rather than if."

Potential targets included prominent sites and business - "anywhere where the maximum damage can be inflicted on the financial systems," he said.

Sites where an attack was likely to cause large numbers of casualties and maximum disruption were also likely targets, the police commissioner added.

Continuity Forum Comment

Commissioner Hart's comments, coming so soon after the attacks of 7/7, clearly indicate the level of concern the police and security services have over the risks of further terrorist violence in the capital. Of particular interest to us is the raising of the level of planning within organisations at a time when the risks could not be higher.

Organisations of all types must ensure that they have effective Business Continuity Plans in place and that staff are aware of the emergency procedures.

In our opinion and that of our legal counsel, organisations not implementing Business Continuity Management and rehearsing their emergency procedures are clearly negligent with regard to their duty of care to personnel and other stakeholders. This negligence leaves them open to both extended losses and significant claims for damages and loss, which could cripple the company following an incident.

We would ask that people working not just in the City, but across the country start asking the employers who have yet to make provision for Business Continuity WHY?

Directors need to act now to resolve the issues of planning and ensure a proper and responsible focus on protecting their staff and the interests of other stakeholders.

It should be noted that following 7/7 legal claims are now in the initial stages of seeking damages. We have already reported that many insurance policies do explicitly exclude losses from terrorist acts and we further recommend that policies are reviewed and updated if required, particularly in relation to the personnel issues.

On a more positive note, we have been working for over three years with both the City of London and the Corporation of London and in our opinion there is probably no area of the country better prepared to deal with a major incident.

We have already run a number of events in association with both the City Police and the Corporation providing support and information to organisations and there will be further sessions in the coming months. For further information on these please contact us directly.

END 


 


MCI expands business continuity and disaster recovery solutions

MCI, Inc. has announced that it has expanded its disaster recovery capabilities for government customers to include back-up voice services that will restore incoming communications within minutes.

Businesses focused on need to beef up security

By Roger Blitz Financial Times 

Lyndon Bird is uncomfortable saying it, but the business that helps industry to prepare and cope with large, unexpected incidents is benefiting from one of those periods of growth when terrorism dominates world attention. 

More than 20 years in the business continuity industry has taught him not to expect these growth spurts to last long. “There was a period when the IRA campaigns were a major concern, but that died away and people were less concerned about it,” said Mr Bird, who runs Continuity Planning Associates, a consultancy.

The attacks on New York on September 11 caused another big upturn in business, but even that lasted only six months. This latest surge in demand following the London attacks may be another blip, but the signs are that businesses are taking seriously the need to beef up their security to ensure they can keep going should there be another attack. Medium-sized businesses have been making up the bulk of the 75 per cent increase in inquiries since August 1 at Continuity Forum, an independent group offering support, advice and best practice. 

Larger businesses have, in part for regulatory reasons, already spent millions on security and continuity planning. “There has been more concern expressed by medium-sized organisations and these are the ones who had not been taking business continuity seriously,” said Mr Bird.

Russell Price, of Continuity Forum, said: “[Medium-sized companies] are now taking a greater interest, they are struggling in some respects to understand what they should be doing.” Smaller businesses remain unwilling or, more likely, unable to invest in business continuity and security. Mr Price said one retailer in Russell Square found that a lot of his passing trade vanished after the Metropolitan Police sealed off an area containing his business because of forensic examination of one of the four bomb explosions on July 7.

“Many small businesses are on the edge. This might be enough to put him into receivership,” Mr Price said.

Many inquiries from small and medium-sized businesses are about insurance, but Mr Price said since September 11 there was a reluctance from insurers to provide cover. “The insurance companies are making it clear in policies that terrorism is excluded and that cover for other areas, such as loss of IT systems, might not be available.” Inquiries from SMEs are naturally focusing on the more affordable items of security and continuity, such as CCTV, glass-protective film and, for entertainment premises, security guards. The costs start to mount for protective barriers and specialised security.

The temptation for some businesses is to spend security money for the sake of it, rather than taking what Mr Price calls a more integrated approach to risk.

“A lot of companies are spending money to make them feel better rather than adopting a strategy to protect themselves. There needs to be a more strategic management of risk through the business continuity management process. It's not just terrorism. In fact, the vast majority of businesses are more likely to be seriously affected by IT, personnel, power and water damage issues.” Besides, the costs may be not as great as they once were.

“Only the largest and most profitable companies could afford to do it, but now there is much more available to people,” said Mr Bird. “Organisations are more able to negotiate competitive and more sensible back-up arrangements for accommodating their IT systems and services. The industry, the suppliers of services, people who supply alternative accommodation and desks, the front office-type services, they have become more available to people than they were,” he added.

END  


SAFETY CHAIN - Building the right kind of Business Continuity

Computer Weekly 12/7/05 

Your trading partners' plans for business continuity can be as vital as your own. Arif Mohamed looks at positioning yourself for maximum competitive edge.

Good business continuity planning can give a company an edge over its competitors.

Apart from the assurance that the business will run regardless of natural disasters or external hacker attacks, a company with a good plan can use it as a selling point. In fact, customers have driven the requirement for good business continuity planning over the past few years, says Gartner research vice-president Simon Mingay. “One of the biggest drivers has been that customers have asked: ‘Have you got a plan? Show me the plan. What is the scope of it and how do you aim to keep it up to date?’”

Mike Stichbury, head of business continuity services at BT Business, says, “We frequently come across small and medium-sized companies that are asked for copies of their business continuity plans by clients who want to be assured they have sufficient procedures in place to protect against interruption to service.”

Mingay says most companies are alerted to business continuity planning by a catalyst. “They might have an incident or a close call, or someone in the supply chain or a competitor has an incident, or a new executive comes in and decides to make it an issue. There could be a change in the regulatory regime, or an auditor who makes a comment, or a customer who starts asking questions,” he says. Mingay says the issue of business resilience concerns many customers, and is a particular worry in financial services, with life sciences and pharmaceuticals following closely. One major benefit of business continuity planning is that companies stand to offer customers and potential customers assurance that their business is robust, which may be something their competitors cannot do.

Business continuity planning can be a selling point for IT internally, and for the business externally, says Chris Stewart, technical consultant at EMC's Solutions Group, which offers business continuity consultancy. “When you are looking at business continuity you want to make sure you are continuing to provide all the critical services the business relies on. IT services are one of those, but you are also going to have external services that you require from other companies, and you may be providing critical services to other businesses,” he says. With this in mind, an IT department will gain the edge if it can carry out risk assessments from planned or unplanned incidents and calculate how much data can be recovered and the time it will take, says Stewart. In addition, the IT department will get the company's executives onside if it can demonstrate a methodology, showing design and best practice, implementations and testing, and recovery and failover plans, he says. Industry-specific regulatory requirements, such as Sarbanes-Oxley, Turnbull and US healthcare legislation HIPAA, have acted as a significant catalyst for adopting a business continuity plan.

Callum Sinclair, a solicitor with law firm Maclay Murray & Spens, says, “Certain bodies deemed vital to running the country such as emergency services, the NHS and certain transport providers, are required to maintain continuity plans under the Civil Contingencies Act 2004. Beyond this, there are various additional industry rules and guidance which apply, to a greater or lesser extent, to financial services companies, PFI/PPP providers and others.” But what a company is required to do in terms of having a business continuity plan varies greatly by sector.

In some sectors there are few regulations, and in others, such as financial services, requirements are manifold, says Richard Chapman, solicitor at law firm Berwin Leighton Paisner. “Regardless of sector, directors always have to act in the best interests of the company, and make appropriate measures to protect the company's assets,” he says. “One way is to take out an insurance policy to cover databases, communications or customer records. All businesses should see what appropriate ways there are to protect their assets.” One major issue surrounding business continuity is the involvement of business partners and suppliers, which often play a key role in the supply or business chain. Medium-sized as well as large companies are increasingly integrating their IT systems into their partners' systems, says Mingay. “Organisations are much more tightly integrated into a trading ecosystem, and IT is fulfilling much more of that role than it did previously. Information is now being largely transferred automatically through the supply chain,” he says.

Companies should therefore demand from their suppliers a high level of preparation for interruptions to business. “Business interruptions will affect customers far more quickly than before,” says Mingay. “You should be concerned about your own suppliers, and be asking more detailed questions about their business continuity planning. Just because they are big, do not assume they have a plan.” Many companies rely on their business and outsourcing partners to be resilient, as their services are core to the business. Because of this, business continuity issues are often addressed within a contractual framework, to ensure the core business is able to continue if the partner goes down. In creating a contractual framework for business continuity planning, “Keep it simple and flexible and ensure you get the involvement and commitment from everyone in the business. You need to create the right organisational culture and adopt a holistic approach.” Chapman says, “In outsourcing transactions, you would commonly put in the contract that your supplier is required to have business continuity in place. You will also want to have a disaster plan in place that links in with yours.”

Stichbury says, “To get the best possible protection, organisations need to consider which elements of their business and supply chain are mission-critical and the potential impact should one of these fail or be hindered in any way. Armed with this information it is easier to negotiate service level guarantees with subsequent compensation should your supplier's services fail.” Sinclair adds, “Where the strategy involves working with a partner - handling off-site IT back-ups and disaster recovery, for example - be certain the contract includes assurances in relation to service levels.

“These should include specific requirements for response times and service availability. However, it is also important to have a good working relationship with such partners, with regular meetings and updates to help foster in-depth knowledge of processes and systems. There are data protection implications around using a third party for disaster recovery, as the information held in off-site backups may fall within the remit of the Data Protection Act 1998. Details of any third party providers should be included in information such as privacy statements and fair use notices.”

Chapman says that where a disaster recovery location is situated abroad, transferring personal information across national boundaries may also have data protection implications, being subject to international data protection laws. But Mingay says, “Regardless of onshore or offshore, the issue is the same. As we move towards outsourcing, from an IT point of view, organisations absolutely need to concern themselves with the business continuity and disaster recovery plans that the provider has, and not assume that because they are going with an external service provider, that they have made provision for them, if there is nothing in the contract. It is a common problem that people have made assumptions of the level of capabilities of their partner. It is not always the fault of the provider. It is sometimes the fault of the client, who is looking at ways they can take costs out of the deal, and that may involve reducing their business continuity. You pay for what you get.”

CASE STUDY 

Carphone Warehouse mirrors its datacenters 

Retailer Carphone Warehouse wanted to ensure it had effective business continuity. It offered consumers services that required its communications network to be up and running around the clock, each day of the week. Last year the company built a new datacenter that mirrored its core environment, but is also capable of running live services.

Carphone Warehouse's infrastructure and operations director, Attiq Qureshi, says the company now regularly switches key services between the sites, whenever they add capacity or carry out maintenance. The firm signed a 10-year deal in September 2004 with business continuity service provider Globix to ensure the datacentre and its networks run at all times. The contract included service level agreements that cover network performance at 99.99% uptime, hardware failure response, and round-the-clock application monitoring. “I think it has given us a competitive advantage. We now have two large datacentres, so we can move between the sites. It has given us growth and raised the profile of business continuity systems in the business,” says Qureshi. Carphone Warehouse has an audit committee made up of some of its most senior executives, who are now very interested in the company's business continuity plans.

The company was required to communicate its capabilities and plans to telecoms regulator Ofcom. Carphone Warehouse also informed the Financial Services Authority, for insurance purposes. “We were urged on by our insurers, and now that we have business continuity, we have got some fantastic savings on our insurance as a business,” says Qureshi. “From an insurance point of view, customers need to know that we can continue to provide telecoms services and billing, can activate a new phone and bar it if the phone is stolen, and can give them accurate and timely bills,” he says.

Continuity Forum Comment 

Recent events have added impetus and focus to the management issues surrounding BCM and we are already seeing a reaction similar to that following 9/11 where organisations rushed to show that they were active and positive towards Business Continuity Management and Security. However, this knee-jerk reaction to events needs to be considered against a broader backdrop of resistance and partial planning. 

The tendency to improve the 'easy' side of BCM planning, the one with a host of suppliers (IT), must be balanced by the other side. We have spoken with probably more people and organisations than any other in the sector and the consistent theme is that there are STILL significant issues in getting organisations to develop broad enough plans.

Artificial parameters are being set on the BIA phase of the planning, limiting the scope and effectiveness of the process, and often huge omissions are left unaddressed by both Public and Private Sector organisations. The issues outlined above are great to plan for and resolve, but they represent only a proportion of the planning needed. What about your people? Do they know what to do? What about the Supply Chain and key partners? Has a critical dependency been left unresolved? Has effective liaison with Emergency Services, Local Authorities and the Insurance companies been undertaken? When was the last Rehearsal or full BCM plan review?

Remember, Business Continuity Management is an ongoing process and needs regular review and update, it should cover all critical processes, not just IT ones and connect with the people working within the organisation. 

Our Benchmarking study shows that even amongst the best of breed adopters of BCM there are areas consistently left out and according to Murphy’s law you can bet that is where disaster will strike - life tends to be like that! On speaking with one Public Authority recently we were told that they were confident of being fully compliant with the Civil Contingencies Act, due to come into effect in November, yet when we asked about how they had handled some of the key local services, such as Care for the elderly and those in schools etc, we were told that they had 'concentrated only on the Authority's Buildings'.

It came as a shock to them to find out that the scope of the Act goes far beyond a bit of Facilities Management, but it was a greater shock to us to hear that after 2 years (of notice) people had still failed to actually understand the importance and scope of Business Continuity Management to the Organisation. 

By the way, the only IT system that was within the plan was that dealing with Council Tax! Business Continuity Management is a tremendously powerful and effective process, but there does need to be an honest and COMPLETE assessment of the organisation's responsibilities and needs for it to be truly effective.

We are working hard to address these issues and progress is being made, but please do realise that it is the executive's responsibility NOW not to artificially limit the scope of activities involved in the BCM process, but rather develop an integrated, structured understanding of how ALL the processes and resources will be affected during an event and then link them back to the needs and responsibilities of the Stakeholders. Failure to do this will only leave you high and dry when you need Continuity most!

END  


 

