How resilient is your business?

Written by: Dave Waller Posted: 16/08/2018

From extreme weather, terror attacks and fire, to cyber attacks, hacking and human error, businesses are having to prepare, more than ever, for the unknown.

It’s amazing how fast reality can be ripped open. Just ask the people of the British Virgin Islands. Up to 6 September last year, tourists were flocking to the island paradise, drinking rum punch, chartering yachts and generally having a blissful time.

Then Hurricane Irma swept in. Winds raged to an average of 185mph, gusting to 215mph, smashing glass, tearing off roofs, even stripping the bark from the trees – leaving the island like a post-nuclear wasteland. Eighty-five per cent of the islands’ buildings were severely damaged or destroyed. 

The BVIs are, of course, not just a quiet island enclave, but an international finance centre. When you’re trying to punch numbers in the wake of the most powerful Atlantic winds ever to make land, the idea of ‘business as usual’ is quickly blown out of the window.

Stephen Alexander is a Partner at Mourant Ozannes, one of many Channel Islands-based companies with offices in the BVIs. He recalls people’s disbelief at the destruction. “It was catastrophic,” he says. “The damage was to the tune of $3.47bn. The risks posed to our firm were multiple – our office space, the local infrastructure and the risk to human life.” 

Alexander is based in Jersey, but prior to that, in 2008, he was working in the Cayman Islands, and saw there how the area was still recovering from the storms that had flattened and flooded it four years previously. “Many firms went out of business in Cayman in 2004,” he says. “And I suspect many will now in the BVIs.”

Hurricanes may not be a tangible day-to-day threat for most businesses, but the nature of increasingly global and connected businesses means there’s no shortage of other dangers. Some of those risks are physical – while only certain operations will be prone to extreme weather events, others may suffer terror attacks, fire or flood. Others are more hidden.

Take the cyber threat – nation states, professional hackers, your own team and your supply chain could all wind up causing you devastating problems you can’t even see.  

As Chief Digital Officer at Sure International, the Channel Islands’ telecoms provider, Justin Bellinger sees those cyber threats up close. The biggest culprits are distributed denial of service (DDoS) attacks, he says, where nefarious elements direct overwhelming volumes of traffic at a site to knock its servers offline – which could be crippling for an e-commerce business.

Others face more subtle attacks. “We see phishing attempts all day, every day,” he says. “People targeting individuals to get them to click on a link – or leaving a malware-infected USB key in reception. 

“It’s terrifying, especially when you look at what being compromised means. The best case is your machine is harnessed as part of a botnet to attack someone else. At worst, your machine is locked and you have to pay someone in bitcoin to decrypt it.”

We’re in danger of stoking the towering pyre of fear here, but the risks don’t end there; they just get more abstract. Financial services companies now face greater regulatory risk – the danger of failing to comply with the ever-growing web of red tape covering everything from the financing of terror to data breaches.

Under the new GDPR rules, for example, a data leak can trigger a fine of up to four per cent of a firm’s global turnover or €20 million, whichever is higher. “In the Sony Playstation breach of 2012, the company was fined $250,000,” says Bellinger. “If that had happened after GDPR, that may have been over $1bn.”

And if these threats weren’t bad enough already, each carries a knock-on risk – of clients losing confidence in the victim’s ability to handle their affairs. In the best-case scenario, that means dusting yourself down and learning a tough lesson. In the worst, it’s the end of your business.

“The impact on reputation can be the most severe, and it’s long-term,” says Malin Nilsson, Managing Director of Duff & Phelps’ regulatory consulting team in Jersey.

“Even if you can turn a problem around, your reputation could be so tarnished that clients and staff start looking elsewhere. Mossack Fonseca’s footprint declined right after the Panama Papers in 2016, lots of staff left, and the company eventually closed down. They paid the ultimate price.”

Such stories help explain why, when faced with an increasingly complicated and connected world, businesses are realising they need to do all they can to mitigate risk. That means putting in measures to prevent the worst happening – as well as establishing plans for what happens if it does. 

Protect yourself

Basic preventative measures include creating firewalls and other forms of internet security – or diversifying your locations and services, so that a problem in one area doesn’t affect others. One of the most important steps is to train staff, so they’re aware of potential threats and know how to spot and report them.

Bellinger believes there’s a reason phishing attacks are such an effective threat. “People are the weakest link,” he says. Passwords must be properly considered and sophisticated enough to deter hackers, desks should be kept clear, and valuable data shouldn’t be left unprotected on desktops, USB sticks or in good old briefcases. 

There are broader measures too, including signing up to global standards, such as ISO 27001, which covers the protection of data – everything from physical protection of servers, such as barbed-wire fences, to back-ups and recovery plans. 

It’s proving increasingly appealing to clients – ISO 27001 gives them the assurance that a given provider has considered the finer details of data protection. And because the accrediting body has already asked the company 50 pages of questions about its security, the clients don’t have to.

But response is just as important as preparation. Perhaps even more so. The critical consideration for any business is that, even if something unthinkable did happen, the service to clients continues almost as if nothing had happened. 

This could include running back-up servers in another jurisdiction, having a back-up broadband provision, or storing your data with a third-party provider. If you’re the victim of a hack, you may want to remove your infrastructure entirely from the internet, in order to get some containment; or you may want to stay connected in order to monitor the attack and gather evidence of it happening.

Human element

But just as important as the facilities is, again, the human element. Plans have to be documented, reviewed and shared so that people know exactly how to behave. Who deals with media enquiries, for example? If something bad has happened, they’re bound to come asking questions. 

If you don’t get this straight, you may quickly find things slipping even further beyond your control. 

“We’re not geared up to deal with the stress of a hack or our business going down,” says Bellinger. “It’s basic human psychology. When we’re threatened, we go into panic mode, our fight-or-flight kicks in and our focus turns to a distance of 30 yards – spear-chucking distance. That’s entirely natural, so it’s critically important that we have all response procedures documented and tested so that we can respond.” 

The question is whether businesses are up to speed on all this. Teijo Peltoniemi is Head of Digital at KPMG in the Channel Islands, and in that role he regularly serves both global and local clients in his speciality of cybersecurity and privacy. He believes that, in an age where firms are increasingly reliant on IT systems and the internet, companies have yet to grasp the seriousness of cyber threats.

“Firms tend to have plans in place for operational risk, but don’t think of information security as part of that,” he says. “They need to raise the information security risk to board level. By considering it a business risk, not just an IT risk, they’d make it a more inherent part of their risk management.” 

Malin Nilsson echoes these concerns regarding the average company’s readiness to face the media. Companies could, of course, drive themselves mad trying to mitigate every possible risk. Bellinger cites one business that wouldn’t base its disaster recovery in the Channel Islands in case there was a catastrophic failure in the nuclear infrastructure in France. 

But while it would be naive to think a company can – or should – plan for every eventuality, companies simply can’t afford to bury their head in the sand and assume the unthinkable won’t happen to them. 

Nilsson sums up the issue succinctly. “Prevention is better than cure,” she says. “And it’ll cost a lot less.” 
