How resilient is your business?

Written by: Dave Waller Posted: 16/08/2018

BL57_resilienceFrom extreme weather, terror attacks and fire, to cyber attacks, hacking and human error, businesses are having to prepare, more than ever, for the unknown 

It’s amazing how fast reality can be ripped open. Just ask the people of the British Virgin Islands. Up to 6 September last year, tourists were flocking to the island paradise, drinking rum punch, chartering yachts and generally having a blissful time.

Then Hurricane Irma swept in. Winds raged to an average of 185mph, gusting to 215mph, smashing glass, tearing off roofs, even stripping the bark from the trees – leaving the island like a post-nuclear wasteland. Eighty-five per cent of the islands’ buildings were severely damaged or destroyed. 

The BVIs are, of course, not just a quiet island enclave, but an international finance centre. When you’re trying to punch numbers in the wake of the most powerful Atlantic winds ever to make land, the idea of ‘business as usual’ is quickly blown out of the window.

Stephen Alexander is a Partner at Mourant Ozannes, one of many Channel Islands-based companies with offices in the BVIs. He recalls people’s disbelief at the destruction. “It was catastrophic,” he says. “The damage was to the tune of $3.47bn. The risks posed to our firm were multiple – our office space, the local infrastructure and the risk to human life.” 

Alexander is based in Jersey, but prior to that, in 2008, he was working in the Cayman Islands, and saw there how the area was still recovering from the storms that had flattened and flooded it four years previously. “Many firms went out of business in Cayman in 2004,” he says. “And I suspect many will now in the BVIs.”

Hurricanes may not be a tangible day-to-day threat for most businesses, but the nature of increasingly global and connected businesses means there’s no shortage of other dangers. Some of those risks are physical – while only certain operations will be prone to extreme weather events, others may suffer terror attacks, fire or flood. Others are more hidden.

Take the cyber threat – nation states, professional hackers, your own team and your supply chain could all wind up causing you devastating problems you can’t even see.  

As Chief Digital Officer at Sure International, the Channel Islands’ telecoms provider, Justin Bellinger sees those cyber threats up close. The biggest culprits are directed denial of service (DDoS) attacks, he says, where nefarious elements direct impossible volumes of traffic towards a site to disable its servers – which could be crippling for an e-commerce business. 

Others face more subtle attacks. “We see phishing attempts all day, every day,” he says. “People targeting individuals to get them to click on a link – or leaving a malware-infected USB key in reception. 

“It’s terrifying, especially when you look at what being compromised means. The best case is your machine is harnessed as part of a botnet to attack someone else. At worst, your machine is locked and you have to pay someone in bitcoin to decrypt it.”

We’re in danger of stoking the towering pyre of fear here, but the risks don’t end there; they just get more abstract. Financial services companies now face greater regulatory risk – the danger of failing to comply to the ever-growing web of red tape covering everything from the financing of terror to data breaches. 

Under the new GDPR rules, for example, a data leak can trigger a fine of up to four per cent of a firm’s global turnover or €20 million, whichever is highest. “In the Sony Playstation breach of 2012, the company was fined $250,000,” says Bellinger. “If that had happened after GDPR, that may have been over $1bn.”

And if these threats weren’t bad enough already, each carries a knock-on risk – of clients losing confidence in the victim’s ability to handle their affairs. In the best-case scenario, that means dusting yourself down and learning a tough lesson. In the worst, it’s the end of your business.

“The impact on reputation can be the most severe, and it’s long-term,” says Malin Nilsson, Managing Director of Duff & Phelps’ regulatory consulting team in Jersey.

“Even if you can turn a problem around, your reputation could be so tarnished that clients and staff start looking elsewhere. Mossack Fonseca’s footprint declined right after the Panama Papers in 2016, lots of staff left, and the company eventually closed down. They paid the ultimate price.”

Such stories help explain why, when faced with an increasingly complicated and connected world, businesses are realising they need to do all they can to mitigate risk. That means putting in measures to prevent the worst happening – as well as establishing plans for what happens if it does. 

Protect yourself

Basic preventative measures include creating firewalls and other forms of internet security – or diversifying your locations and services, so that a problem in one area doesn’t affect others. One of the most important steps is to train staff, so they’re aware of potential threats and know to spot and report them. 

Bellinger believes there’s a reason phishing attacks are such an effective threat. “People are the weakest link,” he says. Passwords must be properly considered and sophisticated enough to deter hackers, desks should be kept clear, and valuable data shouldn’t be left unprotected on desktops, USB sticks or in good old briefcases. 

There are broader measures too, including signing up to global standards, such as ISO 27001, which covers the protection of data – everything from physical protection of servers, such as barbed-wire fences, to back-ups and recovery plans. 

It’s proving increasingly appealing to clients – ISO 27001 gives them the assurance that a given provider has considered the finer details of data protection. And it means the accrediting body has already asked the company 50 pages of questions about its security, so it means they don’t have to. 

But response is just as important as preparation. Perhaps even more so. The critical consideration for any business is that, even if something unthinkable did happen, the service to clients continues almost as if nothing had happened. 

This could include running back-up servers in another jurisdiction, having a back-up broadband provision, or storing your data with a third-party provider. If you’re victim of a hack, you may want to remove your infrastructure entirely from the internet, in order to get some containment; or you may want to stay connected in order to monitor the attack and gather evidence of it happening. 

Human element

But just as important as the facilities is, again, the human element. Plans have to be documented, reviewed and shared so that people know exactly how to behave. Who deals with media enquiries, for example? If something bad has happened, they’re bound to come asking questions. 

If you don’t get this straight, you may quickly find things slipping even further beyond your control. 

“We’re not geared up to deal with the stress of a hack or our business going down,” says Bellinger. “It’s basic human psychology. When we’re threatened, we go into panic mode, our fight-or-flight kicks in and our focus turns to a distance of 30 yards – spear-chucking distance. That’s entirely natural, so it’s critically important that we have all response procedures documented and tested so that we can respond.” 

The question is whether businesses are up-to-speed on all this. Teijo Peltoniemi is Head of Digital at KPMG in the Channel Islands, and in that role he regularly services both global and local clients in his speciality of cybersecurity and privacy. He believes that, in an age where firms are increasingly reliant on IT systems and the internet, companies have yet to grasp the seriousness of cyber threats. 

“Firms tend to have plans in place for operational risk, but don’t think of information security as part of that,” he says. “They need to raise the information security risk to board level. By considering it a business risk, not just an IT risk, they’d make it a more inherent part of their risk management.” 

Malin Nilsson echoes these concerns regarding the average company’s readiness to face the media. Companies could, of course, drive themselves mad trying to mitigate every possible risk. Bellinger cites one business that wouldn’t base its disaster recovery in the Channel Islands in case there was a catastrophic failure in the nuclear infrastructure in France. 

But while it would be naive to think a company can – or should – plan for every eventuality, companies simply can’t afford to bury their head in the sand and assume the unthinkable won’t happen to them. 

Nilsson sums up the issue succinctly. “Prevention is better than cure,” she says. “And it’ll cost a lot less.” 

Add a Comment

  • *
  • *
  • *
  • *
  • Submit
VG - Time to change

It's easy to stay current with

Just sign up for our email updates!

Yes please! No thanks!