Respond to a Widespread Ransomware Attack with Business Continuity Planning.

The timing of the Cyber Attack which affected many NHS trusts, doctors' surgeries and other organisations across the globe does not appear to have been random.

Reports started to emerge in the U.K. after lunchtime on a Friday, a notoriously difficult time to deal with anything in the workplace!

Many organisations begin to close down for the weekend or at least reduce the services and coverage they offer. The health service is no different: although it operates 24/7, the private organisations in the supply chain who support it may not.

Recovering from a Ransomware Attack

Ransomware is very difficult to deal with once a machine has been infected. Most well-prepared organisations rely on their information backup process, which allows them to securely erase the infected machine and restore as much data as possible, avoiding the need to pay the ransom.

The difference with this attack was its scale, spanning multiple organisations across the globe.

This is where, even with an effective backup facility, the scale of the incident made service disruption unavoidable.
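The backup process described above only helps if the backup copies can be trusted and the restore actually works. The following is an added example, not code from the original post or from Assent Risk Management: it records a SHA-256 manifest of the files being protected, checks a backup copy against that manifest, and restores only the verified files onto a clean target, skipping anything that has been altered since the backup was taken. The function names, directory layout and sample files are all constructed for the illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> list:
    """Return the relative paths whose copy is missing or no longer matches the manifest."""
    problems = []
    for rel, digest in manifest.items():
        p = backup_root / rel
        if not p.is_file() or sha256_of(p) != digest:
            problems.append(rel)
    return problems


def restore_from_backup(backup_root: Path, manifest: dict, target_root: Path) -> tuple:
    """Copy verified files into a clean target; files failing verification are skipped, not restored."""
    restored, skipped = [], []
    for rel, digest in manifest.items():
        src = backup_root / rel
        if src.is_file() and sha256_of(src) == digest:
            dst = target_root / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            restored.append(rel)
        else:
            skipped.append(rel)
    return restored, skipped


def demo() -> dict:
    """Constructed scenario: take a backup, simulate encryption of the live copy, rebuild on a clean target."""
    work = Path(tempfile.mkdtemp())
    live, backup, clean = work / "live", work / "backup", work / "clean"
    live.mkdir()
    # constructed sample data standing in for the files a machine would hold
    (live / "patients.csv").write_text("id,name\n1,sample\n")
    (live / "notes").mkdir()
    (live / "notes" / "ward.txt").write_text("ward notes\n")

    shutil.copytree(live, backup)          # the backup taken before the incident
    manifest = build_manifest(live)        # hashes recorded at backup time

    # simulate ransomware on the live machine: contents overwritten, files renamed
    for p in list(live.rglob("*")):
        if p.is_file():
            p.write_bytes(b"\x00encrypted")
            p.rename(p.with_name(p.name + ".locked"))

    # simulate one backup file having been damaged as well (exercises the skip path)
    (backup / "notes" / "ward.txt").write_text("tampered\n")

    live_problems = verify_backup(live, manifest)
    backup_problems = verify_backup(backup, manifest)
    clean.mkdir()
    restored, skipped = restore_from_backup(backup, manifest, clean)
    result = {
        "live_problems": sorted(live_problems),
        "backup_problems": sorted(backup_problems),
        "restored": sorted(restored),
        "skipped": sorted(skipped),
        # re-verify the restored tree against the manifest entries it was built from
        "restored_matches_manifest": verify_backup(clean, {k: manifest[k] for k in restored}) == [],
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

The manifest is the piece that matters: if it is stored with the backup it can be encrypted along with it, so in practice it belongs on separate, offline or write-once media. The skip list is what a recovery team reports upwards, since it is the measure of how much data the backup process could not bring back.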

While many other organisations were affected, the biggest impact was probably felt by patients in the NHS, who reported delayed operations and appointments on Friday.

Business Continuity Management is Essential?

When an incident causes so much disruption that it has an impact on the organisation’s customers (patients) it’s time to invoke a Business Continuity Plan to minimise those effects.

That’s exactly how Saffron Cordery, director of policy and strategy at NHS Providers, was reassuring listeners on BBC Radio 4’s PM programme.

“Trusts will activate silver command” she said, while also telling listeners that trusts have Business Continuity Plans in place.

In recent years the concept of Business Continuity Management has become embedded in the consciousness of the public sector, and those in the supply chain.

It’s impossible to plan for every possible event, but implementing a Business Continuity Framework, such as ISO 22301, sets the groundwork for people at all levels of your organisation to manage a disruptive event.

Business Continuity at all Levels

The BCI’s Good Practice Guide (GPG) is widely recognised in Business Continuity Management and discusses three important aspects to planning.

Strategic

At Director or Board level, the strategic planning and BIA (Business Impact Analysis) focus on the high-level products or services that the organisation provides and set the expectation for continuity, usually through Policy.

Tactical

At a tactical level the continuity and recovery effort is coordinated and managed. Trained BC staff evaluate which processes are needed to maintain the provision of products and services to the customer, as decided at the strategic level.

Operational

At an operational level, the actions and activities needed to continue or recover those processes are carried out. Here everyone plays their small part in the overall plan.

It is vital, therefore, that Business Continuity is embedded at every level of the organisation and is considered in every decision that is made, even during normal operating conditions.

Just as important to the success of a Business Continuity plan, such as the NHS's, is including and aligning the supply chain: the activities and roles that suppliers provide to enable the organisation to meet its strategic goals must be included in the overall BCM framework.

A good Business Continuity Management Programme is comprehensive and ever-evolving.

Learning Business Continuity Lessons

Finally, after the pain of managing an incident and restoring services, there are always lessons that can be learnt, including:

  • How to prevent that disruptive event occurring in the future.
  • Whether the business impact analysis was accurate.
  • How to improve the quality and access to information required to execute the recovery plan.
  • How to improve the awareness and education of those involved.
  • How effective the recovery plans were for this particular incident.

Our team at Assent Risk Management includes Business Continuity Professionals who have helped organisations conduct business impact analysis, establish recovery plans and implement a full framework to ISO 22301.

Contact us to see how we can help you become more resilient in the face of cyber threats.

More reading

BBC News, NHS trusts will activate silver command:

http://www.bbc.co.uk/news/av/health-39903559/nhs-trusts-will-activate-silver-command