COVID-19 and operational resilience: Building fail-safes into your company



by Laurie Graham, Director Cyber Intelligence at 6point6 by Laurie Graham, Director Cyber Intelligence, 6point6

Operational Resilience is a key outcome of protecting businesses and their customers. The Bank of England, the PRA and the FCA have worked closely together to make sure the UK financial services landscape can withstand challenges and threats. The consultation period was due to close on the 3rd April 2020, with final regulation due to come into play in the third quarter of 2020, and with an implementation date for the second half of 2021. The key activities are to identify crucial businesses services, set impact tolerances for ‘severe yet plausible scenarios’ and analyse readiness.

However, the ongoing Coronavirus pandemic has caused the Bank of England to extend the consultation deadline to October and highlighted other industries that need to build resiliency like banks. Once the immediate issues are dealt with, though, we believe we need to be accelerating the implementation of the Operational Resilience deliverables and to expand it further than just financial institutions. 

It’s the risk-averse view and readily apparent that we need first class resilience planning as soon as possible. In fact, we need coordinated market-wide resilience planning to be enforced too. We can sensibly learn from fairly recent historic experiences in our operational resilience preparation.

The WannaCry attack and operational resilience

The 2017 WannaCry and NotPetya attacks had a global reach and caused significant impacts across several sectors, including the NHS, shipping and pharmaceuticals. High-profile data breaches, for example those affecting Ticketmaster and Dixons Carphone in 2018, pointed to the increased intent of attackers to gain huge volumes of customer data, and sophisticated attacks against banks in both Mexico and India in 2018 demonstrated that the financial sector is equally at risk. Similarly, the disruption from 2018’s TSB IT upgrade functioned as a crucial reminder that organisations need a greater level of resilience to a broader range of operational threats outside of merely cyber alone.

A risk that threatens operational resilience also threatens financial resilience; the role that managers carry out in controlling operational risk is thus crucial in minimising financial losses and in maintaining the ongoing provision of business services.

Moreover, risk factors impacting business operations have grown exponentially over the last few years, with increases in instances of cybercrime, hacking and digital attacks. These are compounded by many organisations being hampered by legacy IT systems, and exposure to unpredictable events (such as the coronavirus epidemic). How leaders manage these events and business recover and protect clients will determine their ability to maintain trust and reputation. A firm able to show its shareholders, clients and customers that it can maintain core services safely and efficiently through a situation involving operational disruption will glean market advantage and be more sustainable over the long term.

The impact of coronavirus

With the Coronavirus pandemic ongoing, cyber is a bigger threat than ever before. Cyber criminals are likely to take the opportunity to increase distributed denial of service attacks on company’s websites and to send out phishing emails. Call centres will have depleted staff as a result of coronavirus isolation rules, meaning there is an increased risk of account fraud if bad actors take advantage of the chaos. Home-working is also increasing pressure on helpdesk and IT systems, and often users are installing their own software of deferring security patches for their computers, all of which increases the risk for businesses.

Businesses’ impact tolerances will cover issues from natural hazards, physical sabotage, third party failure, data security failure and, of course, cyber attacks. It is cyber that represents the biggest unknown – the others are more easily mitigated. Whilst businesses can be covered by cyber insurance in the short-term, it won’t help with the reputational fallout from not protecting customers. The recovery from that is much harder than any of the others.

The standard response to any regulatory push is to do the minimum required. However, with coronavirus threatening businesses across sectors, market-leading operational resilience is not just a source of competitive advantage, but a necessary for continued business survival in this unstable environment.

This is why it is vital for the Operational Resilience deadlines to be brought forward and applied across other sectors, so that we can ensure businesses are making long-term decisions about operational resilience, and are not just responding to the coronavirus outbreak with stop-gap strategies.


Newsletter

Time is precious, but news has no time. Sign up today to receive daily free updates in your email box from the Data Economy Newsroom.


Building fail-safes in the meantime

Regardless of the deadline for operational resilience, businesses must look to build fail-safes into their organisations wherever possible so as to ensure they can continue to provide crucial online services and technology to their customers — as well as their clients — at this time.

Companies should build robust crisis and incident management, business continuity and disaster recovery plans and ensure that they have been tested.   They should also be in contact with their suppliers, and work out if processes still work with much of the workforce remote- working. Keeping employees informed about phishing attempts is vital to ensure none of them click on unknown or suspicious links, while multi-factor, and network segregation should be implemented to build your defence in depth.

Make sure you do the basics well first,  VPNs, network infrastructure devices and any devices used for remote work should be updated and installed with up to date software patches and security configurations. IT personnel should be stress testing VPN and your services so they can cope with high demand. Additionally, you should categorise your user base into A, B and C users.  “A” user should be your critical staff that needs priority access to maintain the business if the amount of users hits capacity or you have a cyber breach and need to limit access. 

Businesses need to increase monitoring during this period on privileged access accounts by optimising behavioural analytics tools for detecting suspicious activity for anyone handling critical data and alter security monitoring systems to improve monitoring rules for triggering alerts. Organisations also need to increase emergency management capacities by reallocating resources, checking backups and testing failover capabilities. Remaining vigilant will be key at this time of change.

There are many sources of help

Meanwhile, technology companies are in a good position to help organisations mandated to achieve operational resilience to get there as soon as possible. There are many ways companies can find support in ensuring the design and implementation of operational resilience is sustainable and cost-effective for them.

Insights from third-party professionals with expertise in the building blocks of operational resilience can be enlisted to help businesses achieve the resilience they are aiming for. They can use companies’ existing frameworks to assess a company’s operational resilience, maturity and capabilities, establish a mandate for resilience and deliver the operating model.

As well as this, a wealth of technology tools can also be used when looking to improve operational resilience; digital platforms can enable an organisation to scale for and respond better to an emerging situation by operationalising and testing  disaster recovery and business continuity and incident response plans. Cloud service providers offer scalable  ready-made solutions that enable businesses to adjust their business models almost in real-time, and above all, offer greater resilience.

Operational resilience is increasingly key in a fast-paced, technologically evolving landscape, and the outbreak of COVID-19 makes this all the more vital. Businesses need to begin to embed resilience thinking into their strategies and change management frameworks so that they can protect and sustain the core businesses services that are key for clients and customers even during times of change.

Read the latest from the Data Economy Newsroom: