Security matters: What would you do if no one turned up?

Listen to this article

00:00
00:00

You get to the office one morning and it’s like the day after a bankruptcy. Desks are empty, PC screens are blank and, strangest of all, not a single telephone is ringing.

That is because the same thing is happening up and down the supply chain and across the customer base.

Hardly anybody is at work. Half the people who ought to be are suffering – probably dying – from a virulent contagion.

Most of the rest are nursing the sick. Some are behind bolted doors at home, too terrified to go out.

Even your right-hand man cannot help you – he’s stuck on a foreign runway in an aircraft that’s been quarantined.

That vision of bankruptcy now starts to look more like an accurate premonition. The reality is surely on its way ...

You might have come across this scenario already, courtesy of Mr FUD, aka Fear, Uncertainty and Doom, the cold-caller making his sales pitch from security-land with his knapsack full of horror-stories, security devices and consultancy agreements.

The difference is that the picture I paint is not the start of a sales pitch. It is based on a document from the UK Cabinet Office offering guidance on planning for a possible bird flu epidemic.

When First – the worldwide Forum of Incident Response and Security Teams – held a recent corporate executive meeting, its members identified global terrorism as the second most serious risk to critical corporate functions.

But the number one danger was reckoned to be avian flu, the potentially fatal virus called H5N1.

Figures from the World Health Organisation show that at the end of May, 218 people have caught H5N1 from direct contact with infected birds, of which 124 have died. The fear is that the virus will mutate and pass from person to person.

Companies are just beginning to recognise the incredible impact a bird flu pandemic and the resulting panic would have on global business activity.

The UK Financial Services Authority is taking the threat so seriously that it is urging companies to devise contingency plans should the disease start to spread among humans.

Those who are listening have already started to take actions such as:

● Giving a senior staff member responsibility for tracking biological threats by signing up to an Early Warning Service and giving them the duty to review and update business continuity plans in the light of new information.

● Identifying who are the fourth and fifth understudies, not just the first and second, for people in key positions.

● Keeping workforces aware of the avian flu threat and what preparations are being made.

● Ensuring that staff can work from home with broadband access and that critical systems can be accessed externally using thin client technology.

● Ensuring that key customers, partners and suppliers have updated their contingency plans to address the threat from avian flu.

A big concern is that most companies’ contingency plans depend on staff working from home, relying on cable and DSL providers for connectivity.

It is not yet clear what the consequences will be if the so-called last mile access to workers’ homes gets clogged quickly and fails under the strain.

Of course, avian flu might never evolve to human-to-human transmission, or if it does, the strain could turn out to be less virulent and non-fatal.

But, by definition, disaster planning requires preparing for the worst.

Given that more than 80 per cent of businesses which suffer a catastrophic event fail to survive more than a few months because they did not prepare, it is clearly not worth betting your company’s survival on it never happening to you.

Ian Cook works for Pentest, an IT security company providing consultancy services to organisations across the UK, Europe and North America. He is also vice-chair of FIRST.org, the not-for-profit specialist in early warning, incident response, secure practices and forensics.

ian.cook@pentest.co.uk

Copyright The Financial Times Limited 2017. All rights reserved. You may share using our article tools. Please don't copy articles from FT.com and redistribute by email or post to the web.