“The hack at Hollywood Presbyterian forced doctors to use pen and paper in an age of computerization. News reports said its fax lines were jammed because normal e-mail communication was unavailable, and some emergency patients had to be diverted to other hospitals. Investigators said administrators were so alarmed that they may have paid ransom first and called police later” http://www.reuters.com/article/us-california-hospital-cyberattack-idUSKCN0VS05M
In an age where we rightfully spend huge amounts of resources on preventing attacks, organizations seldom examine their ability to deal with the consequences once an attack has taken place.
But the truth is that business continuity shouldn’t rely only on our ability to prevent an attack from happening; it should also be based on how our personnel react to the threat in the first few minutes or even hours.
As upper management plans for these events, they should ask themselves a few questions:
- Did we invest in reaction and not only prevention?
- Are our people prepared for these threats?
- Are we as upper management prepared? Do we know how we are going to react?
Unfortunately, in many cases the answer is no.
I agree with all those who are raising an eyebrow as they read this post, saying that prevention is crucial and that we should be investing in that domain, but let’s put it as it is. You are not going to prevent all the threats from happening, so you had better start working on your contingency planning and understanding of how your organization is preparing for these…
You should start by:
- seeing that your contingency plans are in place
- auditing
- testing all those involved
- practicing together
- war-gaming
I believe in all of these as preparation for events, because through them you can learn how your organization is prepared for predefined events and how your organization “thinks” during a crisis, which in turn affects your decision-making process and in many cases shows you how your organization deals with the unexpected.
So, I suggest that the next time you sit down with people from your organization, examine their reactions to different events and maybe even prepare a war-gaming program, because when the threat materializes, every minute counts towards saving lives, infrastructure and eventually money.