Summary document for DRIE Atlantic presentation held on May 19, 2021 on the topic of Business Continuity Emerging Trends – Absorbing & Adapting In A Changing Environment.
Speaker: Marie Lavoie Dufort
Host: Emad Aziz
Business Continuity Emerging Trends - DRIE Atlantic - Summary
1. Atlantic BCAW 2021, Webinar Summary Sheet
Join DRIE Atlantic! To register, please email drieatlc@gmail.com or like us on Facebook @drieatlc and LinkedIn linkedin.com/DRIEATLC
Business Continuity Emerging Trends
Absorbing & Adapting in a Changing Environment
The information presented in the webinar is inspired by:
Industry white papers
News and published articles
Feedback and anecdotal evidence from industry professionals
COVID-19 Global Pandemic Observations
Grey Swan – Unlike “black swan” events (those that are hard to predict and have very high impacts), the
pandemic is now thought to be a “grey swan”: an event that was possible and known, had potentially
extremely significant impacts, but was considered unlikely to happen.
Risk not top of mind – The Business Continuity Institute (BCI) Horizon Scan Report from 2020 stated that
non-occupational disease ranked 2nd from bottom of the list of future concerns for Resilience professionals. In
2019, PricewaterhouseCoopers (PwC) published its global crisis survey stating that 95% of respondents
believed a crisis was imminent in the next two years, but that list of crises did not include pandemics.
Plan or no plan? – Organizations that had a tested pandemic plan (a documented strategy for how an
organization plans to provide essential services when there is a widespread outbreak of an infectious disease)
were able to respond more quickly and competently. Most plans created prior to the pandemic likely did not
factor in global impact (i.e. supply chain issues, market impacts), lockdowns and quarantines, and the fact that
the return to normal would be prolonged.
Communication overload – COVID-19 revealed many flaws in crisis communication processes within
companies. Organizations and individuals were inundated with frequently changing fact-based information on
the pandemic from official and unofficial sources. It was not uncommon for organizations to create their own
criteria and dashboards to determine if operations should close or reopen. Organizations with the capacity to
do so relied on their own monitoring capabilities to detect trends and provide counsel to senior management.
Home sweet home – COVID-19 forced companies to rapidly shift to work-from-home and other remote
working strategies, something that was not culturally or widely accepted before. There were several logistical
challenges including:
a. Many had never tested their capabilities on a mass-scale or extended duration.
b. Processes and communicating with internal/external stakeholders were not pre-planned.
c. Technology teams rushed to rapidly deploy solutions (e.g. laptops) to support remote work, stressing
supply chains.
The BCM profession was sidelined at the onset of the pandemic but is now receiving increased attention
and support – COVID-19 was officially declared a pandemic on March 11, 2020. However, by the end of
January 2020, only 49.2% of Business Continuity professionals had been engaged in their organization’s
response, primarily because management teams were dealing with the strategic elements of the response
before they engaged operational teams.
Lesson 1: Pandemic Resiliency Recommendations
Analyze
Time sensitive vs. essential: Map your time sensitive, critical and essential business activities and understand
the dependencies that support you in the delivery of those services. The map should “link” dependencies to
show how a single disruption can snowball into other business activities.
Exercise:
Assumptions: Don’t just test the plan, but also test the assumptions going into the plan. What if a critical
resource is unavailable? Or is competed for by another business unit?
Rehearse: Organizations who had recently rehearsed a pandemic plan were most prepared for COVID-19.
Regular real-life tests and simulations are the only way to ensure your organization is ready.
Crisis communication: Put a crisis communications team in place and exercise them regularly. Communication
with all stakeholders (internal and external) is a key success metric.
Plan
Focus on impact-based planning, i.e., planning should not be too focused on specific risks, rather the plan must
be adapted to cope with the unexpected (including incidents that take longer to fully materialize).
Update your planning documents: The Business Impact Assessment (BIA) and Business Continuity Planning
(BCP) will require a review as the dependencies you relied upon may have changed (e.g. primary sites are
unavailable and most employees are already working from home). Additionally, most BCPs will require a review
of standing down procedures or return to “new normal”.
Alternate sites: Consider how you will respond to future disruptions affecting your employees and alternate
workplaces. Do you understand who is dependent on primary or secondary work sites to work and why? What
happens if regional employees are affected by a telecommunications or power outage, how will you shift work
then? How will you exercise alternate working capabilities in a remote work scenario? How will you exercise
with other suppliers or agencies?
Leadership engagement: Make the most use of senior leadership attention while you have it. The pandemic has
raised the profile of Business Continuity and organizational Resilience disciplines and demonstrated the valuable
role of Business Continuity within organizations. When strategic decisions needed to be made at the onset of
the pandemic, did your senior leadership understand the connection between business continuity and a crisis?
Were they aware of whether their organization has an effective pandemic plan? Involve leadership early and emphasize
that what is most critical to the enterprise will be a driving factor for business continuity at the table.
Cyber Security Observations
Cyber criminals exploiting the pandemic – Cyber attacks modernized and intensified with examples of virus-
themed sales of malware, a dramatic increase in the creation of malicious COVID-19 related sites and an
increase in phishing scams.
Lack of incident response plans – Organizations that went into response mode (not necessarily informed by
tested/validated capabilities) during the pandemic afforded hackers the ability to exploit vulnerabilities. For
example, home offices are not as protected as the fortified office sites that have more secure firewalls, routers,
and access management run by their cyber security teams.
Fast tracking Digital Solutions – To continue servicing internal and external stakeholders in the “new normal”,
companies have had to innovate very quickly. A new survey from McKinsey finds that responses to COVID-19
have sped up the adoption of digital technologies by up to seven years. However, threat actors also changed
their tactics and took advantage of this period of change to attack across all sectors.
Ransomware is the cyber weapon of choice – The popularity of cryptocurrency has made ransomware a
lucrative choice for hackers.
Big game hunting – Critical infrastructure, government services such as health and labor, and large organizations
are increasingly being targeted by cyber attacks. These attacks have evolved in sophistication because they are
being perpetrated not only by the criminal element, but also by nation-state actors and for-profit hackers
peddling their tools on the dark web. Now you don’t need technical expertise to launch cyber attacks; you can
simply “hire a hacker” and split the profits.
Lesson 2: Cyber Security Recommendations
Data classification & privacy controls – You need to understand what different types of data exist within your
organization. Top 3 questions to ask are:
1. Who can access this data?
2. How is the access recorded?
3. Is the data shareable with others?
Targets, Tactics and Techniques are frequently changing – Hackers and malicious software are finding new ways
to compromise systems, so we must implement strong mitigation strategies to counteract this. Short and
long-term wins include:
1. Investing in continuous monitoring of systems, especially those that allow access into the corporate
network.
2. Subscribing to cyber security reports.
3. Following best practices.
4. Performing frequent software updates.
5. Training your front line - Employees should receive up-to-date and relevant training on vulnerabilities when
working remotely to ensure they and the data they work with are protected from unauthorized use and
access.
Updated cyber incident response plans – Recent events have shown us that the lines between private and
work life are blending, and plans need to reflect this. For example, do you have a procedure for responding to
“out of office” breaches? The key points in the plan should include:
1. Should your cyber security team have the authority to access personal devices for forensic investigations?
2. What is the role of law enforcement in your plan?
3. What are the expectations for employee(s) whose personal assets were used in a cyber attack?
4. How are employees supported pre/during/post incident?
5. How should employees direct media-related inquiries?
6. Are employees legally liable or at risk of losing their jobs for vulnerabilities within their home network or
personal devices?
7. What is the escalation protocol to notify stakeholders?
Supply Chain Observations
Financial regulators leading the way – Regulators in the UK are leading the way in operational resilience by
mandating that financial institutions who use vendors in the delivery of important business services should work
effectively with those vendors to set and remain within impact tolerances.
• Companies now must identify important business services including those that have the greatest
detrimental impacts to customers and market integrity.
• Vendors cannot have a one-size-fits-all approach. They will have to adapt their services to individual
customer requirements and tolerances.
Global Logistical Delays – Globalization has created a complex web of dependencies affecting upstream and
downstream delivery of goods and services. It has become increasingly obvious that many organizations can
only identify their critical suppliers and lack the visibility and the tools to quickly identify, track and manage
suppliers below the first level.
Suez Canal Tanker Blockage – When the Ever Given, a 220,000-ton ship, became lodged in the Suez Canal, it
took only 24 hours for impacts to start rippling through the global supply chain and expose its fragility. By the
time the ship was freed, an estimated 350 tankers were stuck on either side of the canal and delays averaging
five to six weeks had become common. North American industries like home supply stores, medical equipment
suppliers and grocery stores were impacted.
Lesson 3: Supply Chain Recommendations
Cross-functional team assessment – Develop a risk-based assessment process to identify applicable risks that
could impact your supplier arrangements. You also need to understand the risk these arrangements pose (i.e.
concentration risk, reliance risk, business continuity risk). As part of the assessments, build relationships with
your suppliers and always strive to assess their business continuity, disaster recovery and third-party
management practices to ensure they meet your requirements.
Contingency plans – Be proactive and create contingency plans that can support you in the event of an
unforeseen supplier incident, starting with the suppliers that have the greatest potential to impact your ability
to operate.
Break down the silos – Business Continuity, Procurement, Risk and Technology should collaborate throughout
the contract lifecycle. All groups understand different aspects of the risk and complexities of a supplier
arrangement.
Actively monitor – Making technology investments today allows companies to better manage supply chain risk –
giving them greater access to timely data, and transparency into their entire supplier network. If you cannot
invest in technology, a more agile approach is to create a cross-functional team that convenes during
incidents or on a pre-defined basis to monitor the supplier environment.