Happy New Year, it's time to plan for the worst

In 2015, it will not be enough for information security professionals to guard against the technical threat.

Past months have been tumultuous and tragic from a global news perspective. We have seen terrorist attacks, sieges, floods, heatwaves and fires.

This year, it's time to ask: could my organisation get back on its feet if something on this scale came to our doorstep?

Australia’s second largest internet provider, iiNet, came face-to-face with an unusual challenge earlier in the month. It was forced to shut down servers in its Perth data centre for almost seven hours because it got too hot.

Air temperature in the city peaked at almost 45C, practically crippling iiNet’s air conditioning systems. The outage affected thousands of users across Western Australia, New South Wales, Victoria and South Australia.

What would you do in this situation? Do you have a continuity management plan that explains how to act should disaster strike?

Would you be able to survive without your core services being available for up to seven hours because of extreme weather? What would happen if 80 percent of your workforce became sick because of a pandemic?

There are a variety of large-scale risks - not just the technical risks we are used to dealing with - that we could all face, and we should have plans in place to help us through these tough times.  

One of the many facets of being an information security professional is an obligation to assist your business in continuity planning.

Since the core function of being an infosec professional is to mitigate risk, you’ll need to convince the executive board of the need to start a business continuity management program if you don’t already have one.

A simple risk assessment contextualising these media news items against what they might mean to your business is a good way to start.

The point is, while many of these are unlikely to befall any single business, the impact would be catastrophic if they did.

My tip is to focus on the risk assessment and make sure it is the impact analysis that you put the most effort into. Once you have done this and have executive buy-in, you can then design your continuity strategy, develop plans for how you would deal with each different kind of event and - most importantly - test the plan thoroughly.

Only once you have tested the plan can you be sure that should the worst happen, you can still survive in a way that is sustainable and allows you to recover to a position where you can rebuild your core services and continue to operate.

Key people need to know what to do and how to behave should the worst happen. Involve them in the continuity testing exercises and make sure that the plan is available and socialised to all employees that need it.

The Queensland government‘s “All Hazzards” approach to risk assessment is an excellent place to start and there are many resources that can help you plan for the worst on their website.

Build and test your business continuity plans for 2015 as soon as you can; this will ensure you can survive should the unthinkable happen.

Remember that risk is a combination of threat, likelihood, vulnerability and impact, however, these events are unfortunately becoming more frequent, and hence, the risk rating is trending upwards.

In 2015, be safe, keep your business safe and plan for the worst.