The news channels have been abuzz all weekend with the news of the Swine Flu outbreak in Mexico. There are concerns that this could become more widespread globally and indeed even reach epidemic scales. Without wanting to sound alarmist, I recommend that you review your own business continuity plan to ensure your organisation can continue operations should large numbers of staff contract this virus. However, try to review your BCP with a view to the impact any infectious disease would have on your organisation, rather than focusing specifically on Swine Flu.
A regular issue I see with many disaster recovery plans is that they focus primarily on the unavailability of the IT systems or infrastructure. Very few plans include processes or procedures to deal with the impact of key staff not being available for work.
So take this particular outbreak as an opportunity to proactively review your BCP and make the relevant changes where necessary. I suggest you look at areas such as:
- Sources of information. During an epidemic there will be lots of coverage, most of which will be hype. It is important that you have a reliable source of information so you can react accordingly and inform your own staff of the facts.
- Leading off from the above point, staff will be anxious to check on news reports and updates on the epidemic. This desire to get information will be an ample opportunity for criminals to use the news as a means to get people to click on links or attachments in spam emails or emails containing malware. So ensure you have a way to update your email defences and to block access to suspect websites to protect your users and your network from these criminals.
- Large numbers of staff may become sick and unable to attend work, or indeed may decide to work from home to reduce their risk of infection. Does your plan include how to keep your operation going in a “lights out” scenario?
- You will also need to ensure that your own remote access infrastructure can cope with increased volumes of traffic. Or you may need to ensure that only key staff can avail of remote access when required.
- You should also consider the impact an epidemic could have on your suppliers. Your suppliers may not be able to deliver their products or services to you due to their own staff being ill or indeed perhaps being located in a quarantined area. Do you have alternative suppliers that can step into the breach temporarily? Or can you manage your own production line accordingly?
- What if you cannot deliver your product or services to your customers? Have you ways to contact your customers to provide alternative delivery dates, mechanisms or products? Can you provide services or products from alternative offices?
- Finally, what happens when the crisis is over and everybody returns to work? Can your systems cope with the sudden rise in demand as everyone logs onto their emails for the first time in a number of days?
As infosec professionals, our job is not to hope for the worst to happen, but to ensure that we have planned for it.