Would effective Information Risk Management have helped businesses cope with BT’s recent major outage?
Risk is everywhere in business. Part of managing risk is being prepared for it becoming a reality. When BT suffered a major broadband outage in October this year, hands up who didn’t have an effective business continuity plan in place and dearly wished they had?
3 October 2011. BT has confirmed that an issue at a major exchange in Birmingham is causing problems for broadband customers across the UK. Customers have reported problems from as far afield as Belfast.
Technical risk or information risk?
Some would pigeonhole this type of incident as a technical risk. But where ‘technology’ is supporting ‘information’, the two risk areas are pretty much joined at the hip. So the BT service (technology) was enabling a business function (exchange of information). The failure of technology had a direct impact on the availability of information (e.g. email or cloud-based services), which I would classify as an information risk.
Realisation of the information risk impacted a business function and in turn impacted the business – in this case loss of revenue through lost productivity or similar (obviously business-specific). I would concede that where technology does not support information (a production facility, perhaps) there is a difference.
Information risk management is misunderstood
Many businesses don’t get ‘information risk’. The board often doesn’t see it in the same light as other business risks, mainly because they think information risk is all about IT and therefore it’s for the IT department to sort out. Once we have had an opportunity to explain what information risk is about, most boards quickly change their mind!
Information security is a national priority
There is a big push from central government to improve the standard of information risk management (or cyber security, using the new ‘sexy’ terminology). A National Cyber Security Strategy is in draft form and waiting for Ministerial approval. The strategy and the accompanying implementation plan are likely to call for business to do more in this area voluntarily, but there are rumours of the ‘stick’ being used if change is not swift enough.
The Office of Cyber Security & Information Assurance (OCSIA, part of the Cabinet Office), BIS and CESG are touring the big blue chips with the aim of convincing the big players to do more by explaining the threat. This has PM approval as Cyber Security is seen as bringing ‘prosperity’ to the UK in a number of different ways.
- Increase in tax revenue to the treasury if IP theft and industrial espionage to UK business is reduced from the estimated £17bn/year.
- Reduced cost to government of delivering public services, if the citizen ‘trusts’ government to deliver services online (as per the Martha Lane-Fox plan) as opposed to face to face.
- UK seen as a good place to operate a cyber-based operation, which brings in investment from outside the UK.
- UK seen as a centre of excellence for Cyber Security enabling UK to export products and services.
In my view, though, effort should also be expended trying to convince the SME market to up its game, as it’s likely the economic recovery will now be powered by SMEs, not Government or the big blue chips. In many cases SMEs are the innovators, and it is these small companies that may be most vulnerable to IP theft or industrial espionage. If the SMEs are to lead us into economic prosperity, it’s the SMEs that need to up their game.
The opportunity for UK Plc.
At the board level, information risks (or technology risks) don’t have many advocates. Consequently, there is little senior-level involvement to manage the associated business risks that are an inevitable consequence of an information-related incident like the recent BT outage.
It’s important to remember that there’s a positive opportunity for any board here too. Get your information risk management strategy right and you’ll not only protect your information; you’ll strengthen your business for the future too.