PEAR: Protecting every asset in responding to an incident
So far in this series we have looked at the importance of looking after People and Environment in a time of crisis, so the attention now turns to the third word of the PEAR acronym: Asset.
Is your physical asset – be it a building, oil rig, aircraft or other – safe? Are people or the environment at risk due to the status of your asset? Are workers already off the asset, or do they need to leave as quickly as possible? How are you doing that? Are there plans in place for how staff should react to, for example, protestors causing a commotion in reception? Does your security team know what to do?
While people may not be at risk from the initial incident, the status of your asset could be putting them in danger. If there are no concerns for the structural integrity of the asset, say so. Similarly, if there are concerns, say so. Be transparent. Don’t hide behind the fear of people finding out something you don’t want them to.
The temptation in a time of crisis is to keep shtum, but in all likelihood whatever you’re trying to suppress is information that will reach the public domain at some point. At least if you are talking about it first, you are in a stronger position when it comes to controlling the narrative. You are filling that vacuum that I mentioned previously.
While many will already have a handle on the physical assets, they can be intangible too – particularly with the ever-evolving tactics cyberattackers are using to access our data on a personal and professional level.
An increasing number of clients have turned their attention to exercising cyber-based scenarios, and it is an area of emergency response that more and more organisations are sitting up and taking notice of. And the statistics show why, with a report from the UK Department for Science, Innovation and Technology issued last month finding half of businesses and around a third of charities in the country reported experiencing some form of cyber security breach or attack in the previous 12 months.
The same research – the Cyber Security Breaches Survey – found the stats were even higher for businesses of a medium or large size, with 70% and 74% respectively having had to deal with an incident.
While businesses will incur costs ranging from lost time when staff were unable to work to the cost of upgrading their IT security and even paying hackers, the reputational repercussions and long-term impact should be at the top of any document concerned with how to deal with a crisis.
It’s been said before, and I’m happy to copy and paste it: how you respond to a crisis can define how you and your organisation are perceived for a significant period of time.
Indeed, it could be argued that your audience for a cyber incident is more wide-ranging than that of one involving a physical asset. For example, among the elements at risk are:
- Private details of employees, contractors and third-party members of staff
- Confidential information relating to your business and its practices
- Customer information
- Relationships with suppliers and vendors
Each stakeholder needs to feel that companies have the situation under control and their data is not at risk, regardless of its sensitivity. You need to communicate how safe your – and their – assets are, regardless of whether the incident involves the tangible or not.
That said, there are occasions where it’s too late to do anything about the incident itself, and it’s about the aftermath and lessons learned, and how different sectors can help each other.
The British Library was the subject of a cyberattack last autumn, which resulted in just under half-a-million individual documents being obtained, with analysis of what was taken still ongoing. The Library recently released a paper looking at the incident and how it responded, in the hope that other organisations can learn from their misfortune.
While there are, as you would expect, library-specific elements, it is interesting to see the lessons they have learned that could have an impact across institutions, regardless of the industry they are in.
One recommendation that stood out was their suggestion to “retain on-call external security expertise: Having a specialist external security advisor on retainer allows for additional resilience, improved speed of response, and depth of analysis in the earliest stages of an incident”.
While many organisations have media, HR and other experts on call to deal with incidents such as those involving people and the environment, is this an area some companies could be stronger in? The statistics would suggest so.
The transparency shown by the British Library is something to be commended, and something many could learn from. For example, there have been numerous weather-related incidents in recent years, particularly in the North Sea, which can be one of the harshest places to work.
Those of us onshore only have a picture in our heads of what it is really like out there, and while there are viral videos that do the rounds every so often showing platforms and vessels being battered by wind and waves, more companies are providing an insight into what it’s like.
This video from Equinor explains how their Hywind Tampen windfarm copes in inclement weather, while I’ve written previously of TotalEnergies’s decision to release video footage which showed two workers trying to secure a helicopter to the Elgin Platform as it was hit by Storm Otto.
A windfarm that automatically stops in strong winds, and a video showing two workers “who could have died” as they tried to protect their asset: two examples of major companies demonstrating the importance of protecting their physical assets.
While in the past it would only have been tangible assets bosses would have to worry about, the rise of hacktivism – the act of breaking into a computer for politically or socially motivated purposes – has meant the need for organisations to review all potential weaknesses in their operations is critical.
What would you do in the event of an incident affecting your assets? Perhaps more importantly, what would your people do? It’s all very well that the handful of people who have written the plan know how to respond, but it’s imperative that those who would be involved in the response are aware of procedures.
Their actions could have a critical impact on the big one – Reputation.