We specialize in chaos.
In fact, we create chaos by developing simulated crisis exercises that test and validate crisis teams at all levels of an organization. In this blog I’m going to discuss three crisis scenarios that we have found to be of serious concern to organizations in various sectors.
There are three kinds of chaos-creating scenarios we’ve identified as being of very grave concern to organizations of all sizes in various sectors. Each scenario raises a crucial question for every organization to ask of itself.
1. The Insider
Chaos brought to an organization by an insider, that is, someone who’s already part of an organization, is one of the biggest concerns according to most CSOs (Company Security Officers).
As we see it, there are two types of insiders. The first is the “spy” whose agenda is often influenced by greed, or who is susceptible to some form of blackmail. The impact from the loss of trade secrets due to this type of insider is often hard to assess when initially discovered. Reputation can be severely impacted if the breach is significant in scale and relevance. It may take several years to assess the real impact of such a loss. Lack of sufficient management oversight and lack of awareness are two common gaps that make it difficult to predict an event of this magnitude in advance.
The second type of insider is the one who perpetrates lethal violence in the workplace or carries out some other form of criminal act that endangers life and impacts reputation. The most common kind of insider in this category, especially in the United States, is the active shooter. This kind of insider is often dissatisfied and often has a form of mental health issue that has gone unnoticed. This kind of crisis, too, is hard to detect in advance, as most active shooters work alone, which reduces their chances of being caught in the planning stages of an attack. Obviously, an active shooter, or any kind of disgruntled employee who wants to harm people or assets, can have a major impact on an organization that is ill-prepared to manage such a tragedy.
QUESTION: How do you prepare for insider threats?
2. Natural Disasters
Due to their unpredictability, natural disasters still rank high on the list of scenarios that could have a major impact on an organization’s ability to function, and even on its reputation if it is discovered that it was ill-prepared to respond and recover. Business continuity and disaster recovery remain growth industries. Ranked by insured losses, the costliest natural catastrophe in 2018 was the Camp Fire in California that caused $12.5 billion in insured losses.
QUESTION: Does your organization have a continuity plan and is it validated regularly?
3. Cyber-Security (External Threats)
Neiman Marcus, Target and eBay (to name a few) are US-based organizations that have been impacted by cyber-attacks. There are many more, and not just in the US. Cyber security-related scenarios are often complex due to the nature of an organization’s IT infrastructure and the make-up and number of departments that are responsible for the various aspects of cyber preparedness. One of the most prominent challenges with regard to this scenario is ensuring the swift formation and organization of the incident response team, combined with the other critical role players from the organization. Time is of the essence, and situational awareness amongst all stakeholders is a critical component of the management of and recovery from such events. Practicing the “what ifs” is essential.
QUESTION: Have you ever conducted a corporate-wide cyber-security exercise? What did you learn?
So, when scenario planning, it is imperative that we understand what our risks are, so that we have a clearer picture of the challenges and potential impact. A good tool for analyzing risk is the TVRA (Threat Vulnerability Risk Assessment). A TVRA will identify threats and vulnerabilities to assets. The TVRA process should also provide a ranked list of scenarios that are most prevalent to your institution and its ability to operate. Once we identify the risks (scenarios), we can start the process of conducting exercises that realistically simulate those scenarios to better understand how we would handle those specific situations.