Expect the Unexpected

We have all learnt over the past few months to expect the unexpected.

So many businesses were unprepared to deal with the impact that a virus could have on their employees, customers, suppliers and communities, and yet this should not have been the case. Pandemics have long been a staple of many organisations’ risk registers and, ideally, companies should have had business continuity plans in place to mitigate the risks. However, many it seems did not.

We found that even organisations that had business continuity plans in place had given little thought as to how they would manage the unique implications of a pandemic - how would they continue trading in lockdown and social distancing conditions, organise supply chains, support staff and manage stakeholder communications? Perhaps not surprising as we have not seen a pandemic of this magnitude in our lifetimes, but these conditions are not that far removed from a war or terror attack scenario so this should have been thought through.

Time to Reflect

Now is the perfect time for businesses to reflect on how they managed the challenges, ensure lessons learnt are properly captured and used to inform decision-making for similar situations in future. Businesses should think about what worked well for them and what could be improved upon before they forget what the experience was really like.

During lockdown we found many businesses that were not even able to redirect their phones, and yet this is a simple process that every company should be able to do instantly.

Many companies were forced to post hastily drafted announcements on their websites, some of which are still up today. The returns notice on a well-known sporting goods company website still states returns are made in-store, immediately below which they state stores are closed due to COVID-19 and offer no visible alternative.

Planned communications trumps rushed messages

Clear communication plans for employees, customers, suppliers, regulators and investors should be a key part of your business continuity planning. Having pre-prepared draft announcements for a range of events that can be quickly refined and released if, and when, needed will always be better than rushing them out in the heat of the moment.

Now, more than two months into lockdown, many businesses have re-directed telephones, put solutions in place to enable non-furloughed staff to work from home, and are well-versed in virtual meetings. The danger is that companies think the work is done and they no longer need to focus on business continuity planning.

Resilience

Businesses whose employees are now able to work from home will certainly have better resiliency and be able to cope with snow days, protesters closing roads and other minor disruptions, but they will not necessarily be ready for disasters which take down on-premise servers, such as a fire, flood, power failure or simply a fault with the server itself. Resiliency from these types of issues can be achieved by moving your IT systems onto a cloud platform, but even that does not solve all your continuity issues and will not protect you from a cybersecurity event or data breach.

Cybersecurity breaches are inevitable

Pre-lockdown, over 4.5 million cybercrimes each year were being committed in England and Wales alone, with 2 in 5 businesses being affected. Phishing attacks, where fraudulent emails are used to harvest data or dupe people into making bogus payments, accounted for 80% of reported incidents. Many more went unreported.

During lockdown, we saw an exponential rise in cybercrime with cyber criminals specifically targeting home-working employees using their own devices on unsecured home networks and exploiting the fact that employees are no longer surrounded by colleagues to discuss whether the email they received from the CEO at 4.50pm asking for an urgent cash transfer to be made is genuine or not. Only last week Easyjet reported that the data of nine million customers had been hacked.

Good planning is critical

Even the world’s biggest companies with best-in-class firewalls, anti-virus software and staff training are vulnerable to cybersecurity attacks.

Having a business continuity plan to deal with unexpected interruptions is not only sensible, but a fiduciary responsibility. The best defence is early detection and a cyber incidence response plan ready to swing into action to quickly contain the breach and limit the damage it can do. These should be dove-tailed with business continuity and IT disaster recovery plans. If the cybersecurity event resulted in a data breach, the inevitable investigations will begin, along with the process of difficult customer communications. Pre-prepared crisis management plans and communications will go a long way toward achieving the best outcome in difficult circumstances – just ask Easyjet.