I haven’t yet started doing requests, but this week I was asked by my father to write on an incident that occurred in an organisation we are both involved with. The organisation is a “gap year” organisation, which sends school leavers overseas for a year where they learn about another country.
The incident involved one of the gap year students who is presently doing their year in a Latin American country. He happened to be in a nightclub at the same time as the President. Allegedly, after perhaps having a little ‘too much’ to drink, he said to his friends that he was going to shoot the President in the head. Unfortunately for him, one of the Presidential bodyguards overheard this and he was instantly thrown in prison and, although now on bail, is awaiting trial. Even though he had probably had too much to drink, it was a pretty stupid thing to do.
In looking at lessons from this incident, one of the things that occurred to me was this: does our planning take into account people doing stupid things or, even worse, deliberately causing harm to the organisation?
If someone wants to deliberately cause harm to an organisation then the best person to do this is an insider. They have the knowledge of where the organisation is most vulnerable, plus they have easier access to the organisation’s facilities, IT systems or its products than an outsider.
As business continuity people have you considered the following within your plans?
1. In your risk assessment have you considered the worst case of what an insider could do to you, especially given that they have the knowledge to override the controls you have put in place to prevent this from happening?
2. Have you thought through what acts could be caused by stupidity or lack of knowledge? The person may not cause the incident on purpose but, by taking shortcuts or not carrying out the correct procedures, may cause an incident.
3. In writing plans for responding to an incident, have you ever thought that those named in the plans, whether to respond as part of an incident team or to work from a different location, may not behave as you want them to? On the day when you call out the members of your incident team they may make themselves unavailable to be contacted. Have you taken into account the ‘what if’ of staff who were planned to work in another location suddenly going off “sick” in large numbers because they don’t want to work at the alternative location?
4. Have you thought through ‘what if’ one of your members of staff wants to take revenge on their colleagues and managers after they have been sacked or disciplined? I have seen this happening all too often in the USA, where a disgruntled or sacked employee will go back into their workplace and kill or attempt to kill colleagues and their managers. I am sure this happens in other countries as well. I believe many USA firms have procedures in place for this. Do business continuity and security managers in other countries, where this does not happen so often, have plans in place for acts of revenge by disgruntled employees?
I sometimes think that when writing plans we always write them thinking the best of people: that they will do what is asked of them and would never harm the organisation, either through stupidity or by deliberately causing harm. Perhaps we should review our risk assessments and plans to include this “what if”.
“There’s nothing as strange as people,”