In our latest guest blog, Graham Jordan, IT Partnership Analyst at Gateshead Council and a valuable part of the CyberNorth operational group, shares his thoughts on business continuity, cyber security and grab bags!
It was around 2019 that I attended two events that set me on the path of thinking about business continuity and cyber. The first was one of Sue Ormerod’s IT Directors’ Forum meetings with James Royds and the other was the start of a series of events that MHCLG (the Government department responsible for councils) had organised for national information security experts to talk to council emergency planners and cyber team leaders.
This was my first exposure to the Government’s four key risks for emergency planning that councils and Local Resilience Forums were required to develop plans for:
- Terrorism
- Environmental (floods etc.)
- Pandemic
- Cyber
My key takeaway from emergency planning colleagues was that they plan for consequences, not causes – for example, multiple casualties, whether caused by a bus crash or a train derailment. In cyber terms, this translates to “it doesn’t matter what caused the outage, your systems aren’t available”.
At this time we’d only had a handful of cyber incidents in councils and case studies were thin on the ground; the agenda was led by cyber techies and the language used was still very technical in nature. Business continuity colleagues were often missing from the room if they didn’t also occupy the emergency planning role.
It was clear that some translation was needed for non-technical audiences. That led to further work, including crowdsourcing a cyber business continuity starter guide with CyberNorth as part of Northumbrian Water’s excellent Innovation Festival, presentations for Schools North East and more of our own Enabling Safe Business events.
Unfortunately, since the beginning of 2020 we’ve had some significant cyber incidents in the north east and beyond. However, what has helped massively is the willingness of organisations to share their lessons learned, many of which concern the organisation’s preparedness and response, and the need for IT to be supported by the rest of the organisation yet left to get on with the technical response.
The national conversation has pivoted from being about IT response to organisational resilience. Topics such as ‘do you know what your priority services are’, ‘what are your key systems supporting those’, ‘who are your key people’ and ‘what would you do if system X wasn’t available…’ are now more commonplace in discussions.
One of the most significant national outcomes of this change of focus was launched at the end of last month. Building on lived experience and on Government and NCSC guidance, the Local Government Association has created an online “cyber grab bag”. It’s an organisation-level ‘go to’ reference guide of what to do and (crucially) what not to do in the first days and weeks of a cyber incident, offering guidance organised across seven themes, many of which are not technology-related:
- Healthy teaming
- Coordinating with law enforcement
- Informing and supporting
- Delivering your services
- Safely restoring technology and systems
- Protecting data
- Working with your senior stakeholders
Although the grab bag is aimed at councils, almost everything in it is transferable to other sectors.
What’s in your cyber grab bag? – Have you left it in your office?
Graham Jordan manages the north east’s public sector community of practice for information security – ISNorthEast. Much of his work over recent years has focused on bridging the gap between IS, business continuity and emergency planning.