Some of my fondest childhood memories involve parental proverbs offered with a raised brow and a half-smile. I can still hear my mother: “Son, an ounce of prevention is worth a pound of cure.” When I was a kid, those disarmingly simple and wise words translated into: don’t go out with a wet head, eat your vegetables, or zip up your winter coat.
Today, after having the honor to serve at the U.S. Department of Homeland Security, those words are imbued with a much greater meaning and gravitas. Being prepared must be fundamental to every company’s corporate culture — is your company ready for the next terrorist attack, natural disaster, network breach, pandemic, etc.?
Last week AT&T conducted its largest-ever network disaster recovery exercise at RFK Stadium in Washington, D.C. The exercise is conducted several times per year to test the communications giant’s ability to bounce back from a plethora of emergency situations — from hurricanes to wildfires to terrorist attacks. AT&T has conducted these field tests over fifty times since it established its Network Disaster Recovery program, or NDR. These tests help the company identify which systems have sufficient redundancy and safeguards and which systems need improvement.
Is your company regularly conducting tests and exercises? Are you ready?
According to a recent study conducted by AT&T, the answer to that question is a deafening “no!” The annual study found that even in the post-9/11 environment, one out of five companies had not even implemented a business continuity program. Some 30% of the businesses surveyed do not consider implementing such a plan as a priority. And, nearly half of those businesses that have a business continuity plan fail to regularly test it.
Hey Mom, please pass me some more spinach, I need to bulk up!
Corporate executives who allow their companies to continue operating without a fully implemented and regularly tested business continuity program are playing Russian roulette with their careers and with the safety and well-being of their employees and customers, not to mention their shareholders’ investments.
The foreseeable dangers to a corporation have become countless: cyber attacks, hurricanes, and an influenza pandemic, to name just a few. Yet, the “it won’t happen to us” mentality still plagues America. The reality is that it could happen and will happen and the costs could be catastrophic: lost sales, reputation damage, dilution of stock value, lawsuits, consequential damages, etc.
The only question is whether your business will be ready when the next hazard occurs.
During the same week that AT&T was conducting its network disaster recovery program, Twitter was hacked. Confidential internal documents were stolen, including employee salary information, internal meeting reports and financial projections. This was the third publicly known attack on Twitter this year. Over this past July 4th weekend, a cyber attack took down websites of government agencies and companies in the United States and South Korea. In the early spring of 2009, cyber spies penetrated the US electrical grid, planting programs that could disrupt the system; yet the private companies in charge of the infrastructure were unaware.
In the face of these dangers, the federal government continues to take the initiative. Earlier this month, President Obama designated over $1.8 billion from a recent 2009 war spending bill to plan and prepare for the nation’s response in the case of an influenza pandemic. In May of 2009, President Obama committed his administration to the protection of our information networks and critical infrastructure, vowing to build strong relationships with key groups in both the private and public sector. The government cannot go at it alone.
Under the National Infrastructure Protection Plan (NIPP), the Department of Homeland Security identified 17 critical infrastructure and key resource sectors, including: agriculture and food, defense industrial base, energy, healthcare and public health, banking and finance, water, chemical, commercial facilities, information technology, communications, shipping, and transportation systems. Businesses in these sectors must take robust steps to ensure, regardless of the hazard, the continuity of their business operations. Critical to that effort are regular tests and exercises that stress test mission-critical systems, identify shortcomings and areas for improvement, and assess employee knowledge of what to do when a hazard strikes.
This week at an annual conference for federal judges and court officials, Homeland Security Secretary Janet Napolitano warned of “an increasing cascade” of cyber-terrorism attacks and a renewed flu pandemic that could severely strain government institutions this fall. The private sector is not immune and must heed Secretary Napolitano’s warning.
Though not from mom, Shakespeare’s quote from The Tempest, “what’s past is prologue,” is apropos. Corporate America’s responsibilities have grown exponentially since the horrific Al Qaeda attacks nearly eight years ago, and its leaders must face these new, diverse and complex burdens. It is not too late to test your company’s continuity plan. Before this fall, conduct a pandemic exercise and make sure that all of your employees refresh themselves on your company’s continuity policies and procedures.
Soon the emergency that could never be will be front page news. As FBI Director Robert Mueller often says, it’s not a question of if there will be another attack, it’s when. Hopefully, you will have eaten all your vegetables.
Scott Louis Weber is a partner at the law firm Patton Boggs LLP and is the former Senior Counselor to the Secretary of the U.S. Department of Homeland Security.