Despite our best efforts to avoid or prevent incidents and avert disasters, they remain a possibility. Being prepared puts us in a better position to survive and thrive, keeping essential business processes and systems running despite the event (continuity and resilience), recovering non-essential ones as soon as practicable afterwards (recovery and resumption), and generally coping with whatever comes our way (contingency).
Preparedness means being ready in case something unexpectedly goes seriously wrong. Whereas we may cope perfectly well with relatively minor events, more serious incidents or disasters such as the following require better preparation:
- Power cuts, surges and dips;
- Fires, overheating or smoke damage;
- Floods and leaks;
- Earthquakes, cyclones, tornadoes, volcanic eruptions or terrible storms;
- Hacks and social engineering attacks;
- Overloaded IT systems, out of capacity;
- Malware infections, spyware, ransomware;
- Mistakes by system administrators or users, plus “accidents” of all sorts;
- Essential people unavailable, e.g. off sick;
- Failed IT changes or upgrades;
- Cloud and Internet failures;
- Serious frauds.
Although we aim to prevent incidents and disasters, there are many risks and our preventive controls are imperfect, so we cannot guarantee to prevent them all. We need to be capable of surviving almost any incident or disaster. While we can't truly plan for every such eventuality, it is important that we prepare ourselves as best we can through awareness and training (including exercises), continuity and resumption planning, and emergency supplies.
The learning objectives of this awareness module are to:
- Introduce and provide background information on information security events, incidents, disasters, responses, business continuity, resilience, recovery, contingency etc.;
- Expand on the associated incident and disaster management processes, including anticipating, reporting, calmly responding to, resolving and learning from them;
- Encourage people to spot and report information security concerns, issues, events, incidents and near-misses, promptly.
Think about your learning objectives in this area. Does your organization have particular issues, challenges, requirements or obligations your awareness program should emphasize in relation to incidents and disasters? Is there anything special, characteristic or unique about your preferred approach, organization structure, reporting arrangements etc.?
Incidents and disasters awareness
A security awareness and training module about managing information security incidents and disasters.