An information security crisis is the moment when you improvise
Disasters are usually a result of organisations failing to prevent a crisis from getting worse, says Peter Power, Managing Director at Visor Consultants Limited. ‘There cannot be a crisis next week. My schedule is already full’, said Henry Kissinger in June 1969 at a time when the US faced many potential crises. Humorous yes, but is there some truth in what he said? How many potential disasters are already on your corporate radar screen that you are too busy to notice? There you are, convinced that you have planned for just about everything. Your risk analysis is complete and all your information and data processing seems watertight. You are confident that you are as prepared as you can be for most eventualities. Even the chairman has shown an interest. But what if fate delivers you a low ball and you have a crisis that really is out of the blue? How would you cope? There is a worrying tendency, especially in the US, that assumes any ‘out of the blue’ crisis means just that: aircraft leaving the sky and deliberately hitting tall buildings – and we have all seen many post-9/11 business continuity plans that now focus exclusively on this threat to the exclusion of all others. Whilst it is true that our notion of terrorism as a form of limited violence was shattered by the terrible events in 2001, previous attacks by equally less predictable terrorist organisations – like the Aum sect in Japan, responsible for the Tokyo subway nerve gas attack and fanatical groups in the Middle East – had already challenged our previous assumptions about terrorism. It was, and will always be, a threat that is surprisingly hard to define. Almost by definition, terrorism will continually seek to change its face. But enough has already been written on this subject and before we also slide towards overindulging our concern with just one type of threat, let us return to the subject of this article: can you really handle any crisis? 
In March 2000, a lightning bolt caused a blaze at a Philips electronic factory in Albuquerque in the United States. Ten minutes later the fire was out, but far away in Scandinavia this small event sparked a corporate crisis that shifted the balance of power between two of Europe’s largest electronics companies. Nokia and Ericsson both depended on computer chips from the Philips factory. Indeed, the supply was critical to each company.
After the fire Philips needed weeks to return to normal capacity, but with mobile phone sales booming, neither company in Scandinavia could afford to wait. What happened next is a lesson for us all. Nokia (Europe’s largest corporation by market capitalisation) immediately switched on their crisis management skills. Before Philips said anything, all they noticed was a glitch in the flow of chips – but it was on their radar screen. Within a few days they had scoured Europe for alternate suppliers, flexed the company muscle to squeeze more out of them and patched together a solution that ensured manufacture of handsets kept going. Pertti Korhonen, the chief trouble-shooter for Nokia, said afterwards: ‘A crisis is the moment when you improvise.’ He was correct.
Ericsson, on the other hand, were probably too busy to notice anything. By the time it was realised that their supply of chips from Albuquerque was in jeopardy it was too late. Nokia had been there days before and taken all that was left, and had done the same with most other suppliers. In the end, Ericsson lost around US$600 million of revenue and 50 per cent of market share and subsequently had to be rescued by linking with Sony to sell any handsets.
In my experience, the majority of disasters are caused by organisations that fail to prevent a crisis from getting worse, and then only wake up when things have deteriorated to the point of disaster. My own belief is that crisis prevention is considerably more effective than disaster recovery, but many organisations are encouraged by some consultants to spend a disproportionate amount of time and money on recovery options, without first looking at reducing risks, as well as preparing for the unforeseen. So what are the drivers for crisis management?
Here are a few: protection of reputation and brand; customer service; shareholder value; legislation, regulation and corporate governance; increased complexity of business operations; increased interdependencies; insurance conditions. The last point, about insurance, also includes a potential reduction in premium if you can demonstrate that, should a catastrophe appear, being able to work at the speed of a crisis rather than at the speed of the organisation, the likelihood of a subsequent claim on your policy is much reduced. It is also worth bearing in mind that most insurers accept that for every pound or dollar of insured costs, there is anything between 8 and 36 times this amount in uninsured costs. Typically these costs are: management time; investigation costs; adverse publicity; loss of reputation; loss of brand; loss of image; fines and penalties; loss of expertise. But realising this is not enough.
It is also important to know that stakeholders and customers will now want to measure board proposals on issues such as succession, accounting irregularities, fraud and resilience. In 2003, as global threats and risks become more diverse and worrying, we might assume that being able to work instantly as crisis managers links more to profit than to cost. Nokia thought so. It follows that none of this should be seen as a ‘grudge purchase’ but as an extension of sound corporate governance and executive stewardship – especially in a post-Enron/Worldcom world. So how do you do it? Over the years we have helped many organisations in the UK, US and Europe to create, train and test their own ‘crisis teams’ and have realised that there are a few important points that should always be borne in mind:
When you are analysing data and researching the best options on how to prepare, always remember to ‘keep your eye on the ball’ and not let the project get hijacked by something else. All the plans, mission statements, recovery options and supply chain goodwill count for nothing if executives cannot switch to ‘quick time’ thinking and form a ‘crisis management cell’ without delay. It is, therefore, a subject where selection, coaching, testing and exercising count for everything.
Your own suppliers may cause you to have a crisis. These days many companies operate ‘just-in-time’ (JIT) procedures, which probably means they cannot deal with ‘just-in-case’ events since there is little or no slack left in the process. Add to that fragile supply and data routes up- and down-stream from your sites and the knock-on effect of someone else’s crisis seems all too obvious.
Getting board-level agreement is not enough. You must get board-level commitment and hands-on involvement.
Make sure that crisis management becomes a truly operational tool and not just a reference whose purpose is to reassure everyone when things are calm.
It must be an integral part of management and a continuous process, of which the document marked ‘plan’ is simply a written presentation of management competence. Avoid lack of motivation and inspiration. What do I mean by this? Well, take the story of an important visitor who some years ago called into a stone quarry to see what the workers were up to. All around him apprentices were busy chipping at granite blocks. ‘What are you doing?’ he asked one of them. ‘I’m making a stone block that will be two feet long by a foot wide’, came the answer. Turning to another apprentice he asked the same question but got a different answer: ‘Oh, I’m part of the team building a magnificent cathedral’. Manage your risks properly and recognise that the key to successful crisis management is to realise that containing a crisis is more effective than recovering from a disaster. Oddly enough, many organisations have disaster recovery plans, but not enough have crisis management options. Perhaps that is because you can more easily measure recovery? This leads to the last point: When setting up any measurement criteria, seek out what is important and then work out how to measure it (for example, measuring the likely damage to reputation).
At the beginning of the Vietnam War, the US Army had numerous fire-fights with the Vietnamese Army and quickly realised that the number of enemy dead invariably far exceeded their own. This was easy to measure and thus could be used to calculate who would win the war, and how soon. However, in doing this the US Army, like many before it, made the mistake of finding something to measure and then making it important, rather than the other way around. For the Vietnamese Army, leaving the dead in the field was irrelevant when you had endless reserves, control over domestic media coverage and a will to win. The truth is that almost all crises follow a path from normality to possible disaster. Crisis management can recognise and interrupt this if applied diligently and on time. In the case of a bomb explosion without warning, this path will be sudden; but such a scenario is an exception, as many incidents can be termed ‘quiet catastrophes’ that build up, often unnoticed (small errors that are not checked soon become big problems). This can include scenarios such as power failure, intermittent system faults, road closures, sabotage, protestors, corrupt data, or building-related issues such as faulty air conditioning. Sometimes organisations have first been alerted to a crisis because the press called to tell them – in which case they might already be halfway down the path to disaster where trying to take the ‘media high ground’ is even more imperative. Indeed, the issue of presentation and media image is so important that we have seen some companies ultimately fail even though their efforts on site were as good as they could be, but they somehow failed to give the right message to the world’s media. When speaking to the press, try and avoid the five ‘d’s: denying everything; doing nothing; diverting to someone else; diminishing the incident; drip-feeding at your own pace. 
It is often the case that organisations have not necessarily taken the wrong actions in terms of crisis management but probably took the right ones too late – by which time the crisis itself sets the pace and you might end up following events rather than getting in front and stopping the spread. By calculating an assessment of the crisis situation and its likely development – coupled with what should be the ideal reaction to control, contain and resolve it – it is possible to draw a basic model to illustrate the point that few crises instantly jump from normality to disaster. It is therefore possible to assess the impact of the crisis and its likely rise/fall, and then link this directly to the best reaction to contain it, to reassure stakeholders, and so on. In this way a crisis management structure can quickly be set up, but populated only according to present and anticipated requirements. For example, there is a ‘stage 1’ crisis that puts some people on standby whilst others are engaged in ‘fire fighting’. Subsequently, the incident can be either downgraded or upgraded to a ‘stage 2’ crisis, where levels may be fully staffed on a shift basis. The outline structure, however, remains the same. But setting all this out in a few pages may ignore a particularly vital feature. Unfortunately, too many crisis planners often overlook human emotion.
Too many practitioners see the processes they are dealing with as highly systematic, cerebral and conscious: you know what you are doing and you can explain the process to others. Emotion is seen as something that clutters up the calm processing of information and is nearly always factored out of the equation. That is one reason why my own company specialises in crisis management, since when your own schedule is full and human emotion is ignored you can be sure that a crisis is soon to follow.
Peter Power is MD of Visor Consultants Limited. He was the lead speaker at the 2002 Global Disaster Management conference in North America and is a Special Advisor to the Canadian Centre for Emergency Preparedness, as well as the UK Disaster Management Forum. Peter also wrote the UK Government-issued guide Preventing Chaos in a Crisis and led many front-line crisis teams at several terrorist and other major events in London while a senior police officer at New Scotland Yard. He regularly lectures on his experiences and occasionally speaks on BBC TV/radio. He is a Fellow of the Institute of Management, Fellow of the Business Continuity Institute, and a member of the Institute of Risk Management. For further information contact: Peter Power, MD, Visor Consultants Limited, 212 Piccadilly, London W1J 9HG. Tel: +44 (0)20 7917 6026; Fax: +44 (0)20 7439 0262; Mobile Tel: +44 (0)7774 824487; Email: info@visorconsultants.com; Website: www.visorconsultants.com
Forensics
A computer forensics investigation can reveal practically everything about the perpetrator of a crime, says Clifford May, Principal Consultant at Integralis, but you must know where to look – and not destroy any evidence.
Chains of evidence
Contrary to popular perception, most e-business and information security crimes and abuses that are reported today are internally inspired and range from theft of information to sabotage. As a result, the work of the computer forensics expert is a far more complex operation than most people appreciate. Computer forensics enables the systematic and careful identification of evidence in computer-related crime and abuse cases. This may range from tracing the tracks of a hacker through an organisation’s IT systems, to tracing the originator of apparently anonymous defamatory emails, to recovering evidence of fraud. But, as with any investigation, it is vital to know where to look to find the evidence required and how not to destroy that very evidence in the process. This requires skill, knowledge and a lot of experience – especially as all forensic investigations must respect the laws governing the rights of the individual in each country and must always be handled with sensitivity. A computer forensics investigation can reveal practically everything, from the character of the user, to their interests, activities, financial health, acquaintances and more. It is all there to be recovered from applications, email systems, Internet browsers and free space. Their life, outlook, intelligence and interactions are held – as individual as any fingerprint – on the computer they use.
There is no limit to the accountability that can be uncovered: private business transactions, communications with accomplices, fraud indicators and much more are frequently mined from systems. Attempts to hide or erase this evidence are often unsuccessful, and a ‘golden nugget’ that proves a crime can be unearthed by an expert. The evidence that a forensics investigation will seek to uncover will vary; but activity such as Internet abuse during working hours is a good example of a well-known business problem. Amongst the more prevalent cases tend to be problems involving employees who divulge critical corporate information to third parties, fraud and the diversion of sales to rival companies for generous kickbacks. Cases of anonymous harassment and defamation are increasing along with the use of email and the Internet, and hacking cases involving Trojan horses, denial of service attacks and network intrusions also feature highly in the typical forensics workload. Industrial espionage is also still a problem, and the discovery of ‘key loggers’ is increasing with improved user awareness. A small hardware device or software utility such as this can easily be installed and go unnoticed. These simple tools can help a competitor or criminal to steal passwords and user IDs in an instant. Without the correct security procedures, the victim won’t know a thing about it until it’s too late. But it is not only employees that forensics investigations focus on. So few companies have adequate security vetting procedures, that industrial espionage has become a global concern. Every computer, on practically every desk, is an open doorway to the company’s network and all of its data and essential information, such as its payroll, projects, R&D, finance, patents and customer details. Everything is potentially there for the taking by professionals posing as cleaners, tradesmen, maintenance crews, fitters and even, sometimes, as clients. 
Cases of arson have been brought to trial using computer forensic techniques, and bandwidth problems in large corporations have been found to be a result of network abuse by personnel downloading massive video files (sometimes full-length, hi-resolution feature films), MP3 music files, or simply spending all day listening to global radio over the Internet. Petty jealousy is also an increasing problem in many organisations: better cars, larger offices, fatter salaries and unpopular promotions can provoke the worst kind of unreasonable behaviour. The result is that sabotage is a growing problem, with people systematically and knowingly breaking systems.
Gathering the evidence
The process of gathering evidence requires proper incident management training. Investigators must follow the correct procedures or the evidence may be compromised and become inadmissible. Simply booting a PC will change at least 70 of its parameters. In addition, documentation of the steps taken in a forensic investigation is vital, and a case can be built on suspicious activity. Why does the suspect work so often at weekends? Why does he/she never take leave? Is there a regular pattern of people who always work long hours, often late into the evening?
The ideal is to take copies of the entire hard drives of the suspect systems for examination with forensic software, but this is not always possible and a strict procedure for identifying and securing potential evidence is required. There is also an array of pitfalls to be avoided when attempting to secure reliable evidence: it must not be damaged, destroyed or compromised in any way, and steps must be taken to ensure that the investigation: does not change any of the time and date stamps of files; does not change the contents of the data itself; maintains a complete and comprehensive audit trail of the steps taken; understands what operations the computer performs when it is turned on or off.
Computer forensics is a growing area that is earning increasingly wider recognition; and as systems and networks increase in complexity, it is becoming more and more specialised. It is also the area for specialist companies who have the resources, knowledge and experience to really make a difference. There is a growing awareness of the requirements for handling computer evidence in the UK due to an established and accepted code of practice and the number of cases passing through the Courts. However, the chain of evidence is frequently not confined to one country and may cover many different countries and several continents, requiring forensic specialists to understand international law.
It is also important to remember that it is only possible to uncover what is actually there. This may seem like an obvious point to make, but computer forensics cannot promise or perform miracles, and finding the most obvious pieces of evidence, such as a letter written to an accomplice, logging dates, times and transactions, in the free space on a disk is a highly unusual occurrence.
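The handling requirements listed under ‘Gathering the evidence’ (unchanged contents, unchanged time and date stamps, a complete audit trail of the steps taken) can be checked mechanically. The Python sketch below is an added example, not part of the original article: it snapshots a constructed stand-in file, detects timestamp-only and content changes against that baseline, and keeps a hash-chained audit log. The function names, the examiner label and the sample file are all hypothetical.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first audit entry

def sha256_file(path, chunk=1 << 20):
    """Hash a file opened read-only, in chunks, so large images are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(path):
    """Record size and modification time BEFORE reading, then the content hash.
    Access time is not compared: reading can update it on a normally mounted volume."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "sha256": sha256_file(path)}

def changed_fields(baseline, path):
    """Return the recorded properties that differ from the baseline snapshot."""
    now = snapshot(path)
    return [k for k in ("size", "mtime_ns", "sha256") if baseline[k] != now[k]]

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only log in which each entry commits to the hash of the previous one."""

    def __init__(self):
        self.entries = []

    def record(self, examiner, action, detail):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries),
                 "utc": datetime.now(timezone.utc).isoformat(),
                 "examiner": examiner, "action": action, "detail": detail,
                 "prev_hash": prev}
        entry["entry_hash"] = _digest(entry)  # digest is taken before the key is added
        self.entries.append(entry)

    def first_bad_entry(self):
        """Return the index of the first entry that fails verification, or None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return i
            prev = e["entry_hash"]
        return None

def demo():
    """Run the checks on a constructed stand-in for a working copy of an image."""
    trail, results = AuditTrail(), {}
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "working_copy.img")  # constructed sample file
        with open(image, "wb") as f:
            f.write(b"constructed sample evidence bytes\n" * 64)
        os.utime(image, ns=(10**18, 10**18))  # fixed, constructed timestamps
        baseline = snapshot(image)
        trail.record("examiner-A", "acquire", baseline)
        results["after_read"] = changed_fields(baseline, image)
        trail.record("examiner-A", "verify", results["after_read"])
        # Simulate a timestamp-only change (mtime moved by one hour).
        os.utime(image, ns=(10**18, 10**18 + 3600 * 10**9))
        results["after_touch"] = changed_fields(baseline, image)
        with open(image, "ab") as f:  # simulate a change to the contents
            f.write(b"x")
        results["after_write"] = changed_fields(baseline, image)
    results["trail_ok"] = trail.first_bad_entry()
    trail.entries[0]["detail"]["sha256"] = "0" * 64  # simulate an edited log entry
    results["trail_edited"] = trail.first_bad_entry()
    return results

if __name__ == "__main__":
    print(demo())
```

The chained log only makes later edits detectable; it still needs to be stored where the person under investigation cannot rewrite the whole chain.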
A really good forensics team can tell, in an instant, whether a business has good grounds for further investigation or not. They will know from their initial examination whether something looks wrong and out of place. Such a decision can often save a company many thousands of pounds and a lot of wasted time. As the discipline develops, forensics is spreading into whole new areas. Specialist teams are not only being tasked with handling criminal incidents but also with developing and implementing blocking, prevention and tracking techniques in companies and throughout organisations. But the fact is that most hacking cases are not pursued as far as they should be – companies simply rebuild their systems and get on with business, due to fear of the expense and loss of time that prosecution might involve. Forensic specialists are increasingly advising on the viability of potential courses of action, and are increasingly being called upon to help pinpoint sources of danger and devise procedures that prevent repeat attacks. Theft of company information and intellectual property is still the largest area of corporate crime, and computer forensics is certain to grow in importance as the volume of e-commerce transactions increases and as access to company networks and corporate information needs to be more reliably protected and ever-more tightly controlled. Integralis, the corporate solutions division of Articon-Integralis, provides information security solutions to all industry sectors throughout the world, allowing organisations to grow and achieve their business goals securely. These solutions combine service and system integration, the deployment of ‘best-of-breed’ security products and managed security services, and employ some of the leading technologists and most skilled engineers in the industry. Integralis is recognised as a leading and trusted provider of information security solutions in the European IT and e-commerce security market.