Makes me wannacry
Just a couple of weeks ago I boarded a plane from Birmingham airport heading to Shannon in the Republic of Ireland. It was the start of two weeks' work for a client that had booked some time ago. As the weeks were back to back I had decided to stay in Ireland for the mid weekend as well so as not to keep flying back and forth, so I was prepared for a longer stay than usual.
If you haven't been to Birmingham airport recently you are in for a real treat at the moment. They have recently extended the runway so the airport can now handle some seriously big aircraft and I'm talking Airbus A380s here, that’s the double decker one. With that come more passengers who need more parking spaces, bigger drop off and pickup areas and more. So there are major construction works going on around the airport roads and parking areas and driving there at the moment can be a bit of a pain. Make sure you leave enough time to allow for traffic issues.
More passengers also means longer queues at security checks and as I arrived at the screening area I could see that the decision to arrive two hours before my flight was going to pay off, as most of it was going to be spent in the security queue!
This was no surprise however as it was the Sunday following the WannaCry ransomware hit on the Friday so I was expecting some kind of backlash, not that there was any indication that the airport systems were hit and I'm not suggesting otherwise. My risk management head was telling me that I should be prepared.
WannaCry hit many organizations across the globe; estimates put it at over 200,000 people in 150 countries, so this was not an insignificant event and it was well publicised. As I was travelling just a couple of days after the hit, I was prepared for how it could affect me, including the possible cancellation of the work I was flying out to do.
My phone was never far from my side across the whole weekend as I was aware of this possible event occurring and yes I did get a text message saying my client had been affected by the ransomware hit and wanted to postpone the training. The text arrived as I turned my phone back on as I left the plane in Shannon!
Power Failure at BA
At the time of writing British Airways (BA) are into their third day of recovering their IT systems from a catastrophic failure caused, it seems, by some kind of power outage. Indications are that today most of their flights will be back to normal.
What people are asking is not so much about how the power went out in the first place but why there was no backup system in place to take over.
Having put in many IT systems in the past, this is a discussion that has cropped up on many an occasion. Sometimes an uninterruptible power supply (UPS) is fitted with a battery backup that has sufficient capacity to execute a controlled shutdown in the event of a mains power failure.
On some sites it has been necessary to install backup generators for the whole building to produce power in the event of failure. These generators are nothing more than massive diesel engines that are able to turn power-producing turbines. A combination of UPS devices on the kit along with generators then gives you more protection, but the generator will only run as long as it has fuel in its tank. A lesson learnt once when we decided to run a whole night’s batch work whilst running on the generator, only to have it cough into silence two hours after we started it because it ran out of fuel. The tank was full when we started.
Local solutions may not be enough then but there are more options available. We could have a mirrored system some miles away in another building on another part of the mains power grid just running alongside the primary infrastructure in case we lose power. If we do suffer an outage then the mirror site immediately picks up and carries on so our users don’t notice anything.
Not sure what you think but that sounds expensive to me.
Business Impact Analysis
Two major problems then that have had global effects.
WannaCry was a massive hit globally but here in the UK only one organization got the publicity of being affected, the National Health Service (NHS). When I worked for the NHS many years ago there was a constant conflict when it came to funding the IT service within an NHS trust. What you spend on IT you can’t spend on lifesaving treatments for patients but without adequate technology you can’t give lifesaving service. I'm sure my former colleagues in the NHS had the most reasonable solutions in place considering the challenges they face in that environment.
Many other organizations were hit, I know because I was directly affected by one of them but we have hardly heard of any others in mainstream media.
I wonder if the same is true for BA?
Was this a power outage that affected a whole region or was it just the BA building?
Either way it’s the failure of BA systems that has the greatest impact. Everyone on a plane is there for a reason, whether that be business, holiday, getting married or travelling to see family in far flung lands. I am yet to sit next to a person on a plane who is just there "because I fancied it today".
For both the NHS and BA then the impact to their business of these events has been very significant whether as a direct impact or just being a high profile name that was involved.
Cost of Accept
In my experience I’ve had many conversations over the years talking about the possibility of these risks occurring and what the impact to the business would be. There are many responses we can make to risks like this and we can also implement robust continuity plans to mitigate the impact of these events.
You can see though that the more protection you put in place the more it is going to cost and nobody can guarantee that all your IT will be 100% available no matter what happens. How much an organisation wants to spend on this protection has to be considered by its management. The bigger the impact the higher levels of management need to be engaged.
One of the responses available under risk management is to 'Accept'. This on face value seems such a harmless word. Some think it is harmless, using it as a response when mitigation of a risk is a bit pricey. It’s easy therefore to slip into risk acceptance when we are either cutting costs or running a business to its lowest possible cost level.
In reality it’s where we make an absolute management decision to take on board the impact of a risk should it happen. And that can be very costly.
Organizations like the NHS and BA have the ability to absorb the impacts these risks have but for us small business owners being hit with these events could have considerable effects that include bringing our businesses to a close.
Please make sure you know the cost of accepting risks in your business and nothing makes you Wannacry.