A Traditional Richter Scale for IT Incidents and Data Breaches
Recently, I came across an interesting article in VentureBeat written by Dan Lohrmann of Security Mentor – “Why data breaches need their own Richter scale.” In the piece, Lohrmann discussed whether a standard scale is needed to classify data breaches by severity level, like the famous Richter scale used to measure earthquakes. I like it.
That got me thinking. How would an effective unified critical communications strategy complement this new scale? Let’s call it the Breach Scale for the sake of this post.
Here are two hypothetical scenarios of different “levels” to paint a picture of what communications plans could look like, depending on the severity level of a situation.
- Low-Level Incident: Website Outage
Details: A database malfunction at Joe’s Sneakers headquarters causes their website to be down for two minutes. The company averages 500 people viewing its site at any given time. Their customer service department starts receiving calls from unhappy customers.
This scenario certainly isn’t life-threatening, so there doesn’t need to be an “all hands on deck” type plan executed. What is important, though, is to have everyone involved with running the website collaborating with customer service and certain members of the executive team to get the issue solved as quickly as possible. A unified critical communications platform can make sure all the “need to know” parties are alerted to the issue and can connect to start fixing the problem, while also keeping customers informed of the progress.
- High-Level Crisis: Tornado Hits Major Automotive Company
Details: Omaha-based Westwind Automotive’s five-million-square-foot corporate campus is hit by a severe tornado. There is major damage throughout the location. Hundreds of offices are leveled, the manufacturing plant screeches to a halt and the global video-conferencing system is offline. People are missing, email is useless and hardly anyone remembers where to meet up in their safety groups in case of a fire or catastrophe.
This scenario is obviously disastrous, not just because business continuity is impacted, but also because lives may be in danger. This would be an all-hands-on-deck scenario. The C-suite and board would need to be immediately alerted and in constant contact to determine next steps. But what if they were spread out across the globe – the CEO speaking at a conference in Dubai, the chairman in Tokyo, and the rest of the executive team traveling across various time zones? Precious seconds are ticking away. A critical communications system would make sure they are aware of the situation as soon as possible – whether via email, text or phone. Additionally, dozens of other departments within the company would need to be able to collaborate with dozens, if not hundreds, of parties. For example, supply-chain managers would have to assess the damage and manage inbound and outbound deliveries, HR would need to be ready for employee-related issues, and marketing may have to halt forthcoming campaigns because of reduced inventory. The list goes on.
As you can see from the tornado scenario, the severity level of the incident not only affected the number of people who needed to be made aware; immediacy was even more important, and the logistical challenges of having “need-to-know” people spread out made everything more complex without the right communications platform in place.
While different communications efforts and platforms may need to be enacted, depending on how critical an IT outage or business-impacting emergency may be, there are some overarching key recommendations that all organizations should look to as best practices.
- Standardizing a plan for how you respond to incidents – critical or not – can be beneficial, and prevent you from scrambling when an incident actually occurs.
- Communication and collaboration can help reduce your Mean Time to Know, which, in turn, shortens your Mean Time to Repair. Communication during this period should be specific and offer guidance.
- Automation is essential for incident management, but you can’t forget about human interaction completely.
- When putting together an incident management plan, don’t forget about mobility trends, such as bring your own device and telecommuting. These two trends could completely change how you respond to critical IT incidents.
I encourage those reading this post to check out Lohrmann’s VentureBeat piece. Matching the type of communications needed for every incident severity level, and maybe creating some kind of standardized scale for corporate America and beyond, is something quite interesting and worth discussing further. We certainly will be discussing it around our offices.