Monday, March 23, 2015

Security and Preparedness in the Age of Disruptions

In the Fall of 2004, I had the great fortune to work as a Graduate Marketing Intern for the University of Wisconsin Press. One of my duties was to create marketing materials for the new title, Business Confronts Terrorism: Risks and Responses by Dean C. Alexander. In this seminal book, Alexander discusses a future world in which businesses of all types must learn to live with the prospect of terrorist attacks. At the time, he was warning about the threat terrorist groups presented to "soft-targets" where security and scrutiny would be low if not non-existent. Simply stated, 9/11 and the threat of Al-Qaeda changed the security and preparedness matrix for all businesses, not just the "usual suspects" like power plants, chemical factories, and financial institutions. Rather, for Alexander, shopping malls, tourist attractions, and the mom-and-pop shops must all be ready to handle the threat of terrorist actions.

To be frank, I thought the book was a bit alarmist at the time, and the decade or so following didn't materialize the type of threats which I felt warranted the concerns expressed in the book. To be sure, there were some attacks around the globe, but not the volume of attacks that, for me, warranted additional concern. Historically, terror attacks happen to soft-targets on an infrequent, but regular, basis. In the end, if you run a small business, the cost-benefit of preparing for the risk of a terrorist attack simply wasn't there.

So, from time to time since 2004, I've viewed terrorist attacks or riots or natural disasters and thought, "Maybe Dean was right." But, in so doing, I further reflected that the structural conditions hadn't changed all that much. So, while Alexander had been "right," the need for small businesses to be prepared just wasn't there.

Now, in 2015, I view the structural conditions as having undergone a dramatic change. Given recent events in Paris at Charlie Hebdo and the Tunis museum attack, and the destruction of cultural heritage sites and artifacts in Iraq, Syria, and Afghanistan, alongside the structural property damage in Ferguson, Missouri, combined with the aftermaths of major natural disasters and weather-related disruptions, I can only conclude that Dean was RIGHT. Having said that, at the same time, his singular focus on terrorism also undercut the real dangers that businesses face from the very society in which they operate and the environmental conditions unique to their geography.

All businesses, both great and small, need to think critically about preparedness, be it from natural disasters or terrorists. There are just too many points of risk. Fundamentally, I believe there has been a structural shift in the nature of terrorism whereby it is acceptable and preferable to target small and soft-targets. When society combines a loosening of moral indignation to soft-target attacks with maximum media coverage, the likely result will be more, not fewer, attacks on soft-targets. And, since we have entered the full-on digital age, cyber-attacks have also emerged as non-violent, but severe, disruptions to business operations, financial losses, and consumer confidence. Now, combine those issues further with occasional local social unrest and more disruptive weather patterns, and businesses really are facing some critical threats.

Now, I'm more optimistic that the terrorist and social threats are short-term; nevertheless, there will always be weather-related events that raise some serious issues for businesses, regardless of actual business, to address. Here are some questions businesses should be asking:

1) What are the major external threats to business operations? Where are the most likely areas to produce operational disruptions?

  • Weather or Natural Disaster
  • Social Unrest 
  • Terrorism 
  • Disturbed Individual
  • Disgruntled Employees
  • Illicit Employee Activities

2) How might our location or operations impact our status as a "target?"

  • Are we in a known protest zone?
  • Do we have or work with items of significant social or cultural value?
  • What is our local, national, international, cultural, social, or digital footprint?
  • Who do we serve, and are they likely to be a "target" for terrorism or social unrest? 

3) What might the media reaction be to our businesses being targeted or to major disruptions in our operations?

  • Do we have a media plan?
  • Do we have a plan for collecting and distributing information to the media, law enforcement, our employees, and/or the public?
  • What types of media response might be most likely: local, state, or national?

4) What is our current security and disaster planning? 

  • Do you have plans written down that are knowable to all employees, or is there just an "intuition" about what would happen?
  • What types of infrastructure are in place to handle business disruptions, regardless of cause?
  • Do you have redundant systems in place?
  • Do you have mitigating systems in place?
  • Do you have defensive or offensive procedures in place? And, does everyone know what these are? And, does everyone understand their role?

5) What is our current training for security and disasters?

  • What are the expectations of employees, and do they understand what is expected?
  • Are there clear chains-of-command, or is there always a known decision-maker at hand?
  • Is there regular "training" or information shared with employees about security threats or disasters?
  • Is there a communication plan for employees?

If your business hasn't discussed these issues, now is the time. These are just some of the most basic questions that any business should consider, and in so doing, will reveal where your organization's threats derive. Then, you can start the complex task of planning and budgeting for your response(s). Not all businesses will be able to address every issue, and not every business will be able to ensure they will be fully protected when disruptions happen. The point is to have the discussion. It's too important, in these troubling times, not to have ideas about how to handle the various difficulties that could arise from natural disasters or man-made calamities.

If you want more information, or some help discussing these issues with your organization, drop us a line. We'd be glad to help you and your organization be better prepared.

Monday, March 9, 2015

Email Retention Policies

The Hillary Clinton email "scandal" has captivated headlines for the past couple of weeks. Aside from the political wranglings, email policies are important. Every organization has an obligation to ensure the integrity of its email communications. Emails are the modern "correspondence" and "memorandums" that are traditionally integral to the historical and decision-making records for an organization. One of the problems that many organizations face is they have delegated much of the authority for email retention to individuals and/or IT departments, without fully understanding the long-term ramifications. The collection and retention of emails is not seen as a historically critical process. Far too often organizations merely consider the legal and regulatory compliance aspects of email. Moreover, those legal and regulatory compliance issues can be at odds with maintaining quality historical records.

When organizations consider changing email policies, these are just a few of the most critical issues to consider at the outset (in order of importance as determined by History Edge):

1. Who are the key employees we need to consult regarding email retention?

Understanding who the key employees to consult are is ESSENTIAL to answering every other question that may arise during email retention discussions. Plus, allowing the ability to bring in additional "experts" as needed is critical. Too often organizations merely consult the senior managers and the legal team, but these are not always the best people in your organization to determine policy. Ground-level employees, professionals, and certified individuals may prove to be your best advisers. These individuals provide key insights into how the rank-and-file use email and best practices. It's constantly amazing, disheartening, and alarming to hear stories by fellow archivists, librarians, and technical staff about their organization's utter disregard for their input. As a consequence, it's not surprising when those same organizations experience near-catastrophic consequences that send the organization into fits as they struggle to find email and other records. The simple answer for all organizations is: learn your staff, know their expertise, and utilize their knowledge.

2. What is our organizational capacity or dedication to records retention, or what resources (personnel, finances, and technical) are we willing to dedicate to email retention?

To some extent this is a "chicken-and-egg" issue. Unless you know what you are going to keep, you cannot know what resources will be needed. On the other hand, unless you know what resources your organization is willing to devote, you'll just keep throwing resources at unmanageable or unsolvable problems. Starting with a framework of understanding about the budget allocation for the study and yearly expense allocation will help a committee both to make tough decisions and to frame their arguments about what should be done and how. Now, this initial allocation should be flexible, but open-ended budgets only result in unrealistic recommendations and the need to make ill-advised decisions based on budget constraints.

3. What is our organization's industry, purpose, and mission?

Knowing your organization's industry, purpose, and mission will guide what emails are required by law or regulation, but also allow the organization to understand where it stands in the context of its history and its role in society. Understanding these items will allow for the identification of emails that are critical or essential for retention, important to retain, nice to retain, or not necessary.

4. What are the legal and regulatory issues associated with our organization?

Once you identify where your organization is located within an industry, it should be relatively clear what the legal and regulatory compliance issues are, as these will likely be outlined by statute or legislation. Therefore, at a minimum an organization will be able to determine what resources will be necessary.

5. Who are the major leaders and decision-makers?

Once an organization has identified its legal requirements surrounding email retention, the major leaders and decision-makers can be identified. Not everybody's email is critical to the function of an organization from a historical perspective. Day-to-day operations are another matter, but from a historical or legal perspective most employee emails could fall under a relatively short retention period. Now, additional education and training may be necessary or technical systems may need to be developed in order to execute changes, but far too often a one-size-fits-all policy is adopted by organizations. The problem is that senior leaders discuss topics of historical and organizational significance via email. If those individuals do not archive their emails, then those discussions can be lost, all to the detriment of history. Therefore, it is critical to identify individuals of historical significance and provide them with additional tools to retain their emails. Additionally, these leaders may be identified as individuals that will have special requirements, such as using only organizational email, and not personal email, or their emails may have special review requirements prior to destruction.

6. What communication is distributed via email, and who is responsible for retention?

The types of mail communications distributed via email are another issue to consider. If most internal communications are distributed via email then your digital footprint will grow exponentially, if you keep everyone's email. This is not a good thing. When you add the extraneous emails about lunches, fundraisers, links to web pages, etc., the email situation can get out-of-hand quickly. Identifying senders of record and/or emails of record is critical to reducing the overall IT burden of email retention. Moreover, if you have a daily newsletter distributed via email, but do not have or want to dedicate resources to retaining this newsletter, then an organization will have a better understanding of the resources necessary to maintain the email system.

These are just a few of the initial steps in helping to coordinate and define an organization's email retention policy. One point that cannot be underestimated is the interconnected nature of email and organizational records. If you don't have your email house in order, then now is a great time to start. It is far better to have policies and understandings in place than to react to the media or judicial system.
