Are there contractors working on our site? If there are, then they should be categorised as our staff.
Good response plans will always have an immediate response action checklist. Despite most organisations having different internal procedures and areas to focus on during an event, I would hope that they all follow a similar structure, something like this:
Safety & Wellbeing Check:
- Am I OK?
- Is my family OK?
- Are my colleagues OK?
- Are customers or visitors in the office OK?
These are all very relevant points, but you need to dive deeper into this, specifically with visitors.
You are responsible for everyone on site
Are there visitor-contractors working on our site? If there are, then they should be categorised as our staff.
Why should there be a difference between contractors and staff? After all, when I come to your site and train your staff, I’m a contractor…and I’m pretty important!
Maybe it’s time to start considering the following:
- Have contractors signed in and do we know their whereabouts?
- Have they done an induction that includes how we as an organisation respond to unexpected events, and what we expect from them?
  - I recently visited a rail and coal client in Australia who presented me with a very professional and detailed video on their Emergency Plans. Amazing stuff (blog coming soon on that one)!
- Do they have a Business Continuity Plan? Do they have a back up to support us if they suffer a disruption?
- Can we stop them talking to the media if they turn up?
- Should we start to include them in our training sessions and scenario exercises?
We’ve seen this before
The recent Australian Defence Force Hacking was a prime example of why you need to know your contractor’s processes inside out. It also highlights that they don’t necessarily need to be onsite to impact the way you run your operation.
I bet few people can name the contractor in question who failed to put up effective defences to prevent a cyber-attack, but we all know that at the end of the day, the buck stopped with the Australian Defence Force!
Another prime example that recently came up in my training session was around how some CCTV footage and sensitive documentation are being left with third-party contractors. Again, if any of this were to be leaked, how would you respond?
Facial recognition for CCTV is currently being used by law enforcement across Russia and now the UK. Australia will adopt this technology as well should the rollout be effective.
However, in terms of practical use, it can be very shady technology, similar to when you're trying to tag your friends on Facebook and it selects the wrong person's face. It's still got progress to make, which also makes it very vulnerable to attacks right now.
Hacking a phone and laptop has never been easier, so where does the chain of connections end in your organisation?
How you should be dealing with them
I get it, it’s hard. It’s hard to get a contractor on the phone and ask them if they’ve got business continuity in place and if not, why not? But you need to do this. RiskLogic has provided basic, smaller Business Impact Analyses and Emergency Plans for our client’s contractors before, and this is a positive, quick win in getting them aware of and interested in business continuity.
Start with the basics:
- What information do they have?
- How are they storing it?
- What are their backups?
- What are their response plans like?
- How can you help protect yourself?
I’ll be spending a bit of time around this in the New Year as I believe there is a big gap in resilience here. It’s important in New Zealand that we stay ahead of this. Could you imagine how many contractors are chipping away in our small country right now?
Until then, plan, do, check & act…