In these times of crisis, many companies have launched plans to optimize their costs. Unfortunately, management decisions often directly affect people: staff reductions, higher pressure, increased production rates, etc.
If no agreement is reached between management and the unions, strikes may affect some services. Striking is a right for all workers but, leaving the social side aside, the IT security of the company may also be affected by a strike among the staff!
- The staff is concerned about social problems and is not focused on their daily job. Some security incidents may not be detected in time and investigated properly.
- The staff could be an excellent target for social engineering attacks (pretending to be somebody from the union is a good example).
- Some staff can sabotage the infrastructure!
Do you want a good bad example? A Belgian Internet provider is currently affected by a major strike among the staff of one of its subcontractors. The engineers started a strike and refuse to connect new customers to the Internet or to troubleshoot for customers suffering from network outages. Worse, some strange failures affected the Internet services. Rumors of sabotage circulate! (Read the article in French, translation here).
For all companies, this is a risk that must be analyzed (with a BIA or “Business Impact Analysis”), and countermeasures must be defined to prevent customers from being affected. For me, the situation affecting the Internet provider is a good example of BCP (“Business Continuity Planning”). They are facing the two types of risks:
- Qualitative risk: Very bad publicity. Articles have been published in newspapers, and I saw a video on the TV news.
- Quantitative risk: New customers will go to the competition, and customers affected by the outage will claim financial compensation.
And, finally, on top of this, let’s hope the company will have a good communication plan!