} What happens if something really does break the internet? | ICAEW
ICAEW.com works better with JavaScript enabled.

What happens if something really does break the internet?

As experts warn of a lack of appreciation of the cost of technology failures, it’s time for businesses to review and enhance their digital infrastructure resilience strategies, writes Joe McGrath.

"internet"
Back in 2013 Amazon suffered an internet outage. It cost the e-commerce giant some £2m in lost sales and a 40% drop in web traffic. But this outage did not last weeks or even hours. It lasted just 30 minutes. Today, most UK companies are reliant on internet and mobile service providers for the smooth running of their businesses. But the digital infrastructures many organisations depend on are extremely vulnerable to collapse. 

Even in 2020 – 46 years after Telenet, the first internet service provider (ISP), was created – telecommunications networks can still black out for a whole host of reasons, be it electrical power outages, bad weather, damage to cables and infrastructure, human error, or network changes and upgrades. All can have a devastating effect on business, causing significant disruption and damage to profitability, brand reputation and morale. 

According to a study by independent ISP Beaming, UK businesses lost almost 60m hours of working time due to internet outages in 2018. On average, organisations experienced two major outages and 16 hours of downtime each. With the help of Imperial College’s mathematics department, Beaming estimated these outages cost the UK economy £742m in lost productivity and extra overtime.

And you don’t have to search for long to find a plethora of recent telecoms disasters that hit businesses hard. At the end of 2018, the UK’s second biggest mobile phone provider, O2 – which has over 23m customers, including many businesses – saw its whole network buckle due to a software fault caused by its equipment supplier, Swedish firm Ericsson. 

The blackout of O2’s 3G and 4G services caused all manner of mayhem for companies that use its platform, including subsidiaries Giffgaff and Lycamobile, with many unable to make or receive phone calls or get online for up to 23 hours. The mobile giant’s solution to the scandal was to decommission Ericsson’s faulty software.

The incident was so severe that O2 gave its customers, including its small and medium-sized business and mobile broadband clients, two days’ credit as a goodwill gesture. And this is just one example. The regular frequency and unpredictable nature of these incidents means businesses and accountants have to seriously consider how to effectively manage digital infrastructure risks – not only as advisers to their clients, but also as businesses in their own right.

Beth Johnson, managing director of risk management company Team Umbrella, says the good news is that digital infrastructure is now so important, diverse and complex that the chances of it all going down for any amount of time are low. “The real risk is underlying infrastructure failure. England’s power grid is much more open to risk than Google or Amazon’s globe-spanning empire,” Johnson says.

Power outages remain a major source of digital infrastructure vulnerability and weakness. In August last year, a severe outage at the National Grid resulted in nearly one million people across England and Wales being left without power, prompting a government investigation. The blackout is believed to have been caused by the simultaneous failure of a gas power plant and a wind farm after a suspected lightning strike. 

Johnson believes businesses, especially those in accountancy or finance, need to engage in risk minimisation when it comes to digital and physical infrastructure vulnerabilities. “In practical terms, this could mean maintaining an internal network with backups of all internal or client files, or paying for a highly stable system like Amazon’s Web Services package to store valuable datasets.”

Rebecca Freeman, founder of accountancy group Lagom Finance, said while many businesses believe having systems that are cloud-based is enough to mitigate any risk faced by a digital infrastructure breakdown, this does not go far enough. “Having cloud-based tools is brilliant for accessibility, but this isn’t enough to safeguard companies against the loss of data. First of all, it is critical for any business to know where and how its data is being stored. 

“The first port of call should be to thoroughly check the terms and conditions of any software used within a business to understand your responsibilities and, more importantly, how to recover any data you might need now and in the future,” Freeman adds. Having a copy of the data in two separate, unrelated software packages would reduce the risk of loss during an outage, Freeman explains. “If you wanted to go a step beyond, I would recommend exporting your data from any accounting package at least monthly.”

Sonia Blizzard, Managing Director of Beaming, says businesses that rely on their internet connections and IT systems to trade normally should have backup connections in place that �n kick into action in the event of an internet failure. Businesses should also take additional steps to secure data at rest and in motion. 

“Traditionally, accountants have been good at securing information held in their offices, both physically and on their IT systems. The advent of cloud accounting and increasing use of online packages means that some of these cyber resilience protocols need to be updated. The use of the cloud has shifted some risk on to third-party vendors, but accountants need to ensure that the data they control and the routes they use to access it remain secure.”

According to Blizzard, internet resilience strategies and risk management can differ widely between small and large accountancy firms and companies. “Larger businesses are more likely to use more reliable forms of connectivity such as fibre-optic leased lines, making it less likely that an internet failure will leave them unable to operate,” she says. It is clear that the difference in approaches to risk management between firms can be immense.

“There are a lot of options for a business looking to protect its data from system failure, but they all require capital to varying degrees,” Johnson explains. “A large firm could afford to hire a dedicated server engineer whose sole job would be to ensure the stability and security of their network.”

Johnson, Freeman and Blizzard all take the view that larger businesses are more likely to have processes in place to ensure the longevity of any systems, should there be an internet blackout. 
Freeman says it is common for smaller businesses to completely overlook the risks in their digital infrastructure. “Only when it’s too late do they consider solutions such as cyber insurance or more robust internal processes.” 

Insurance is an important consideration. Companies’ risk controls can do little to prevent a network service provider failing or being attacked, therefore risk finance plays a crucial part in the recovery process after an outage. While products such as business interruption (BI) insurance traditionally only cover the insured’s own network, some insurers have started to expand the BI coverage by changing the definition of computer system to include the systems owned by third-party providers, including internet providers.

Blizzard says company finance teams should also be heavily involved in containing the risks posed by vulnerable digital networks. “Finance teams can support risk mitigation by helping the business to understand the actual cost of any business downtime. This ensures businesses take these problems seriously and have a full set of facts when evaluating the costs and benefits of enhancing their resilience.

“It is increasingly important that businesses have comprehensive disaster recovery policies and systems in place. This helps ensure that companies are as resilient as possible to threats, and also enables them to recover more quickly if their systems or premises are compromised,” Blizzard says.

For internal audit teams, tracking and reporting on key risk areas, such as the risk of data loss during an infrastructure crash, is also crucial to mitigate the impact of these incidents. “Internal auditors should be focussed on data security above all else,” Johnson says. “In a post-GDPR world, poor data practices can cost any firm an enormous share of its net worth depending on the offence. Internal servers for emails, rigorous password standards and proper reception logs can help companies avoid the hefty fines the EU is capable of issuing under GDPR.”

Blizzard warns that a failure by firms to secure their data properly will always result in the “greater loss of corporate reputation. Data security is fundamental to accountants’ businesses and their clients’ trust in them. Their responsibilities should go way beyond compliance. Those who can’t be trusted to keep their clients’ data safe will soon find they don’t have any clients to protect,” Blizzard says.

In addition, internal auditors should stick robustly to processes and implement ISO standards for any internal processes, according to Freeman, as well as assigning key personnel to monitor and take responsibility for each procedure. “Any safeguards put in place should be subject to regular reviews by an independent party either internally or externally,” she says.

With a 2019 Mimecast poll revealing a shocking 52% of UK firms do not have a cyber resilience strategy in place – despite the majority believing they will suffer an internet-related incident in the near future that would damage their business – concerns remain that firms are undervaluing these wider infrastructure risks.

“There’s definitely a danger of companies consistently underestimating their exposure to these risks,” Johnson cautions. He adds: “I think we all know that it’s easy to put these things off, especially if your firm has grown organically from small beginnings. It can be hard to implement these practices while the wheels are already in motion, but it’s essential for any company hoping to scale fast and with few incidents.”

Read our article on six top tips for developing cyber resilience strategies