What can we learn from the Optus outage?
9 November 2023.
The Optus outage and what lessons we can learn from it
Yesterday, over 10 million private and business customers were affected across the country when one of Australia's largest telecommunication providers crashed. This left many of them without telephone service or internet access for up to 13 hours in some cases.
Fallout from the outage
This was clearly bad news for those affected customers and for Optus itself. It's only just over a year since the company suffered a major data breach affecting a similar number of customers. That breach had many impacts on the company. Aside from the obvious reputational loss, Optus agreed to pay for the replacement of compromised passports, and for some customers to have a subscription to a credit monitoring service.
In the wake of yesterday's outage, the parent company suffered a drop of over 4% in its share price. The Australian Federal Government has announced an investigation, and there are reports that Optus' rivals have indicated a spike in new customers.
So, the outage was clearly bad news for Optus and its customers, and there will be plenty of observers piling in with criticism. As our regular readers will know, this blog space, and indeed Qudos as a business, is all about supporting people that run management systems. We thought we would take a different approach, and ask the question...
What can we learn from the outage?
Most of us don't run a Telco, but we all use them. This obviously won't be the last such outage, so we should consider what practical steps we can put in place for when a service provider we use does suffer a technical problem or cyber attack.
The aim is, of course, to continue business (at least to acceptable levels and time frames) despite a significant disruption to something we rely on. Although we can't predict the exact nature of any specific disruption in the future, we can consider a range of what-if scenarios and plan how to deal with them. We can then consider arrangements for prevention, preparation, response, and recovery to build resilience. What we are talking about in general is Business Continuity Planning.
Having a Plan-B
In many cases, the solution will involve having a Plan B - an alternative that we can turn to in the event of a failure in our supply chain.
Here are a couple of illustrations:
During yesterday's Optus outage, we had team members that were working from home with mobile phones on the Optus network. While that failed, they were still able to work because their home internet connections were with a different provider. They could make calls using Messenger, WhatsApp etc. What's more, with Apple iPhones they were able to switch them to Wi-Fi calling and make calls using the internet connection. If the scenario was that the failure was with their ISP instead of the mobile phone provider, the reverse could have applied by using the hotspot facility on their mobile.
Like many organisations, we use the Microsoft Azure cloud infrastructure both for our own network and to host our clients' Qudos 3 IMS software installations. That is not reliant on a single service provider, so a failure in one does not disable the service.
Business Continuity Planning
So, one thing we learned from the Optus outage is to include such scenarios in our Business Continuity Planning. We recently ran an article on the very subject. Read here.
Communications is the key
Another thing we learned is that, should a disruption affect our own service delivery, it's imperative to have effective and timely communications - especially with our customers.
Optus came in for a lot of criticism for its failure to communicate, or to communicate well. There were reports of people without internet connection being advised to visit the company's web site for information.
The Sydney Morning Herald published an article titled "It's better to say too much than too little".
On Channel 9's A Current Affair last night, Rachael Falk from the Cyber Security Cooperative Research Centre stated "For any brand that goes through an outage or breach, you can't communicate enough. The customer needs to be front and centre of comms".
So what can we do? Our suggestion is to develop a communications plan. That should include who will communicate, to whom, by what means and under what circumstances. It is a good idea to have some template comms ready for certain eventualities. The comms can be adjusted as necessary, but the plan will help to respond better and faster.
Qudos 3 IMS software clients have a template Communications Plan in their toolkits. A customised version should be included in your master documents and reviewed periodically.
Webinar on ICT readiness for business continuity
On 2 November, we held a webinar on ensuring successful business continuity and disaster recovery in the face of adverse events. A recording is being prepared and will shortly be uploaded. Be sure to follow us on LinkedIn for notification.
Template Business Continuity Plan
To supplement our recent article and webinar on Business Continuity, we included a new template Business Continuity Plan with our November 2023 newsletter released last week. This latest template from the Qudos 3 ISO 27001 InfoSec Toolkit is in Microsoft Word DOCX format for easy customising.
If you do not already receive our newsletter and would like the template, subscribe now and you will receive it in a resend for new subscribers.
'ISO 27001 Information Security in plain English'
As a service to our visitors, this web site includes a series of blog articles where we work through requirements of all the clauses and controls in ISO 27001. You will find them to be a great starting point for developing your ISMS.
The series began with an introductory webinar. A copy of the slide deck is available for you here:
Ready to start your journey to ISO 27001?
The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experienced certification auditor to perform a professional Gap Analysis service for you.
Contact us today to discuss your needs!