From the ancient Akkadians who scraped cuneiform symbols into clay tokens, to the oracle bone script used for divination in China millennia ago, through to the humble blue Biro, our writing systems have taken many forms throughout history.
But how strange it would seem to a papyrus-toting Egyptian scribe that our latest system involves no scraping, pens or ink at all — just pixels on screens and the ones and zeros of intangible computer code.
Although digital systems offer unparalleled scale and efficiency, an overreliance on them leaves organisations exposed when IT outages or cyber attacks strike.
Even in today’s thoroughly digitised world, cyberattacks can force businesses to return to using analogue forms of communication. When Starbucks’ third-party payment supplier, Blue Yonder, was hit by ransomware, the coffee company was forced to process payments with pen and paper. Foreign exchange firm Travelex similarly had to revert to analogue when it suffered an attack.
When digital access becomes unreliable, analogue readiness is essential
And in 2019, Norsk Hydro, a major renewable energy company in Norway, was forced to operate with manual processes for three weeks while it worked to restore systems following a major ransomware attack.
Reverting to analogue systems is especially complicated when a business operates in heavy industries. Norsk Hydro, for example, was forced to draft in former employees retirees who knew how to run a business in the pre-computer days – they printed out order forms, left sticky notes on computer screens and ran mission-critical processes with pen and paper, Hilde Merete Aasheim, the former CEO, told Time.
“It’s very easy to forget about analogue readiness because everything’s online,” says Joe Jones, CEO of Pistachio, a cybersecurity training company. “But when digital access becomes unreliable, analogue readiness is essential.”
Including analogue readiness in business continuity plans
In today’s digital economy, going analogue is not a permanent solution for any organisation. But, as huge IT blackouts and cyber incidents have shown, digital systems are frail and having a retro fail-safe in place can be a vital lifeline.
So says Jaco Vermeulen, the CIO at BML Global, a business technology consultancy. Vermeulen recalls defining a cyber resilience plan for an NHS Trust. When an IT fault was mistakenly thought to be a cyber incident, the Trust was forced offline and back to pen and paper.
“In a hospital, you can’t just suspend operations, because people’s lives depend on it,” says Vermeulen.
Fortunately – and somewhat ironically – the NHS’ slow adoption of digital technologies proved to be an advantage, as staff were well acquainted with working offline. Additionally, new joiners were trained in manual business continuity so they could keep the hospital running even as systems went down.
“The focus was on critical services,” says Vermeulen. “All records were kept with paper and there was a clear strategy for putting these back into the system once stability was restored.”
During the two day period, where pen and paper was the primary way for sending messages, communication was key. People picked up the phone and alerted the appropriate departments that they would be switching to manual processes, then followed a predefined script of how to work offline.
Having such a script is help organisations weather a period where systems are offline and prevent errors in communication.
Analogue readiness and business continuity: test, test, test
Simon Højmark is the head of cyber for the European division of QBE, an Australian-headquartered insurer. He has seen cyber claims where the claimant needed to revert to analogue, only to realise they didn’t have any blank paper.
“Organisations need to think the unthinkable, run table-top exercises and test response plans,” he says.
Businesses tend to fare better at operating in a crisis during normal work hours but Højmark advises that they also think about how they would run “from five to nine” in an emergency. This requires establishing a chain of command – setting out who reports to whom – and ensuring that responsibilities are clearly defined so that business decisions are not delayed.
Even if organisations have digitised versions of cyber incident response plans, such as the ISO 22301 standard, it’s “really important that they have a secure, local copy of the plan,” says Tracey Hannan-Jones, a cybersecurity consultant who has designed business resilience strategies for governments. Businesses should know where this copy is and who controls the plan, she adds.
It’s not quite going back to slate and chalk, but having really basic tools on hand is important
“More often than not, when I audit for business continuity, I find people have got out-of-date copies [of their plans],” Hannan-Jones says. “It’s about maintaining that copy all the time – it really becomes your fail-safe mechanism for things like power outages or when you lose digital services.”
Hannan-Jones advises that businesses create a securely stored, up-to-date ‘battle box’ in the event of such emergencies. This should contain a copy of the most up-to-date business continuity plan along with any supporting documents.
That means keeping pens and paper on hand too. “When the proverbial hits the fan,” she says, “and you’re scraping around for these things, you want to know they actually work and it’s not some dried up old one that somebody’s left in the cupboard. It’s not quite going back to slate and chalk, but having those really simple, basic tools on hand is important.”
Business continuity in cyber crisis: back to basics
To better understand their exposure to risk, businesses should go back to basics and establish what their core, critical business functions are. “Picture losing your customer relationship management platform for a week,” Jones says. “What are your sales and customer success teams going to do? Do they have some form of offline contact directory? Do they have some way to manage customers offline?”
Only by mapping out business risk can organisations take proactive steps towards mitigating in the event of a major cyber incident or IT outage.
“Very few organisations actually have a clear view of their risk,” says Vermeulen. “And therefore they don’t have a measure for defining what they need to do if something goes wrong.”
That translates to an over-reliance on their tech and a negligence of what their businesses’ operating model and processes actually look like.
Organisations should define their core business proposition and operating model, flag what’s critical or essential and then define business continuity accordingly, with manual alternatives. They don’t have to be manual, but it’s better to have the option if needed.
For example, one of Vermeulen’s former clients ran a fully automated warehouse. A general failure in the data centre that powered it knocked that automation offline and the company had to revert to manual controls. “They worked in just-in-time principles and they were able to do so,” he says, “but that was only possible due to defining a clear way of working manually.”
So while ones and zeros may have mostly replaced the inky scrawling of yore with digitisation and the paperless office, there’s still a place in the world for that trusty ballpoint – at least in an emergency.
From the ancient Akkadians who scraped cuneiform symbols into clay tokens, to the oracle bone script used for divination in China millennia ago, through to the humble blue Biro, our writing systems have taken many forms throughout history.
But how strange it would seem to a papyrus-toting Egyptian scribe that our latest system involves no scraping, pens or ink at all — just pixels on screens and the ones and zeros of intangible computer code.
Although digital systems offer unparalleled scale and efficiency, an overreliance on them leaves organisations exposed when IT outages or cyber attacks strike.
