The Public Eye with Eric Chabrow

Boston Tragedy Offers Risk-Management Lesson Business Continuity Plans Cannot Rely on Wireless Networks

In the wake of the Boston Marathon bombing, which claimed at least three lives and injured 150, we're all searching for answers of one kind or another.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

For security and risk leaders, if they can draw any immediate conclusion from the tragedy, it's this: No business continuity plan can be overly dependent on wireless communications.

One of the key stories in the immediate aftermath of the bombing was the failure of cellular communications. Despite erroneous reports that cell service had been shut off to prevent remote detonation of any remaining explosives - wireless providers dismissed those reports as groundless - the reality was clear: A high volume of calls disrupted service in Boston.

This outage is yet another reminder to organizations that they need to develop alternative ways to communicate with employees during such emergencies. Otherwise, they could put their organizations' continuity plans at risk.

For hours after the mid-afternoon, April 15 explosions, callers clogged Boston-area cellular networks, making it all but impossible for many customers to get service, a situation that's not uncommon when such a disaster occurs. Hundreds of thousands of people who normally aren't in Boston on a weekday converged into a small, geographic area, not only for the marathon, but also for a Red Sox baseball game at nearby Fenway Park and other celebrations for the distinctively Massachusetts holiday known as Patriots' Day.

Media reports say the overwhelming voice traffic that brought the cellular network to a crawl made it difficult for first responders to communicate with one another. A Verizon Wireless spokesman said the company advised customers in downtown Boston and surrounding neighborhoods to avoid using their mobile devices for phone calls, instead suggesting they rely on text messaging or e-mail, which employs much less bandwidth.

The advice that users employ alternate ways to communicate by mobile devices is an idea organizations should consider when reviewing their own disaster recovery and business continuity plans.

As a society, including many businesses and government agencies, we've become highly dependent on mobile devices. And many business continuity plans are built around the notion that, if people cannot get to work, they can still work at home and maintain communications via mobile devices and wireless networks.

But as last fall's Super Storm Sandy taught us, these plans are useless when electricity is out and networks are down.

Likewise, the Boston tragedy shows how heavy call volume - which you'd expect during a disaster - can cripple mobile communications.

There is much still to learn about Boston - how the bombings occurred and how such attacks can be prevented in the future. But we already know that disasters such as the Boston bombing and Hurricane Sandy will happen again. It's incumbent upon businesses and government now to keep the communications channels open to employees and other stakeholders by developing plans to cope with the loss of cellular services. It's just good risk management.



About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network