Recent information about IT security, a particular aspect of business continuity plans, highlights the high risk behaviour of people in using computer passwords. The data comes from passwords uncovered by hacktivists group Anonymous, who then exposed them online. The more general question is then whether such a gap between stated rules and real life behaviour can exist in domains like business continuity itself. To get a handle on the degree to which things can degenerate, can you guess which was the top hacked password for 2012?
The top hacked password for 2012 was simply “password”. Runners-up in positions 2 and 3, also unchanged from the previous year, were “123456” and “12345678”. After that, the list contains further gems such as “abc123”, “qwerty”, “monkey”, “letmein” and “dragon”. “Welcome” for example is a new entrant in the list at number 17. While this is not to say that everybody is guilty of such behaviour, a further statistic from the hacking by Anonymous of the Greek Finance Ministry showed that about 37% of workers were using “123456” as a password. If the disconnect exists for something as obvious as computer passwords, one could be excused for feeling doubtful about what business continuity plans are supposed to accomplish.
What’s the solution for BC plans? We can compare with remedies for IT security and information security in general, which can be improved by employee training, awareness campaigns and managers setting the example. To narrow or even eliminate gaps between business continuity plans and employee behaviour, the same tactics are also available. As background activities of business continuity are less visible than the daily entry of account passwords, the key is to identify BC actions required by staff on a regular basis and to communicate by first using those actions as a lever.