At an initial glance the disruption within Egypt is an internal security issue. However as events have unrolled a bigger picture is emerging, re-enforcing many governments concerns about the contribution of the internet, as a tool, to the spreading of discontent and also global awareness of the actions taken by the government.
In Egypt’s case the government does not appear to have taken actions to understood its vulnerability to information systems, like the web, and subsequently had no appropriate plans to manage this threat / risk when it came. So, as with many organisations that have no resilience / business continuity or incident management plan, the government responded with an ill considered knee jerk re-action by pulling the plug on all internet traffic.
Such a draconian measure, whilst taken to control the spread of the internal troubles, also comes with significant risks. I tweeted about these last week but wanted to follow up with a blog providing some deeper insight into my thoughts on the broader implications.
Undermining the Business Process Outsourcing Industry
Last year a number of Egyptian business process outsourcing providers became ISO27001 certified. The countries educational strength, language skills, particularly English, developing ICT infrastructure and government support has put it on the map as a destination for UK and other states to outsource business processes to. Egypt’s economy needs a much needed boost outside of traditional revenues such as tourism and outsourcing was an option producing results. The decision to pull the plug on internet services, to and from Egypt, will have had a significant effect on these BPO’s ability to deliver their contracted services. Here are some questions possibly worth pondering:
1. What impact will this have on individual service providers reputation, revenues and profitability?
2. What impact will this have had on customers using Egyptian BPO service providers?
3. What impact will this have on the reputation and longevity of the overall industry in Egypt?
4. Will potential customers broaden their ISO27001 and supply chain risk assessments to include the broader context within which global business operates?
5. Did the Egyptian government understand the risk to one of its few areas of growth and potential prosperity from its actions?
Government Policy: The Relationship between Information Security & Economic Policy
A broader question would be whether these events highlight, what I suspect is a relatively common policy weakness amongst national states, that there is a significant lack of understanding of the relationship between information security and broader economic and social policy. Is Egypts policy, like many, focused on keeping information confidential / secret or does it recognise, that in the inter-connected world that you have to understand the information security risks and plan for these? Does such an approach to managing the flow of information highlight vulnerabilities in the government’s economic, cyber , information security and information assurance policies?
Contextual Risk Assessment
Having recognised these issues several years ago I have been working with UK retailers on a broader strategic assessment of information security risks. So far we have highlighted several key global and national state policies and events which have had an impact on information security & business continuity. If you are interested in understanding the bigger picture or want your risk assessments to truly reflect the broader context within which your business or government operates within then please get in contact.