Tag Archives: Egypt

Business Continuity Amidst the Recent Middle East Turmoil

Omar Sherin

In late January of this year, the Middle East was the scene of unprecedented and rapid political and social changes that took the most mature businesses and industries by surprise, and left them virtually paralyzed.  Not even the most sophisticated and knowledgeable secret intelligence agencies predicted the massive scale social uprisings that emerged throughout the region.

It is worth analyzing business continuity strategy in Egypt because it witnessed what was probably the first international incident ever recorded of a government using the internet “kill switch,” as well as the ripple effect of the consequences resulting from the decision. Additionally, as Egypt is the second largest economy on the African continent following South Africa and it has the most diversified economy in the region by United Nations standards; therefore, the impact on diversified businesses is clearly visible and not
sector-specific.

How It Happened

After days of continuous anti-government demonstrations that used the Internet and social networks such as Facebook and Twitter as coordination platforms, the former administration decided to cut the Internet just minutes before midnight on January 27, 2011 with the hope of preventing protesters from using their communication tools. Minutes later, it was confirmed that there was no Internet connectivity whatsoever across the entire country. What was once deemed technically impossible was proven to be technically
possible. In such authoritarian countries, much of the physical telecommunications infrastructure is under the direct ownership and control of the government.

We saw firsthand the catastrophic impact of the government’s impulsive decision. Imagine a country or a modern business deprived “overnight” of emails, VoIP services, e-commerce, online conferencing, web-browsing, running a corporate website or even seeking remote online support. This unprecedented situation lasted for five consecutive business days.

Immediate Impact

Companies working in the IT outsourcing industry were among the first to be affected. The direct loss in revenue for those five days  is estimated at $90–$120 million USD, which does not include lost business opportunities and possible SLA violations and lawsuits. Another example is the banking sector. Several national and multinational banks announced key services such as international money transfer and online banking were unavailable or unreliable. With the national ATM network shutdown and the standalone ATM machines vandalized, millions of bank customers resorted to standing in long queues in front of their local bank branches.

Plans Exercised

Very few companies appeared to be unaffected and resilient. Some companies survived due to exercising solid BC plans yet others were sustained just because of pure luck.  One major mobile operator provides a good example of a company that survived the disruption. This company’s actions demonstrated effectiveness of having a solid and comprehensive business continuity plan in place.

On January 27, the BCP was triggered by the government cutting off the Internet. Then, the crisis management team (CMT) met and activated the disaster recovery plan (DRP) to safely shut down the local IT services and focus on securing the physical assets, data centers, key cellular towers, and power generation stations, from sabotage and perhaps the unsafe street conditions.

Initially, the customer call center was bombarded with calls complaining about difficulties using communication services like mobile Internet, Blackberry, international calls. Although the customer service representatives tried to explain the situation to callers, they soon realized it was a national problem.

On January 29, the government announced a national state of emergency and a curfew was enforced. Furthermore, all the mobile operators in the country received orders from the government to shut down all mobile communications including voice and SMS services as a last attempt to cripple the demonstrators’ communications. Due to a provision in the mobile regulatory license agreements signed with all the mobile operators, companies had to comply. This decision proved to have significant costly and negative
corporate image implications that later left those companies with no option but to embark on massive damage control and PR campaigns.
At this stage, the CMTs ordered the shutdown of the customer call center and landlines, activated the internal call tree and ordered all staff to remain at home until further notice. After receiving confirmation that all headquarters and branch offices countrywide had been evacuated and locked, the CMT started the crisis
communication plan which had to deliver several messages to international media and foreign stock markets where the company is listed.

On the IT side of the disruption, the DRP of this company was designed to mitigate the risk of total and complete loss in connectivity by developing a replica of its web services hosted in Europe, as well as by signing with a prominent cloud-based
managed services provider to manage the security and availability of the corporate emails for its 5,000 users in the cloud. This managed service had a provision that allowed them to save drafts of undelivered emails “in the cloud” for up to seven days. Once the former president and his administration announced his resignation, the Internet was back online and the employees’ mailboxes were flooded with week-old emails, certainly a better situation than an empty mailbox and angry customers.

On the other hand, entities such as the Egyptian stock exchange (egyptSE.com), which appeared to be online and reachable throughout the Internet blackout, proved to be on a single and fairly
small ISP in terms of market share. It is unclear if it survived the former government’s decision by coincidence, as the Stock Exchange is one of its few subscribers. On the other hand, it could be that the ISP was purposely spared because of the Stock Exchange and that the other few subscribers were incidental beneficiaries.

Based on available information, nearly 80 percent of the businesses in Egypt did not list the scenario of a national Internet blackout as a strong possibility and were therefore unprepared. The remaining 20 percent of companies were well-prepared with alternative and varied means of international communication, such as satellite connectivity “VSAT” and companies that do not exclusively rely on the Internet for business.

Who Survived?

The most advanced secret intelligence agencies in the world, such as the US Central Intelligence Agency (CIA), did not anticipate this revolution. The United States Secretary of State Hilary Clinton described the Egyptian government as “stable” after three days of events. Interestingly, none of the traditional risk assessment methods available or practiced in most of the companies in Egypt would have predicted the risk of a major political overhauling and social uprising.

The event was the world premiere of a government using the Internet kill switch, coupled with a nationwide mobile communication blackout. It simply caught everyone off guard. However,
corporate risk experts should have learned from their previous experience in 2008 when there was a major Internet services disruption due to human error when an undersea Internet cable was cut.

The failure to anticipate this major incident in the corporate risk matrix was impermissible. Perhaps the only companies that continued operation throughout the disruption were those with rigorous, dynamic, and active risk assessment practices that learned from the 2008 events and translated those lessons into viable disaster scenarios.

One key observation is that companies that used cloud computing were noticeably more resilient and capable of working around this disruption because of the flexibility and availability offered by cloud computing infrastructure.

Many small to mid-sized businesses with traditional BC and DR plans found that their plans had many shortcomings in regard to this particular situation, as there was a dependency on modern technology. Ironically, many companies could not activate their call trees since mobiles and SMS were unavailable and disseminating a message to the branch offices across the country was nearly impossible.

Even companies with expensive disaster recovery sites (located over 100 miles away) had problems activating the DRP due to the complete and prolonged loss in connectivity and the inability to seek technical support from partners or vendors, including industry blue chip companies.

The recent events emphasized how modern businesses really depend on technology and, particularly, the Internet. These events also provided the unfortunate reminder that we take these modern technologies for granted.

 

References:
1 Internet Kill Switch
(http://www.infowars.com/egypts-internet-killswitch-coming-to-america/)
2 Hillary Clinton comment on the events on the 28th
(http://af.reuters.com/article/topNews/idAFJOE70O0KF20110125)
3 Undersea cable cut
(http://news.bbc.co.uk/2/hi/7792688.stm)

 

Omar Sherin holds a bachelor of science degree in computer engineering, with more than 10 years of professional information systems security, resiliency and SCADA security experience. He is a member of the OWASP organization leaders board and a voting member on the IEC/ISA-99 standard for critical infrastructures security. He has worked for several multinational firms in the oil and gas sector, and he is a certified ISO27001LA, CEH, and a CBCP.

The Xceed Experience: Implementing the Plan

Khaled Embaby, Mahmoud Marzouk, Waleed Yasser, and Mohamed Al Awwa

The role of the business continuity management team at Xceed is to identify potential external and internal risks to the organization and set prevention and recovery plans. This role is not exclusive to planning, but rather it extends to include the management of staff and other resources with the objective of helping the organization to stay in business in the event of a disaster.

In light of the concerns of multiple political forces in Egypt about the possibility of the former president’s son coming to power, Xceed’s BCM Team considered the political unrest in Egypt as a potential risk, so they activated their plan. One precautionary measure was to follow opposition forces through various news sources and social platforms on the Internet.

There was increased social media activity as a result of the extreme dissatisfaction with the outcome of the parliamentary elections. Rumors began to spread that there would be widespread demonstrations.

Events at Xceed proceeded as follows:

January 24: The BCM team took control from the emergency operations center (EOC) at Xceed’s two sites in Egypt, Smart Village and Maadi Call Center Park, to monitor all activities that might affect the normal business flow.

January 25: The Egyptian Youth Coalition announced protests across Egypt. Xceed’s BCM action plans were immediately put in place with special consideration given to the possibility of an imposed countrywide curfew. Such a curfew would pose a major threat to the company’s ability to operate.

January 27: The Egyptian government cut off the Internet throughout the entire country including the corporate links. The resulting impairment to business function caused a dramatic impact on 30 percent of our business.

January 28: Demonstrators declared January 28 as Anger Day in reaction to the violent action taken by police forces to control the persistent and widening demonstrations. It was no misnomer. Egypt witnessed severe and violent confrontations between police forces and protestors. Around 5:00 p.m. the president announced that the Egyptian army would take over the security management of the country. As anticipated, a curfew was imposed from 6:00 p.m. until 8:00 a.m. daily.

The challenge at Xceed began. At the time the curfew was imposed, 880 employees were present at the Smart Village and Maadi Call Center Park sites. It was impossible to send them home because security conditions on the roads were alarming. It was considered much safer to stay at the office. We took immediate action to accommodate those 880 employees by serving hot meals and creating sleeping areas for them. At the same time, we let all the employees call their families to inform them that they were in a safe place and would spend the night on company premises. Additionally, we decided to let employees with small children choose whether or not to come in, as we expected to face the curfew situation during
the Anger Day. Fortunately, all the employees with small children decided not to come in on this day. Accordingly with the work force management team in cooperation with the operations team scheduled only those with no small children for work.

January 29: Egypt reached the red level of security. Police forces withdrew from their positions, prisoners escaped from prisons, looters were on the streets and chaos was everywhere. Xceed’s BCM team made the decision to work with the minimum number of employees required to run operations for our critical business service, which is the Ambulance 123 Hotline. Running only the one service meant accommodating 100 employees for a potentially infinite number of days.

Relying on the previously implemented plans with new daily inputs, and with the support of members of different teams—such as administration, facility management, physical security, and IT support—continuous action was in place to keep the business running and our employees safe. For the following six days, 100 employees were accommodated at Xceed around the clock. For the next three days, 250 employees were accommodated and then over a period of twelve days, we gradually increased the number of employees present until we successfully returned to normal operations.

The BCM team managed to recover business operations successfully in the face of political unrest and despite unforeseen challenges as a result of our precautionary plans. The timing and the size of the political unrest was unexpected as the anticipated political unrest was expected to take place later in the year and at a much smaller magnitude. The chaos that resulted from the reported escape of prisoners and the widespread looting were expected and caused a major physical security threat to employees and the community. Finally, the scheduled internet outage was unexpected, but Xceed’s BCM Team managed to counteract this challenge with only a 30 percent impact on business operations.

 

Xceed is a global provider of quality, multi-lingual Business Process Outsourcing (BPO) services. Xceed has two sites within Egypt, with its headquarters located in Cairo’s technology park, The Smart Village. Xceed has an additional contact center, geographically
and culturally proximate to Europe, at Morocco’s technology park, CasaNearshore Park.

The Outage and The Impact

Waleed Hammad

Despite the extensive efforts that the Egyptian government made in the past years to develop and promote the adoption of technologies, the shutdown of communications services for a full day and the Internet for the first five days during the Egyptian revolution had a great economic impact on most services nationwide. The Organization for Economic Co-operation and Development (OECD) estimated at least $90 million USD in losses in the telecommunication sector alone during the five days of the internet shutdown. This amount refers to lost revenues due to blocked telecommunications and Internet services; averaging $18 million USD per day.

Egypt has other sectors that depend on Internet and communications, including tourism and banking. Although it is difficult to conclusively determine the losses in the tourism sector, the banking sector suffered huge losses. All online banking and e-commerce services went down, ATM machines were almost non-functioning, and credit card payment facilities at local stores and
markets were totally suspended.

The IT outsourcing firms in Egypt are a good litmus test of the state of business continuity management in the region. The IT outsourcing business line grossed $1 billion USD in revenues in 2010 (or around $3 million USD per working day). Most IT outsourcing companies were affected in two different ways: medium-sized call centers, mainly representing non-governmental and/or non-critical domestic services, went totally offline. Other critical operation call centers were fully operational, such as ambulance and fire service and
military services. What follows is a comparison between two different crisis response approaches of two big names in the IT outsourcing field, each with two different geographical locations.

Serving national vital operations, Company A decided to continue operating from its headquarters and main branch by keeping employees literally living onsite, with food and sleeping
facilities in place. As the company is located at Egypt’s prime Communication and Information Technology Cluster and Business Park, the area was totally secured and governed by the military forces during the days of the revolution.

As for Company B, a giant international company, the company headquarters was equipped with a backup satellite Internet connection to serve its international overseas customers during crisis. However, the company decided to shift its main operations to other branches in different countries. The business continuity plan stated that key employees should be ready to travel to other countries should the headquarters becomes inaccessible. The plan was updated to include the addition that key employees should be ready to travel to other countries at any moment if communication went down for a certain period of time.

In brief, the long-term impact of the Internet and communications shutdown on Egypt’s economy is hard to assess. However, this incident reminded business owners why proper business continuity
management is a crucial driver in this region for both international and local business entities. Additionally, it urged the Egyptian government to form a committee to prepare an Egyptian business continuity standard, which is considered to be a step forward in increasing the BCM awareness in Egypt and within the region.

 

References:
Egyptian Cabinet- Information and Decision Support Centre
OECD—Organization for Economic Co-operation and Development

 

Waleed Hammad is the President of DRI MENA, he is also the Co-founder & Managing Director of PROXC Consulting (a leading business continuity management company in the Middle East). He has more than 12 years experience, delivering consultancy
and training to professionals in the Middle East in the areas of business continuity management, risk management, and project
management. He also is a member of the committee responsible of preparing the Egyptian BCM Standard.