Business and IT leaders have done far too little to improve their
organisations' readiness for terrorist attacks or
catastrophe.
Unless action is taken soon the increased awareness of business
continuity planning that followed last year's on the World Trade
Centre and Pentagon could be swamped by business-as-usual
complacency.
Almost 3,000 people lost their lives on 11 September. Fifteen
million square feet of office space was put out of action and up to
£3.5bn of IT and telecoms equipment was destroyed.
Despite these losses a survey of senior IT executives by analysts
organisation Gartner revealed that few organisations have effective
business continuity plans.
Just 13% of enterprises told Gartner they were "mostly" prepared
for major loss of life from catastrophic damage or attacks. Only
28% reported that they had business continuity plans for dealing
with the consequences of physical attacks and 36% had a plan for
complete loss of physical assets and work space.
Gartner analyst Simon Mingay was deeply disappointed. "Many
enterprises have not yet learned a key lesson of 11 September and
have not put significant resources into establishing operational
resilience in case of catastrophic damage or attacks," he
commented.
Peter Sommer, senior fellow at the Computer Security Research
Centre at the London School of Economics told CW360.com, the
situation in the UK was patchy.
"Certain parts of industry were already well-tuned to the issues of
contingency planning as a result of the last 15 years of Irish
terrorist attack. For those that had not been convinced," he added,
"it is doubtful whether even 11 September would change their
minds."
DK Matai, chairman of e-security consultants mi2g agreed: "In some
sectors, such as financial services, lessons have been learnt. In
others, such as professional services, a great deal more awareness
is needed," he said.
Businesses only have a brief opportunity to put into practice what
they have learnt from the tragedy said Gartner's Mingay. Even
disasters on the scale of 11 September, "create a relatively short
window of opportunity, usually about 12 months, during which
awareness is raised and executives are motivated to take
action".
The LSE's Sommer echoed the point. "It is an unfortunate fact that
the most persuasive practical justification for a good security
budget is not thoughtful risk analysis but big disasters. The
horror of 11 September created an opportunity for IT professionals.
They should use it well."