The UK's financial services sector is one of the most
tempting targets for cyberattacks and conventional forms of
terrorism.
Publicly, City firms point to their rigorous disaster recovery and
business continuity arrangements, insisting that they have been
updated and thoroughly tested since the 11 September terror attacks
in 2001. However, some City IT managers have painted a more
worrying picture of the robustness of financial companies'
safeguards against threats to their IT infrastructure.
"I think some people in financial firms have learned the lessons of
September 11 but in general they haven't," said one veteran IT
manager at a large City firm. "In general, people are very bad at
preparing for low-probability high-consequence scenarios."
Predicting and preparing for the myriad modern-day threats to a
company's IT infrastructure can be difficult. "[A few years ago] I
worked in a building that was half taken over by anti-capitalist
protesters," the City IT manager said.
"There were blood stains on the marble floor. They did not manage
to damage any IT systems but they did take out some electronics. We
reviewed our disaster recovery arrangements about a week
afterwards, but how likely to happen was that?"
Most firms have a dedicated person responsible for business
continuity and disaster recovery arrangements, and this person will
often have a background in IT.
But within City IT circles, being head of business continuity is
not seen as a prestigious role. This is likely to stop the
brightest people applying for the job and limit their influence
within companies.
"Business continuity chief in financial services is seen as a
career dead-end and is generally a place to go and retire because
you haven't reached central management," the IT manager said.
Financial firms use a variety of disaster recovery arrangements,
ranging from the most sophisticated and expensive twin-system (in
which IT systems are mirrored at the disaster recovery datacentre
site) to nightly back-up of data on tapes.