Business continuity plans should be part of a wider
security strategy that is closely aligned with business needs and
accounts for everyday threats as well as major
disasters.
The Buncefield oil depot blast last year sounded a very loud
warning to us all. Disasters do occur, and IT directors need to
establish a business continuity strategy to ensure that access to
business-critical systems is maintained.
And it is not just the big bang events that we need to prepare
for. Every day, businesses are under attack from viruses, worms and
hacking attempts. And end-users and IT staff are making decisions
that could inadvertently cause the corporate network to fail.
An analysis of the risks is crucial, but far too many
organisations handle risk in a haphazard way. Businesses need to
ask: how real is the risk? What systems will be affected? How will
this affect the business? What do I need to do to maintain business
operations? How much will it cost? The answers should be integral
to any security strategy.
IT directors need to understand how a security issue or disaster
could affect operations. It is all very well having a back-up site,
but as John Milne at the Financial Services Authority warns in the
article on page 35, there is little point in putting a back-up
datacentre within walking distance of the main site, as you may be
unable to get to either in the event of a terrorist act. Even a gas
leak could prove disastrous.
Although many businesses prepare for major disasters, it is the
run-of-the-mill events that can cause operational problems – even
something as mundane as a rail strike or a major traffic jam can
have an impact. Last month’s power cuts in London’s Soho
demonstrated how a combination of relatively minor events can lead
to businesses having to execute full-blown business continuity
plans.
So there may be little point in spending large sums of money
renting empty office space just in case a bomb takes out head
office, if all you require is the ability to offer flexible working
and remote access.
And even when there is a major catastrophe, such as at
Buncefield, IT services company Steria found that issuing laptops
allowed key staff to continue working even though the explosion had
taken out its head office.
Business continuity should, of course, be assessed as part of a
wider security strategy. A virus or worm may not have a direct
business impact, so IT directors must be prepared to weigh up the
risks. However, as John Kavanagh discovers in his article on page
28, few companies are tackling risk analysis in a systematic
way.
Approaching business continuity as part of a larger security
strategy may well help to reduce the disruption caused by common
security problems, such as users opening infected e-mail
attachments, or a modified application or new software patch
leading to network failure.
It is simply a matter of a security policy – perhaps supported
by software products – to minimise the damage when something goes
wrong.
But remember: an IT security policy is a living document and a
thorough IT security strategy is just a starting point.
This strategy must constantly be assessed to take into account
new risks and downgrade lesser risks. Most importantly, it should
reflect the ever-changing priorities of the business.
Without business alignment in your IT security strategy you risk
wasting time, effort and resources on non-essential activities,
while leaving critical business functions exposed.
Most businesses have IT security measures in place, but
fewer perform a systematic risk analysis. We find out how it is
done
The emphasis of business continuity needs to shift to
everyday threats. We look at how to set up reliable plans at the
right price
Vote for your IT greats
Who have been the most influential people in IT in the past 40
years? The greatest organisations? The best hardware and software
technologies? As part of Computer Weekly’s 40th anniversary
celebrations, we are asking our readers who and what has really
made a difference.
Vote now at:
www.computerweekly.com/ITgreats