
Six years on from the September 11 terrorist attacks, UK
businesses are not doing enough to prepare staff to work with IT
systems in a disaster, the Business Continuity Institute has
warned.
Lyndon Bird, technical services director at the institute, said
firms had made good progress on technology recovery, but they
needed to train staff in how to work in a disaster - a key lesson
from the attacks on the World Trade Center.
Without trained staff, even the most automated operation will
fail, said Bird. "Many organisations do not spend sufficient time
or budget on staff training," he said.
Steve Salmon, business continuity consultant at professional
services firm KPMG, said that post-9/11 he had seen more companies
draft recovery plans and increase funding for
business continuity projects.
However, many plans were flawed because of their emphasis on
testing technology recovery, not how staff would use systems to
maintain business practices, he said.
"More companies need to train employees to work with IT systems
under live test conditions. They must also explain to staff what
their responsibilities are in a crisis and train them to be
multi-skilled so that they can keep key business processes going,"
said Salmon.
Jim Norton, senior adviser on ICT at the Institute of Directors,
who was involved with drafting the BSI 25999 standard on business
continuity, said the problem was particularly acute among small
and medium-sized businesses.
"Despite the lessons of September 11, our research showed that
43% of SMBs do not test their business continuity or disaster
recovery plans or train their staff, and we do not believe this is
changing."
The London Chamber of Commerce, which represents 3,500 UK
businesses, called on the government to offer financial incentives
to encourage proper contingency planning by businesses. "For
smaller firms, these incentives could cover the initial cost of
setting up and testing a continuity plan, and larger firms could be
rewarded if they form partnerships to advise smaller businesses,"
said a spokesman.
David Bason, IS director at law firm Shoosmiths, said, "IT
disaster recovery in itself is not enough. Replication of business
processes and testing people and processes is critical to
successful business continuity."
David Walker, business continuity and information security
manager at Guoman Hotels, said full testing could be expensive to
conduct regularly and could disrupt normal business, but partial
testing to see how people and processes interact with IT systems
must occur.