Business continuity plans should be part of a wider security strategy that is closely aligned with business needs and accounts for everyday threats as well as major disasters.
The Buncefield oil depot blast last year sounded a very loud warning to us all. Disasters do occur, and IT directors need to establish a business continuity strategy to ensure that access to business-critical systems is maintained.
And it is not just the big bang events that we need to prepare for. Every day, businesses are under attack from viruses, worms and hacking attempts. And end-users and IT staff are making decisions that could inadvertently cause the corporate network to fail.
An analysis of the risks is crucial, but far too many organisations handle risk in a haphazard way. Businesses need to ask: how real is the risk? What systems will be affected? How will this affect the business? What do I need to do to maintain business operations? How much will it cost? The answers should be integral to any security strategy.
IT directors need to understand how a security issue or disaster could affect operations. It is all very well having a back-up site, but as John Milne at the Financial Services Authority warns in the article on page 35, there is little point in putting a back-up datacentre within walking distance of the main site, as you may be unable to get to either in the event of a terrorist act. Even a gas leak could prove disastrous.
Although many businesses prepare for major disasters, it is the run-of-the-mill events that can cause operational problems – even something as mundane as a rail strike or a major traffic jam can have an impact. Last month’s power cuts in London’s Soho demonstrated how a combination of relatively minor events can lead to businesses having to execute full-blown business continuity plans.
So there may be little point in spending large sums of money renting empty office space just in case a bomb takes out head office, if all you require is the ability to offer flexible working and remote access.
And even when there is a major catastrophe, such as at Buncefield, IT services company Steria found that issuing laptops allowed key staff to continue working even though the explosion had taken out its head office.
Business continuity should, of course, be assessed as part of a wider security strategy. A virus or worm may not have a direct business impact, so IT directors must be prepared to weigh up the risks. However, as John Kavanagh discovers in his article on page 28, few companies are tackling risk analysis in a systematic way.
Approaching business continuity as part of a larger security strategy may well help to reduce the disruption caused by common security problems such as users opening infected e-mail attachments, or when a modified application or new software patch leads to network failure.
It is simply a matter of having a security policy – perhaps supported by software products – that minimises the damage when something goes wrong.
But remember: an IT security policy is a living document and a thorough IT security strategy is just a starting point.
This strategy must constantly be assessed to take into account new risks and downgrade lesser risks. Most importantly, it should reflect the ever-changing priorities of the business.
Without business alignment in your IT security strategy you risk wasting time, effort and resources on non-essential activities, while leaving critical business functions exposed.
Vote for your IT greats
Who have been the most influential people in IT in the past 40 years? The greatest organisations? The best hardware and software technologies? As part of Computer Weekly’s 40th anniversary celebrations, we are asking our readers who and what has really made a difference.
Vote now at: www.computerweekly.com/ITgreats