Maintaining 24/7 operations in a changed world

As physical security is tightened in the wake of the attacks in the US, Paul Williams looks at the possibility of cyber-terrorism and what can be done to prevent it.

There is much talk of "business as usual" as the world's financial communities attempt to restore normal operations in a world that may never be the same again.

In my last article I discussed the need in today's business world for 24/7 operations enabled by technology. There is little that the business world can do to protect itself against the physical attacks that occurred last week, although many business continuity plans will now need to be re-assessed in the light of the sheer scale of those events.

Many assumptions will need to be revisited including the ease of access to buildings and back-up sites, the potential loss of personnel, and the impact of the disaster across multiple businesses within the same trading community. But what about the more subtle and potentially business-fatal attacks that could arise from cyber-terrorism?

Will cyber-terrorism be next?
Given the recent events in the US, and the possibility of further attacks on information networks as well as physical structures, what are businesses doing to manage the risks to their business from potential cyber-terrorism?

In the US, the FBI issued a warning that "Tuesday's attacks could be followed by a series of cyber-attacks". Attacks on information networks could cause not only financial losses: imagine if the machines that were attacked were the ones that operated air traffic control systems or controlled a nuclear power plant?

As strict physical security measures are put into effect across the Western world, will terrorists attempt to achieve their aims of disruption and destruction through attacks against information networks? In the 1990s, the Pentagon produced a number of studies that showed that a cyber-attack on computer and communication systems could cripple the US as severely as a physical attack.

What precautionary measures can we take to reduce the risks to our IT infrastructures?

Risk identification and analysis
We must first be confident that all relevant risks have been identified, and that management understands which of them require action to reduce them.

There is a limit to the resources available for reducing risks, and compromises will inevitably occur. Even huge expenditure such as the proposed "Son of Star Wars" missile defence scheme would not have prevented the attacks on the US. However, it is also important to remember that no risk can ever be completely eliminated - no country or business can ever be completely secure.

Building defences
A combination of measures such as well configured firewalls, effective monitoring tools and high levels of security awareness can help to reduce the damage caused by cyber-attacks. However, companies have to remember there are more than just tangible assets at risk. The damage to a company's reputation resulting from a security incident can far outweigh the loss of data or cost of rectification. Loss of reputation and shareholder confidence can contribute to long-term damage and even potential business failure or takeover.

Businesses should establish a Business Continuity Plan, taking into consideration disaster recovery for events such as hacking or intrusion as well as for the more traditional physical disaster scenarios. The key to the plan operating effectively is awareness that an attack has occurred, together with good communication and training about the plan so that it can be put into action quickly.

Be proactive
This is a time to focus your security budget on the key risks to your enterprise.

Urgent and effective action is required in areas such as disaster recovery planning and external back-up and storage solutions, both of which can serve to mitigate the effects of cyber-attack. Many companies in the World Trade Centre had set up dedicated back-up sites following the 1993 bombing and were able to relocate their operations quickly to New Jersey or elsewhere.

Just as people are the heart and mind of a business, IT and telecommunications networks are increasingly serving as its nervous system. It is becoming increasingly important that these business assets are given adequate protection, and that this protection is provided in a proactive rather than reactive manner.

To date there has been no coordinated cyber-terrorist attack in the UK. However, businesses should take notice of the increasing use of hacking and other attacks as additions to traditional physical threats.

Risk management should be considered at all levels with the understanding that these risks are very real and that it is everyone's responsibility to ensure that these risks are properly managed. From a governance viewpoint, management boards and audit committees should be seeking positive assurances that these threats are being properly assessed and that there are adequate measures in place to minimise the impact from such attacks.


Paul Williams FCA, MBCS is immediate past international president of the Information Systems Audit and Control Association and a partner with Arthur Andersen's financial markets division in London.
