The phrase "September 11" will always fail to do justice to its referent. In the months that followed the attacks on the World Trade Center, many a jaded IT journalist found themselves automatically deleting press releases that included the phrase as a makeweight.
Six years on, and 14 months after the 7/7 attacks on London, there is a keener awareness of the risks posed to the business continuity of companies, not to speak of the physical continuity of civilians. Back in 2001, the UK state had considerable experience in dealing with terrorist attacks, and some of that learning has, in the time since, been transferred to the private sector.
On 9/11 there were organisations based in the Twin Towers whose back-up datacentres were also housed in New York City. There were legal firms whose paper-only transactions were scattered to the winds. There were firms whose business continuity plans had not been adequately tested. And so on.
Today, Merrill Lynch has spread its datacentres out more geographically; Morgan Stanley has separated its trading and back-up facilities; and, in London, HSBC's staff can ring an incident number providing information directly from Transport for London and the Metropolitan Police.
For today there is a clearer understanding that business continuity is a people issue as well as an IT issue. Nevertheless, the latest DTI survey on disaster recovery shows that regular testing is still falling short.
Although terrorism brings these issues into sharper relief, it is, of course, only one threat to business continuity. And reading such threats falls under the general discipline of intelligent risk management.
Too often, IT professionals look inwardly at vulnerabilities rather than outwardly at external threat agents. A recent Institute of Internal Auditors report confirms that only 68% of internal heads of audit believe UK boards understand the full gamut and depth of IT risk.
Six years evidently isn't long enough.