Saturday, January 10, 2004

Plans fail to prevent 'IT disasters' - UK

ZDNet UK - News - Plans fail to prevent 'IT disasters'

Andy McCue
silicon.com

Although nearly all large companies have a business continuity plan, more than half have suffered an 'IT disaster' during the past five years, according to new research.

Some of the UK's leading companies are inadequately protected from IT disasters, according to a survey of FTSE100 firms.

Research by Compass Management Consulting covering 55 companies in the FTSE100 found that while 98 per cent have a business continuity plan (BCP) in place, 58 per cent have still suffered an 'IT disaster' in the past five years.

The most common disasters suffered by respondents included hardware failure (22 per cent) and utilities failure (18 per cent), followed by deliberate or malicious damage (14 per cent).

It is the latter cause that companies are increasingly unprepared for, according to Debbie Rosario, senior consultant at Compass Management Consulting, who said that more than a third of firms did not consider deliberate or malicious damage at all in their continuity planning.

'There's not the degree of correlation between the types of disaster and the BCP. The focus appears to be on the technology but technology is getting more reliable.'

She said that while almost all organisations now have business continuity plans in place, there seem to be wide variations in their effectiveness. Only 38 per cent of those suffering an IT disaster actually invoked the plan to deal with the problem, and of those who did, 71 per cent still reported that their business was impacted.

Rosario said: 'It doesn't necessarily mean those business continuity plans are good or extensive.'

And while terrorism remains way down the list of actual incidents and priorities for IT departments, Rosario warned that firms are still leaving themselves exposed, with almost half not including security breaches in their continuity plans.

COMMENT:
==================================================
Audited software quality assurance controls should catch the rogue programmer who installs a back door for later use, but what about vulnerabilities that are exploited once the code is already in production? This comes back to effective risk management: preventing and mitigating attacks on production assets by hardening them in a test environment first. Correct Business Crisis and Continuity Management does not skip over this type of attacker, because it takes a systematic approach grounded in a secure enterprise architecture. The key focus is to anticipate threats through more effective combinations of training and testing in the lab, and then to provide proactive change management tools and systems that identify vulnerable assets and rapidly make the most likely targets the first priority for risk treatment.