27 January 2004

Terrorism not widely addressed in European business continuity plans

Terrorism not widely addressed in European business continuity plans:

"A survey by Synstar has found that terrorism features in just 20 percent of European business continuity plans. The survey of 700 European IT directors also revealed that changes to business continuity plans are more likely to be driven by issues that feel closer to home, such as corporate governance and audits (35 percent), and existing and potential customers (30 percent). 29 percent say that business continuity plans cover disruptions caused by severe weather conditions. 14 percent said they have plans in place in case of changes in the economic climate with a further 14 percent stating they have plans to cope with possible strike action.

"The survey found that 50 percent of companies have reviewed their business continuity plans in the last 12 months. However, some 20 percent were not aware if any changes to the plan had actually been made as a result. 10 percent admitted their BC plans were last reviewed more than two years ago. Even more surprising is the finding that 16 percent of IT directors don't know what risks their BC plans cover."

Predicting where, when and how a terrorist will attack our physical and information assets is difficult, to say the least. Ask any of our respective intelligence organizations this question and there is always a degree of analysis on the two main intersections of the threat matrix: threat exposure × consequences. The 20% who have evaluated terrorism in their respective Business Crisis and Continuity Management have found areas of "Intolerable Threat" with regard to their particular asset targets. The question is, why is it that 80% of the IT directors don't consider their own existing or former employees capable of malicious behavior? For terrorism, the threat is the aggressors (people or groups) that are known to exist and that have the capability and history of hostile acts, or have expressed intentions for using hostile actions against potential targets. Terrorist attacks are typically low-probability, high-consequence events. They require substantial investments in mitigation measures built into operational parameters. The key for the IT Director is to identify the best and most cost-effective mitigation measures for their own unique security needs and risk appetite.
