The failure of an organisation's IT network can be debilitating, and it is a risk that affects almost all companies, across all industry sectors. By Shaun Cooper
IT security events, such as identity theft and computer viruses capture headlines, but it is the quiet catastrophes that have the potential to damage organisations' most valuable IT assets and intangible property, including data, availability of information systems and, most importantly, reputation.
Without robust defence mechanisms, critical assets and intangible property can suffer serious damage when the speed and scale of an incident result in severe, unplanned outage to IT dependent processes and security systems.
In just the first few months of 2007, IT losses demonstrated their potentially catastrophic impact on organisations' reputations. For example, a leading financial institution faced a possible breach of customer data confidentiality following the theft of a laptop from an employee. A technology outsourcing company suffered a power failure. As a result, its customers were unable to access their own computer networks, causing severe system failures at their key trading and data centres.
This article highlights the issues an organisation needs to address, from improved communication between enterprise risk and IT to understanding and analysing the perils and their impact in this evolving area of risk.
Information security principles
The international standard for information security management systems ISO 27001, defines information security as the preservation of "confidentiality, integrity and availability of information." The standard continues, "In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved."
The standard also systematically describes how to ensure:
+ Availability - the system is accessible and usable upon demand by an authorised entity
+ Confidentiality - information is not made available or disclosed to unauthorised individuals, entities, or processes
+ Integrity - the assets are kept accurate and safe
It seems clear that preserving the confidentiality, integrity and availability of information must involve people, processes and systems. As any failure would certainly increase the risk of loss, information security constitutes an important factor in the control of enterprise risk.
In the past, those responsible for IT security have been familiar with computer systems, electronic threats and vulnerabilities. Their reporting line has tended to be the IT manager whose attitude to IT risk focuses on maintaining the efficient use of technology and of networked assets. Instead, IT security should be viewed in its relationship to the business process as a whole. In today's compliance-driven global economy, understanding of enterprise risk and of IT security risk must be integrated as businesses become increasingly dependent upon technology and networked assets.
Malicious and accidental perils
It is not only a catastrophic disaster that can adversely impact your organisation; even a minor occurrence can have a potentially costly effect. Perils include the following:
+ Serious information security incidents - cyber crime, misconduct by employees, loss of electronic data, accidental or deliberate disclosure of sensitive information, and IT system failure
+ System failure - loss of internal power, air conditioning unit failure, production line failure, cooling plant failure, loss of utilities and services, telecommunication services failure
+ Deliberate disruption - acts of cyber terrorism and industrial sabotage, cyber extortion
+ Natural disasters and accidental damage - tornado, hurricane, flood, earthquake, electrical storm, fire and human error
Faced with events like these, most organisations turn to their traditional property or liability insurance policies to reimburse them for their own financial loss or legal defence costs. However, such losses are not generally covered because information and systems are deemed intangible property. The business could discover too late that its policy carries data loss exclusions.
Impact of a disaster
The Irish cyber crime survey 2006 by the Information Security System Association and University College Dublin revealed that 51% of organisations required more than 10 days to recover from a cyber crime incident, with a quarter needing over 50 days.
Although the immediate impact of an unplanned event will be apparent in lost revenue and the inability to deliver both critical services and advertised products, these are not the causes from which so many organisations ultimately fail. It is the knock-on effect of this interruption to business that delivers the ultimate impact for many organisations. Such consequences can include:
+ Reputation and customer brand loyalty are damaged.
+ Customers may start to seek out alternative suppliers.
+ Supply chain partners also look at alternatives.
+ Stakeholder funding may disappear.
An organisation that fails to provide a minimum level of service to its customers following an unplanned event may not have a business to recover. You need to identify your organisation's pain threshold for catastrophic IT failures: the longest outage it can tolerate before the damage becomes irreversible. This may vary from minutes for a stockbroker to days for a law firm.
The first stage is to analyse your business, as it is necessary to understand at the outset exactly where your business is vulnerable. You will need the fullest possible understanding of the important processes inside your organisation and between you and your customers and suppliers. This process will also assist in gaining the involvement and understanding of other people and departments, thus helping identify which, if any, parts of the organisation already have plans or procedures in place to deal with an unexpected event.
Most companies have put in place technology that enables them to deal with operational security, such as intrusion detection and anti-virus systems. An astute business will also implement managerial and strategic planning controls. Recent surveys have shown that few businesses have clearly identified all their critical information assets. Even more worrying, they have not understood what they need to do to protect the availability of those information assets, or to detect whether their confidentiality or integrity has been breached.
Business continuity management is not just about reacting to an incident, disaster recovery, crisis management, risk management control or technology recovery. Nor is it just a professional specialist discipline. Business continuity management is an activity the business owns and drives that can provide the strategic and operational framework to review the way it provides its products and services and increase its resilience to disruption, interruption or loss.
While larger organisations generally have more to lose and more ways to lose it than smaller organisations, smaller firms often suffer the most devastating results from seemingly minor business interruptions. Smaller organisations tend to have tighter limits on their ability to absorb losses and respond to interruptions.
The key to recovery is time. The organisation that recovers in the shortest possible time will best mitigate its losses.
Shaun Cooper is network risk consultant at Aon.