Business Continuity – More Than Just a Plan Is Required
by FEI Daily Staff

Information technology is no longer just a back-office function, staffed by computer geeks speaking their own language. IT keeps a company open for business, and if not careful, it can also close the business down — for good.

Consider: information technology isn’t just the computer on your desk, the laptop in your bag or the mobile device in your pocket. IT controls who is and isn’t entering the building – virtually and physically – and how and where customers are served. It also drives a company’s production line and even has a part to play in how the coffee is produced.

For every company, there is a requirement to exercise due diligence and care of the company’s assets and the future ability to produce returns for investors, from revenues. This is increasingly embedded in legislation, regulation, standards and best practice guidelines.

A definitive list is neither necessary for this article nor realistically possible, given how frequently the requirements change or are amended, further complicated by differences in terminology between sectors and countries. Suffice it to say, to exercise due diligence and care, executives and administrators need to plan for the day they can’t – in other words, they need a business continuity plan.

The challenge is this: get a copy of your company’s plan (if one exists), dust it off and actually read it. In the majority of cases, it will cover eventualities such as damage caused by fire, theft or even flooding. If the company is based in one of the cities vulnerable to terrorist attack or other disaster eventualities, it may even include a section on external threats. There is probably a plan for overcoming a power failure, for where to source external staff in the case of significant staff illness, and for crisis management in the event of a production or product distribution failure.

Now, what does the business continuity plan say about handling a cyber attack? Chances are it doesn’t.

In this day and age, most companies – whether a single office or a large international conglomerate – rely on computer systems to function. If attacked tomorrow, the reality is that the attack will shut the operation down. How long it takes to get back up and running, if at all, comes down to those with management responsibility. So planning for the inevitable is a must.

IT Under Attack

An attacker isn’t just interested in stealing information or funds. Organizations are experiencing attacks, whether denial of service or injected malware, that are designed to wreak havoc and ideally shut the business down. Recent high-profile victims include Facebook and Twitter. However, it’s often not just the direct victim that suffers, as PayPal, VISA and MasterCard can attest, having fallen victim by association.

Any company can be a target, as it’s not just anonymous cyber-terrorists waiting to pounce. If so inclined, a disgruntled employee could wreak just as much havoc on an IT system.

The effect of being closed for business, however temporarily, will cost the organization money. For an online retailer, it’s a little more obvious. If customers aren’t able to make purchases, there’s the immediate loss of revenue. However, for a large manufacturing company, if its IT infrastructure fails and production has to shut down for 24 hours, the costs will soon mount – potentially into the millions.

The expense isn’t limited to the immediate problem of restoring services or production – there’s the lost time, ruined stock, the ongoing cost of rebuilding confidence among customers and potentially shareholders, plus peripheral effects such as an increase in insurance premiums. The costs quickly mount.

The AT&T Business Continuity Study reported that:

  • 77 percent of organizations indicate that employee use of mobile devices plays a major or minor role in the business continuity plan.
  • 50 percent have virtualized their computing infrastructure, yet fewer than four out of 10 (38 percent) have implemented a business continuity plan for the virtualized infrastructure.
  • 84 percent of all companies surveyed have e-mail or text messaging capabilities to reach employees outside of work, and 73 percent have systems in place that enable most employees to work from home or remote locations.

On the surface, all of these resources offer a lifeline to an organization in the event of a general infrastructure failure, and some of these initiatives have probably been rubber-stamped in the budget already. On a day-to-day basis, however, they also ‘throw open the doors’ to the outside world, risking extreme disruption through attack.

First Line of Defense

An organization’s IT team has many responsibilities with one main, overriding objective: to deliver the best service possible. However, this does not always promote the best security possible. Why? Budgets are usually the biggest issue. CEOs must understand the need for enhanced security and ensure their IT teams deliver it.

When a corporation has spent millions on network defenses, it is close to incompetence not to make sure those investments are working at optimum effectiveness. Regular audit and validation lead to enhanced security, cost very little, and are a must-have process.

With constant vulnerability testing and security enhancement through configuration, better rules can be defined and implemented. This activity can even avoid additional capital expenditure on unnecessary security devices, saving budget.

Making sure your defenses are working at their optimum is not just the responsibility of the CIO, CSO or other senior IT manager. It goes all the way to the top. The function of the CEO and board of directors, as part of their legal responsibility and the charge given them by shareholders, is to exercise good corporate governance.

It makes no sense to build an office on sand, so why allow the IT infrastructure to have insecure foundations? Ignoring network defenses is tantamount to corporate suicide.

This article first appeared in Financial Executive magazine.