[ISN] On the anniversary of 9/11, experts spot gaps in continuity plans

From: InfoSec News (alerts@private)
Date: Tue Sep 11 2007 - 22:32:10 PDT


By John-Paul Kamath
11 Sep 2007

Six years on from the September 11 terrorist attacks, UK businesses are 
not doing enough to prepare staff to work with IT systems in a disaster, 
the Business Continuity Institute has warned.

Lyndon Bird, technical services director at the institute, said firms 
had made good progress on technology recovery, but they needed to train 
staff in how to work in a disaster - a key lesson from the attacks on 
the World Trade Center.

Without trained staff, even the most automated operation will fail, said 
Bird. "Many organisations do not spend sufficient time or budget on 
staff training," he said.

Steve Salmon, business continuity consultant at professional services 
firm KPMG, said that post-9/11 he had seen more companies draft recovery 
plans and increase funding for business continuity projects.

However, many plans were flawed because of their emphasis on testing 
technology recovery, not how staff would use systems to maintain 
business practices, he said.

"More companies need to train employees to work with IT systems under 
live test conditions. They must also explain to staff what their 
responsibilities are in a crisis and train them to be multi-skilled so 
that they can keep key business processes going," said Salmon.

Jim Norton, senior adviser on ICT at the Institute of Directors, who was 
involved with drafting the BSI 25999 standard on business continuity, 
said the problem was particularly acute among small and medium-sized 

"Despite the lessons of September 11, our research showed that 43% of 
SMBs do not test their business continuity or disaster recovery plans or 
train their staff, and we do not believe this is changing."

The London Chamber of Commerce, which represents 3,500 UK businesses, 
called on the government to offer financial incentives to encourage 
proper contingency planning by businesses. "For smaller firms, these 
incentives could cover the initial cost of setting up and testing a 
continuity plan, and larger firms could be rewarded if they form 
partnerships to advise smaller businesses," said a spokesman.

David Bason, IS director at law firm Shoosmiths, said, "IT disaster 
recovery in itself is not enough. Replication of business processes and 
testing people and processes is critical to successful business 

David Walker, business continuity and information security manager at 
Guoman Hotels, said full testing could be expensive to conduct regularly 
and could disrupt normal business, but partial testing to see how people 
and processes interact with IT systems must occur.

