Thousands of UK financial services companies still have no business continuity plans in place

Despite the dreadful events of September 11 last year, thousands of UK financial services companies still have no business continuity plans in place to keep their businesses running in the event of a terrorist attack or other major disaster, warns Tony Barker

You might think that the attack on the World Trade Center would have driven home the need for effective recovery plans. However, while a small number of the larger UK financial services organisations have made comprehensive plans, according to the Financial Services Authority (FSA) up to 40% of the approximately 11,000 firms it regulates have no back up arrangements at all. To be ready for all eventualities, the FSA has demanded that firms 'up their game' in establishing robust plans to cope with disruptions to operations.

Although most insurers and banks have contingency plans to cope with fire or power failures, the issue of information security – including disaster recovery, application availability and data security – have become more urgent since the September 11 attacks. The fact that many organisations have yet to implement even basic continuity plans is disturbing, and poses a significant risk to the financial services industry as a whole.

Drawing on experiences when the World Trade Center was attacked, my own company has learnt valuable lessons. One of the simplest is that an information security programme that was good on September 10 2001 would be equally good today.

A good security programme
A good information security programme must be based on a risk management model such as the one shown below. The stages of the model, and the actions to be taken at each stage represent, in the main, common sense and logic.

Protect > Detect >React > Recover and Revise The issues that need to be considered within these headings are very broad, and range from the obvious to the obscure. Many firms have inadequate resources to achieve a comprehensive and embedded information security process. Hence they turn to specialist companies to help them achieve it.

Some of the issues that need to be considered at each stage of the model are these:

Protect: Patch the holes. The most common and readily handled issue is to fix already known software security weaknesses by applying patches.

Configuration or implementation errors that may not be immediately apparent also need to be identified and put right. For example, some developers have a habit of setting up a 'secret entrance' within software that allows them easy access to the source code. Unfortunately, the hacking community often finds a way in through such entrances, with potentially disastrous results.

Another action is to ensure that the perimeter protection of firewalls, routers and other devices are adequate for the job. This is particularly important where systems can be accessed by other companies or by the general public.

Detect: Know what is happening on your network. Relying upon an intrusion detection process alone is not enough. Despite the high profile given to cybercrime, the greatest danger to most organisations comes from within, not from the outside. Even then not all damaging incidents are malicious; some are caused by genuine mistakes by staff.

Consequently, it pays to set up a constant and thorough monitoring process, looking out for both intentional and non-intentional misuse of critical systems.

React: Speed may not always be of the essence. Once an incident has been detected, the next steps are to determine its severity and mitigate the impact. The nature of the incident should determine the speed with which it is tackled. Not all types will require the same degree of attention.

Speed can be expensive, so response times need to be matched with the seriousness of an incident and built into the security protocols.

Recover and revise: Start a regular assessment programme. There are a number of good vulnerability assessment tools on the market, and some are even free. The primary objective following a security incident will be for the business to recover by making the system operational again. But this needs to be done in a structured, planned way, so as to avoid creating secondary problems. The recovery process needs to be incorporated into the security programme.

In addition, it will be necessary to revise the programme to prevent further similar incidents occurring. This may involve an adjustment in technology, in process, in the awareness and performance of people, or in any combination of these factors.

Developing a programme
A good security programme will ultimately hinge upon the attention given to three areas: processes, technology and people.

As well as calling upon the expertise and experience of specialist companies, there are two international standards in force that provide useful guidance and a reference against which to measure performance. These are ISO 17799 and ISO15408.

  • ISO 17799 – the international security standard that the FSA is urging financial services organisations to adopt – can be used to help develop processes, policies and compliance measures.
  • ISO 15408 is the result of an international effort to develop consistent evaluations of security products and systems. This standard can serve as one basis for specifying requirements, as failure to comply can weed out weak or immature technology and product vendors.

    Processes normally have to be implemented by people, and the technology used by them. So, responsibility for security cannot rest solely with security and IT staff. System users must also be aware of the importance of good security practices and of their own obligations and liabilities.

    Despite the standards, there are no globally recognised information security metrics. The extent to which any measures need to be implemented are up to individual organisations to decide. Most companies could do more than they are doing now. While perfect security may be unachievable (and unaffordable), good security is not.

    THE LESSONS FROM SEPTEMBER 11
    The businesses of a number of CSC's financial services customers were severely affected by the events of September 11 last year. Typical of the experiences of that day were those of a trading firm based on Wall Street, close to the World Trade Center, that outsources its IT infrastructure management to CSC.

    Apart from the obvious difficulties of power and communication disruption, and restricted access to the site, the CSC team executed a pre-established business contingency plan that resulted in the movement of 100 servers, 500 desktops, 2,500 people and 13,000 voice and data circuits to different locations in New York. Critical applications were relocated to sites in London and Delaware.

    The company was one of the first to recommence trading on the NYSE when it re-opened on 17 September, and had the busiest day in its history. The contingency and backup systems performed without a hitch.

    What were some of the lessons learnt from this exercise?

  • An information security programme that was good on September 10 2001 would be equally good today.
  • Time spent practising crisis scenarios – whilst not on the scale of September 11 – proved invaluable in providing experience on the decisions that had to be taken.
  • The establishment of a crisis centre allowed technical issues, as well as personal ones, to be managed, and improved overall communication.
  • Despite all the planning, things had to be done which had not been anticipated. For example, no one had considered that there would be a crisis so devastating that it would affect the firm's customers, as well as the firm itself. This is now always taken into account in CSC's work for its clients.
  • In a crisis as big as this one, once you start to execute a contingency plan you immediately need to start devising a secondary version to protect what you do under your primary one.
  • Panic is something you have to consider, as people who have been leaders may lose their ability to lead in an extreme situation. In the midst of a crisis some one must lead – it doesn't matter who.


    ATTITUDES UNCHANGED
    The attitude of more than one third of companies to disaster recovery has not improved in the wake of September 11, according to a survey recently published by Survive. The survey also shows that the level of confidence in the effectiveness of business continuity plans among those whose job it is to produce, test and operate the plans, is low.

  • 35% of the experts admit their businesses are not adequately protected against most forms of interruption – let alone a terrorist strike.
  • 65% say their suppliers have failed to reassure them of their continuity plans.
  • 43% of business continuity departments have had no extra investment since September 11.
  • 31% say their departments have been victims of the economic slowdown.


    Survive is a user group for business continuity specialists from around the world. Currently it has nearly 3,000 members.

    More information is available at www.survive.com

    Tony Barker is director of marketing, UK financial services, Computer Sciences Corporation, Tel: 01422 265432, E- mail tbarker@csc.com