Security must include business continuity

Security threats have a significant effect on business - so are IT managers prepared?

Computing staff, Computing 12 Jul 2004

Business continuity used to be associated with disasters such as fire and floods.

However, according to the Global Information Security Survey, security threats now have a significant impact on business, and organisations need to make sure they have plans in place to protect themselves when hit by a security breach.

"Security is now seen as an important element of business continuity," says Richard Archdeacon, director of technical services at antivirus specialist Symantec.

"How do you continue to do business if you have a severe virus attack? What areas should be maintained? Which need multi-layered defences? Business continuity is being built into security measures."

About 90 per cent of European businesses suffered downtime over the past year, the research shows.

"That's very surprising to me," comments Jean-Paul Favier, unit manager of e-travel operation support at online travel company Amadeus.

"We've been running our website since 1996 and we've not had any downtime since then. However, it's important to differentiate between our site, which is our main channel to market, and other systems, such as email, which have been affected by things such as viruses."

Some three per cent of European firms suffered a loss of systems in the past year that lasted for six to 10 days, three per cent for three to six days, 14 per cent for one to three days, 20 per cent for eight to 24 hours, 21 per cent for four to eight hours, and a further 29 per cent for less than four hours.

"Figures on downtime are useful in the sense that they impress upon company managers and owners that there are things that can happen to computer systems that result in them not working and then the business not working. That is an important message," maintains Peter Sommer, security expert at the London School of Economics.

Good management is vital when it comes to implementing security systems, and ensuring that processes are appropriate to the business and provide the best protection against attacks. Central to this is the security policy.

Some 73 per cent of North American respondents to the Global Information Security Survey said they include appropriate use of email in their security policies, but fewer than half (49 per cent) take the same precautions in Europe. The figure is even lower in Asia-Pacific countries, at 48 per cent.

System administration was covered by 66 per cent of North American policies, 68 per cent of South Americans, 65 per cent of Europeans and 56 per cent in Asia-Pacific. Network administration featured in 62 per cent of North American policies, 66 per cent of South American policies, 62 per cent of European ones and 53 per cent of those in Asia-Pacific.

"Security policies are incredibly important and enforcing them is even more important," warns Peter Pedersen, chief technology officer at interactive betting firm Blue Square.

"We all need a security policy," agrees Amadeus's Favier.

"At the start of any new application or site, it needs to be drawn up and adhered to. I think it's important to design your applications according to a strict policy. It's a requirement for us."

The survey found that the most common person in a business to set security policy is the chief information officer, a vice president or director of information services or IT, according to 48 per cent of North American businesses, 43 per cent of South Americans, 26 per cent of Europeans and 29 per cent of Asia-Pacific companies.

The president, chief executive or managing director was responsible for setting policy in 40 per cent of North American companies, 37 per cent of South American firms, 41 per cent of European businesses and 42 per cent of firms in Asia-Pacific.

Educating users is essential when implementing a security strategy, according to Graham Nugent, European strategic information services manager at UPS.

"At UPS, we believe that the best way of securing our information assets is by educating our users in all aspects of information security, and by continuing to reinforce the importance of security through our management group," he explains.

"We have had an Electronic Communications Policy document for some time now, and each of our users is required to sign a copy of that document to qualify for an access ID. We have a tradition in UPS of communicating with all our employees using a pre-work communication meeting.

"These events are highly structured, last three minutes maximum and are designed so that the manager talks and the workers listen. What a great way to get the latest information over to our people about email attachments, viruses and so on."

Jeremy Beale, head of ebusiness at the CBI, also sees education as an essential part of security management, but believes the government needs to be involved.

"There is a very large-scale education programme that needs to be undertaken, and we've been in discussion with the government and are getting nearer to getting that kind of awareness campaign launched," he comments.

"Many parts of government need to be involved, as do many sectors of the industry. It needs to be co-ordinated so that it is high-level, and addresses the different groups concerned."

Knowing the cost of security, and of the disruption that results from downtime, is essential if businesses are to manage security effectively, according to the LSE's Sommer.

"Businesses need to be able to calculate the cost of business interruption. There are well-known disciplines within the insurance industry that people can draw on," he explains.

"One of the lessons you might draw is that security specialists need to understand the discipline for calculating consequential losses, because that might have an impact on the order of budget they are going to get from bosses to avoid it happening."

Some 22 per cent of European respondents to the survey said downtime that resulted from a security breach cost them up to $10,000. And 11 per cent cited between $10,000 and $100,000.

But 46 per cent didn't know how much attacks cost them.

www.pcw.co.uk/2072437
This article was printed from the Personal Computer World web site
© Incisive Media Ltd. 2008