While preventing another massive loss of life has deservedly been
the focus of most post-9/11 security efforts, a quiet, almost unnoticed
quest has concentrated also on avoiding another devastating loss
of financial and other personal data that occurred during the World
Trade Center attack.
When the World Trade Center collapsed, untold volumes of valuable
information were irretrievably lost. The cost to reconstruct that
information has been significant.
So, while it has not gotten headlines, the problem has not been
ignored. In the past year, more and more companies have examined
their information vulnerabilities and are quietly taking steps to
harden their vital management data and information from attack.
Today, more than ever, companies want assurance that if a key facility
goes down, mission critical operations don’t cease and the
data vital to support those operations doesn’t disappear -
even for an instant.
Backing up data no longer is as simple as downloading your hard
drive to a floppy disk and dropping it in your desk. Remote, multiple,
simultaneous redundancy of data backup, systems recovery and, occasionally,
total business operations is now the focus of top corporate information
officers.
Called Business Continuity Planning, companies that rely on continuous
information access are developing plans and procedures to guarantee
that their mission critical operations remain unbroken in the face
of unexpected disruptions.
"Terrorism is not the only threat," said Sean Smith,
Chairman & CEO of Coalition America, an Atlanta-based healthcare
cost containment and claims processing company. "A breach in
security, a loss of critical client data, a hacker, undetected virus
or a natural disaster that cuts communications are all scenarios
that put information-age organizations at risk."
According to a survey 5000 managers by the Business Continuity
Institute, over a quarter of UK organizations have suffered major
disruptions to their business, due to a breakdown in their supplies
and services, over the past five years.
Also, federal regulation through such legislation as the Health
Insurance Portability & Accountability Act (HIPAA) are forcing
hospitals, doctors, insurers and employers to secure their data
for privacy reasons, too.
The September 11 attacks simply gave impetus to a process that
had already started to capture the attention of information-based
businesses. According to Smith, companies like his are examining
five key areas to ensure their business operations continue when
faced with either an intentional or inadvertent threat to their
information systems:
- Disaster & Contingency Planning - Understanding the
potential impacts of major disaster scenarios, and establishing
the risks that could lead to such scenarios, is the first step
to ensuring the BCP or DP plan meets the actual needs of the organization.
"We began our process with a meticulous review of our organization
and its operational vulnerabilities," Smith said. "This
assessment included not only day-to-day operations, but our data
infrastructure and the suppliers, vendors and partners vital to
operations. Included were detailed contingency plans that will
guide our organization both protecting individual privacy and
in performing our critical functions during a disruption or disaster."
- Network and data security - No system is secure unless
it addresses the threat from its most trusted users. That is because
the biggest risks are on the inside where access is easiest. Further,
security problems typically result from people or process failures,
so security must be multi-layered and self-checking.
At SunGard eSourcing, a leading information security organization,
an individual encounters four levels of physical security just
to access its systems. First is a security guard checkpoint requiring
sign-in and photo identification. Next comes a fingerprint scan
followed by a key station requiring a PIN number. Finally, its
data access area is monitored 24/7 by security cameras.
Protecting from external threats is even more complex with the
customary firewalls, virus detection systems, and encryption technologies.
Yet, whatever technology can protect, technology can defeat.
So, these systems must be continually updated based on the latest
advancements and threats.
- Data Recovery - If disaster does strike, the goal of
recovery is to find and fix the problem swiftly, then get operations
back to normal promptly. The key to successful recovery from any
disaster is having a reliable copy of your critical data backed
up offsite.
If properly completed, the planning process has prepared all documents
and plans while identifying and securing any additional equipment
and supplies needed to mitigate the risks identified in the assessment.
Meanwhile, all personnel must be trained on their respective roles
and responsibilities.
Then go one step further. Conduct regular drills and exercises
to ensure the plans will work and provide a continual means to
update the information to adjust for organizational changes.
- Alternate site operations - Sometimes disaster is inevitable
in spite of the best laid plans. Disasters such as hurricanes,
fires, floods and earthquakes are inevitable and often unavoidable.
As a result, more companies are creating off-site backup facilities
that mirror their primary operation centers.
For example, in Florida, a place where hurricanes visit, and California,
home of the frequent earthquake, companies often have full-blown,
moth-balled operations centers well away danger centers that can
be open for business within hours. Key employees can be moved
there quickly and stay on the job until normalcy returns.
- Infrastructure Disruptions - The risk is not always company
specific. The nation’s telecommunications infrastructure
is an inviting target for terrorists, hackers or other bad actors.
Even if a business has done all it can to protect its own system,
it can still be crippled by a disruption within the portals that
carry its data traffic.
As a result, many companies are contracting with secondary and
tertiary portal providers in case their primary portals become
inaccessible. Thus, if one portal closes, they can shift their
systems instantly to a new ISP.
Many companies have installed backup generators and other emergency
systems to ensure that their business operations can surmount
any but the most devastating disruption.
"Given the importance of information in today’s global
economy, extended downtime due to terrorism, disasters, hackers
and other disruptions is something most enterprises cannot afford,"
said CAI’s Sean Smith. "As a result, business continuity
planning is the top strategic concern for many companies in the
post-9/11 environment."
###