So-called “business continuity plans” have become a
primary concern for private firms and government organizations since
the sudden destruction of the World Trade Center, experts said.
Even though contingency preparation is not a new concept in the
business world, the collapse of the Twin Towers has prompted companies
to reevaluate their planning.
A case in point is New York-based Marsh Risk Consulting, which
has been in the business of advising companies on loss analysis
and developing continuity plans for the past 150 years. But Marsh
had never tested its own internal continuity plan prior to September
11, when it had to be exercised.
About 1,700 of the company’s employees worked in offices
between the 90th and 100th floors in Tower 1 of the World Trade
Center.
One contingency plan that Marsh had never considered was how to
continue operating in the event that the entire staff were incapacitated
or eliminated.
“Marsh lost about 300 people that day, and we never thought
of that,” said Scott Lochman, a senior vice president at Marsh.
“We got an opportunity, unfortunately, to exercise our own
business continuity plan, and we learned a lot of lessons,”
he said during an industry conference in Arlington, Va.
Lochman said it is important to consider that “you can have
the best information technology infrastructure, the best back-up
systems in the world, and you can recover in four hours. [But if]
you don’t have anyone to operate the systems, you cannot continue.”
An important consideration is how to transport employees to an
alternate location to continue operations if necessary. “You
can have 27 laptops set up at an alternate location,” but
they’re worthless if the employees can’t get to them,
he said. Lochman also recommended that lists of employee contact
phone numbers and continuity plans be stored in places other than
the office, “in case the office isn’t there when you
get back.”
Lochman explained that consequence management involves more than
just disaster recovery. “You can have a disaster last five
minutes at your organization, and you can recover from it within
five minutes. Business continuity is a natural progression. If something
happens, whatever is done needs to flow from the senior chain of
command. If it doesn’t, you will have a lot of people scurrying
around, thinking they know what needs to be done.”
There are four types of continuity to consider, Lochman said. They
include financial, strategic, operational and hazard-related. “If
you don’t have a plan in place to recover, your recovery is
either extremely slowed, or your processes going on a forward-basis
are crippled,” he said. “How can you protect your operations?
Identify the threats and the impact from those threats.”
Potential problems that should be considered range from an angry
employee who can wreak havoc on a network and destroy operations,
to the more conventional dangers posed by hurricanes or fire damage,
he said. Man-made hazards, such as terrorist attacks, should now
figure into risk planning, he said.
Cyber-Security
Many companies are investing in cyber-security services to protect
and ensure the continuity of their networks in the event of a terrorist
attack.
Cyber attacks and cyber-terrorism are on the rise, said Tim Belcher,
chief technology officer for Riptech, Inc., which was recently acquired
by Symantec Corporation, based in Alexandria, Va. Public companies,
particularly those involved in power and energy, financial services
and high technology, are attacked the most often, he said. Aggressive
or severe attacks are twice as likely to occur on public companies’
networks, he added.
“You are being attacked 24/7, every day, from anywhere in
the world,” he said.
Attacks are made on systems for a variety of reasons. Sometimes,
the attackers hope to “sneak into one system, ‘trojanize’
that system and compromise critical infrastructure. They’re
looking for systems that allow those footholds,” so they can
monitor it from the inside, he said.
Symantec publishes a semi-annual Internet security threat report,
which is a compilation of information about intrusion detection
gleaned from its more than 400 customers.
The report said that virtually all statistics indicate that Internet
attack activity remains “intense, pervasive and potentially
severe.”
Attacks on Symantec’s customer networks increased by 28 percent
for the first half of 2002, Belcher said, but “there was no
substantial increase after September 11.”
Belcher explained that Symantec attempts to determine “the
characteristics of the person that launched the attack,” and
then assigns a level of “aggressiveness” to the attacker.
The “aggression metric” quantifies the level of effort
attackers exerted to penetrate the network, Belcher said.
Only 2 percent of attacks were at the highest level of aggression,
“but they were 26 times more likely to be successful,”
he said.
Once two client networks are attacked from the same source, Symantec
starts profiling the source, gathering information about the types
of systems the source is running and attempting to measure the intent
of the attacker, Belcher said. Most attacks are perpetrated on Windows-based
networks.
The State Department’s cyber-terrorism watch list does not
convey the landscape of countries to watch, Belcher said. Therefore,
Symantec has developed its own watch list, based on two types of
countries: designated state sponsors of terrorism, and “those
from which terrorists have reportedly operated and recruited in the
past,” the report said.
The report found that attacks were detected from three of seven
countries designated as state terrorism sponsors. “Ninety
percent of this activity emanated from Iran, while the remaining
10 percent was split evenly between Cuba and Sudan,” said
the report.
However, the report noted that Iraq, North Korea, Syria and Libya
have few Internet protocol (IP) addresses assigned to them, so it
is difficult to determine whether attacks originate in those nations.
“Only one severe attack over the past six months came from
a country on the watch list,” the report noted.