The September 11 terrorist attacks on America cost close to 3,000 people their lives. On an IT level, more than $5 billion in infrastructure was lost and more than 100 businesses in New York City declared disasters. Those that had formal, tested disaster recovery and business continuity plans in place experienced relatively minimal downtime. Those that didn't closed their doors forever.
Planning, policy and procedure never assume a bigger profile than when disaster strikes.
Post-September 11, however, IT security professionals surveyed by SearchSecurity.com rated disaster recovery as the second most vulnerable area in their enterprise behind only physical and plant security. Awareness may be up, but it has not been backed up by an increase in spending or resources to assist IT in securing assets or data, the survey also concluded.
"I don't think things have changed that much in the way security is implemented post-September 11," said April Beachy, Director of Technology for Tuscarawas County in New Philadelphia, Ohio. "The difference is in the awareness of non-IT people for the needs of IT."
Beachy is responsible for network security, including the physical security of the network, for the county. The networks serve more than half of the county government offices, and disaster recovery is a big pulse point for auditors who run mandated tests on the network.
"We always get hit on our audits for not testing our disaster recovery plan and for not testing user procedures," Beachy said. "But it would cost us too much to do that."
Solid IT security policies mitigate disasters, said Robert Lonadier, president of Boston-based RCL Associates. The best example, he said, is e-mail antivirus measures.
"The better prepared you are for disaster recovery, the better you'll be able to respond to security exploits," Lonadier said. "Last year with Code Red and Nimda, a number of organizations had no choice but to go offline and recover their operations from the point prior to the virus outbreak."
Lonadier, in fact, recommends that his clients treat virus attacks as they would natural disasters like hurricanes. But he adds that this may be the extent of the link between disaster recovery and security.
"You need to treat IT security as a separate concept," Lonadier said. "It's a preparedness issue, a policy issue, a mindset issue. Enterprises need to accept that virus attacks or hacks of other kinds are inevitable and it's about how you respond to such an occurrence that separates the best organizations from the middle-of-the-pack organizations."
Others disagree with Lonadier's assertion that disaster recovery plans do not make an enterprise more secure.
"The security field addresses the confidentiality, integrity and availability of data," said Michael Kleckner, Information Security Advisor for American Family Insurance in Madison, Wisc. "The availability of data is where security comes into disaster recovery. Disaster recovery or business continuity are a form of security."
Disasters in today's enterprise don't often take on the global nature of the horror and damage done on September 11. In fact, most IT security officers would probably prefer to refer to "disasters" as incidents and frame disaster recovery as a subset of incident response. Instead, they have to weigh how they respond to incidents against their enterprise's business plan.
"Most companies don't think their risks are significantly different now than pre-September 11 with regard to terror attacks on their complexes. The increase in cyberattacks and physical attacks on companies in the U.S. has been gradually increasing over the past several years," Kleckner said. "The awareness of this trend has increased, but the dedication of resources to security concerns has not. This is likely tied to the uncertainty of the economy and the difficulty to prove a positive ROI with additional investments in security. I don't think most executives are worried that they will be next."
Instead, incidents are viewed on a localized level and disaster recovery/business continuity plans will reflect that against business priorities.
"Security is a business issue," Kleckner said. "If you have zero tolerance for downtime, then you have redundant systems, total failover. Most businesses will pick something less. It becomes a cost issue."
Security involves technical and human components and that's where solid policy can go a long way toward maintaining the bottom line.
"A security policy has to identify the way a business is going to operate in a disaster," Kleckner said. "You try to put controls in place that will enforce the business requirements."