This November, the UK was once again confronted with the reality of what it means to be the world’s number one terrorist target.
Only months after the foiling of a plot to blow up US-bound flights came revelations of plans for a series of attacks on a scale even more devastating than the London Underground and bus bombings of 7 July 2005. A British court heard how Dhiren Barot of north-west London – described by prosecutors as “member or close associate” of al-Qaeda – had not only laid detailed plans for attacks on Waterloo Station, the Heathrow Express, a Tube train travelling under the Thames, and the Savoy Hotel, but had drawn up a hitlist of US business targets: Citigroup Centre in New York City, and the Prudential Corporate Plaza and world headquarters in Newark, New Jersey, the International Monetary Fund headquarters and World Bank headquarters in Washington, DC, and the New York Stock Exchange.
That just affirms what many high-profile businesses already know and have been preparing for: the uncomfortable truth that they too are potential targets. An attack on such organisations would not only be a symbolic blow against Western economic power, says Dr Anthony Richards of the Centre for the Study of Terrorism and Political Violence (CSTPV) at St Andrews University, but serve the wider goal of largescale economic disruption. “If you look at al-Qaeda and the Global Salafi Jihad, one of their strategies is to inflict economic costs on their enemy,” Richards observes.
Virtual impact
Attacking business interests – and financial institutions in particular – is more likely to achieve this end for the simple reason that their assets and the services they provide are largely virtual in nature , and delivered via a large and vulnerable IT infrastructure.
That is a threat that is taken seriously. Downtime inflicted on such organisations as the result of an attack – or even the threat of a direct attack – could devastate a business. This realisation, says Peter Yates, head of infrastructure for EMEA at European banking giant ABN AMRO, has led to a discernable change of attitude within the business continuity circles of the financial world.
“Certainly, several years ago, companies recognised that they should have business continuity plans, but they were often quite happy to let someone run that. Now, since 9/11 and the London bombs, it has become apparent that these disasters can happen and, if so, you do have a big chance of losing business. Now it appears to be more high profile, and senior management are taking it very seriously now.“
This concern however, is by no means the preserve of financial services. According to a recent survey of global continuity practices designed to chart changes in practices since the 7/7 bombings, 32% of businesses say that just four hours of downtime as a result of such a disruption would be potentially “fatal” for their organisation. The research, by online information service Continuity Central, however found that the vast majority (73%) thought the meltdown point would come within 24 hours of their IT infrastructure disappearing, showing just how critical and deeply embedded IT is within the fabric of most businesses.
In recognition of that position, MI5 recommends businesses prioritise the protection of their IT infrastructure as a matter of business survival, second only to providing physical protection for their buildings and staff. According to Continuity Central, the majority of organisations have now started to properly address this issue, with 73% of the CIOs and IT directors it surveyed confirming they have a business continuity plan (BCP) in place. Of these, 46% said they test their plans annually, with a further 32% performing tests at least four times a year.
For large multinationals, such as investment banks, oil companies or pharmaceutical giants – companies that are aware of threats from a range of political activists and terrorists groups – activities of this nature are now assuming a massive scale. For example, as a matter of priority, says Barry Clark, consultant and former superintendent at Scotland Yard, nearly all such organisations have begun to reconsider the location of their data centres.
That is something Yates confirms: “Our primary UK data centre is in London, but we have a major project right now to look at other data centre sites. We also have a secondary facility in the UK, and all our critical data is backed up as well as being replicated at another site.”
The lack of specifics is not surprising. Like most financial organisations, the location of such critical business infrastructure, that in years gone by were openly shared, are now treated as highly confidential.
The impetus is not just based on a sense of self-protection. Chris Keeling, partner at Acuity Risk Management, which provides security services to a number of the major investment banks, says organisations have been “pushed hard” by regulators to disperse their risk by divorcing the people performing the work from the technical production that supports that work. Consequently, large organisations have begun to look further afield, and in more obscure places, to relocate their data centres, in order to buffer themselves against potential attacks. Information Age knows of at least one major bank that has contemplated housing its data centre in a former nuclear bunker, while many other businesses are making special efforts to ensure their data centres are not easily recognised from the air.
In addition to securing low-key locations, businesses are also taking measures to ensure the resilience and redundancy of the data centre itself, says Keeling. “Where new data centres are put in place, firms try to make sure there are two of them, so there is a fallback between them, and active configuration so one can take the load of another.”
Some organisations will routinely switch operations from one data centre to another, to ensure full capability testing on a regular basis, he adds. The centres themselves are also being built with improved resilience, including additional capabilities for air-cooling, and multiple generators. “The technology cannot stop [running],” adds Keeling, “especially for an investment bank.”
With data centres relocated, it is also becoming routine for large organisations to have several standby locations to which employees themselves can relocate. Continuity Central found that 46% of businesses now include a standby site in their BCP, which are usually provided by a third-party and furnished with the necessary IT infrastructure, including hardware, software, and communications.
If ABN AMRO were to lose a main building for example, it would immediately move its operations to another pre-defined location in the UK. In addition, says Yates, being a global organisation, the bank has overseas offices for some of its activities. “This is obviously not on a one-to-one basis, but we do have a number of seats available for critical business activities.” Critical systems, he adds, are mirrored. “We have invested a lot of money to make sure we‘ve replicated critical trading structures, so if a primary system fails we have a back-up system to offer continuity of service to our clients.“
Ensuring continuity
Specialist security consultant Tony Collings, director of Electronics Commerce Associates, says however, that less well prepared organisations have had to overcome major problems with the infrastructure of their secondary sites. In the case of one national transportation company, he reveals, it was not until a fire forced it to deploy its standby venue that the company discovered it had mismanaged the configuration of the technology at that secondary site.
On this occasion, the company found that the application software could not run on the available hardware, effectively rendering its back-up tapes useless. It was subsequently forced to rebuild its hardware by hand, while in the mean time it was deprived of email capabilities over the Christmas period. “So even if you have the office and the hardware, that doesn’t mean you have the business continuity,” warns Collings.
While the potential to mismanage standby IT is a major consideration for businesses, the supporting communications infrastructure at these locations remains a chief and less-controllable concern, adds Clark. Terrorist attacks are often designed to cause maximum confusion, with multiple sites of disruption, they can impact the resilience of shared business continuity facilities too – as these become over-taxed by numerous client requests. In the event of a co-ordinated, multiple attack, warns Clark “your business continuity centres are going to be absorbed very, very quickly.”
Demands on the sites’ infrastructure providers, such as telecommunications companies, are likely to be particularly high as numerous businesses compete to secure resources. “A request for additional lines? Forget it. So you’ve got to start thinking maybe about relocating somewhere else that no-one else has thought of,” says Clark.
Diversifying communications technology is also becoming an increasingly common means to manage this issue, with many organisations securing telecommunications services from more than one provider. As Collings reveals however, some organisations have learnt to their detriment that these providers often share the same hardware. “So knowing your infrastructure and knowing your vulnerability, knowing what you need and what you’re actually being given is crucial”, he stresses.
In response to some of these challenges, more and more major organisations are starting to permanently move their back offices and non-core IT operations to the suburbs, Acuity’s Keeling observes, or to outsource elements of them to places like Singapore, the Czech Republic and India. ABN AMRO, for example, has off-shored parts of its operations to India, says Yates, allowing the bank greater flexibility in response to a disruption.
Collateral damage
For the vast majority of lower-profile businesses however, and in particular small to medium enterprises (SMEs), terrorist activity is far less of a consideration. Such organisations are more likely to be impacted indirectly, as a victim of that dubious phrase, ‘collateral damage’.
A major disruption to an SME’s business operations is however likely to be disproportionately damaging in relation to its size, because SMEs often have fewer office locations and more concentrated IT infrastructure. Limited financial resources make it particularly costly for SMEs, many of which border on profitability in the first few years of existence, to secure adequate back-up and recovery solutions.
Data is often held on a single server in a single location, leaving organisations highly exposed. Minimising the downtime in the event of a major disruption to local power supplies, or an Internet service provider, therefore remains an ongoing continuity challenge for this segment of the business community.
In addition, says Henry Wilkinson, terrorism analyst at international firm Janusian Security, “when terrorists do attack they tend to like it to appear random and to target the greatest concentration of people.” This will often have a “knock-on” cumulative effect, he adds, which most commonly impedes the ability of staff to get to work.
“On the 7 July bombings, a lot of businesses in the area of those attacks found their people weren’t actually able to get to offices, sometimes for two days,” he recalls. This is again particularly damaging for SMEs which often have more ‘key’ staff members, but fewer individuals responsible for or able to run IT functions.
Despite the considerable financial damage that an indirect threat can inflict on small businesses, the SMEs remain significantly less well prepared for this than their larger counterparts. “The majority of big businesses have reasonably good continuity and recovery plans – they have to,” says Clark, while the SMEs “wing it.”
As IT becomes ever more pervasive in business, however, and the implications of failure grow correspondingly, the importance of business continuity provision to SMEs will become as acutely obvious as it is today to the largest organisations. As Yates observes of ABN AMRO, business continuity and resilience are no longer add-ons but “an integral part of how we work.”
The cost of downtime
Length businesses said their most important services can be unavailable before the downtime becomes a potentially fatal issue for the organisation:
Less than four hours 32%
Between four and eight hours 17%
Between eight and 24 hours 24%
Between one day and one week 21%
Between one week and one month 4%
Common internal business services ranked in order of their importance within the organisation’s business continuity plan:
• Customer support
• Corporate financials (accts payable/receivable)
• Phone system
• Email
• Order acceptance or delivery
• Corporate website
• File and print
• Manufacturing or production development
Source: Continuity Central