September 11: From catastrophe to complacency?
by Mike Simons, © 2002 ComputerWeekly.com Ltd.
All rights reserved
Business and IT leaders have done far too little to improve their organisations'
readiness for terrorist attacks or catastrophe.
Monday, 11th March 2002 - Unless action is taken soon the increased
awareness of business continuity planning that followed last year's on the
World Trade Centre and Pentagon could be swamped by business-as-usual complacency.
Almost 3,000 people lost their lives on 11 September. Fifteen million square
feet of office space was put out of action and up to £3.5bn of IT and telecoms
equipment was destroyed.
Despite these losses a survey of senior IT executives by analysts organisation
Gartner revealed that few organisations have effective business continuity
Just 13% of enterprises told Gartner they were mostly prepared for
major loss of life from catastrophic damage or attacks. Only 28% reported
that they had business continuity plans for dealing with the consequences
of physical attacks and 36% had a plan for complete loss of physical assets
and work space.
Gartner analyst Simon Mingay was deeply disappointed. "Many
enterprises have not yet learned a key lesson of 11 September and have not
put significant resources into establishing operational resilience in case
of catastrophic damage or attacks," he commented.
Peter Sommer, senior fellow at the Computer Security Research Centre at
the London School of Economics told CW360.com, the situation in the UK was
patchy. "Certain parts of industry were already
well-tuned to the issues of contingency planning as a result of the last 15
years of Irish terrorist attack. For those that had not been convinced,"
he added, "it is doubtful whether even 11 September
would change their minds."
DK Matai, chairman of e-security consultants mi2g agreed: "In
some sectors, such as financial services, lessons have been learnt. In others,
such as professional services, a great deal more awareness is needed,"
Businesses only have a brief opportunity to put into practice what they
have learnt from the tragedy said Gartner's Mingay. Even disasters on the
scale of 11 September, "create a relatively short
window of opportunity, usually about 12 months, during which awareness is
raised and executives are motivated to take action".
The LSE's Sommer echoed the point. "It is an
unfortunate fact that the most persuasive practical justification for a good
security budget is not thoughtful risk analysis but big disasters. The horror
of 11 September created an opportunity for IT professionals. They should use