The Internet has been the catalyst for incredible change in our economy.
Millions of people and organizations around the world have found that it offers a convenient, efficient and often cost-saving way to conduct business. As a result, nowadays, just about anything can be sold or purchased via the Internet.
Along with these e-commerce advances, though, come increased challenges to the continued operation of businesses. By opening avenues of access via Internet connections, organizations face potentially significant time and revenue loss from sources such as viruses, fraud, denial-of-service (DoS) attacks, hacking, natural disasters and equipment failure. All of these have the potential to cause major disruption and threaten the continued viability of an organization.
While it has many benefits, taking advantage of e-commerce also can be very costly to organizations. Online fraud losses for 2001, for example, were 19 times as high, dollar for dollar, as fraud losses from offline sales, as reported in a Gartner G2 study.
In addition, 64 percent of U.S. computer security professionals surveyed by the Computer Security Institute acknowledged financial losses due to computer breaches. From the 35 percent willing or able to quantify the amounts, more than $375 million was attributed to financial losses. And for the fourth consecutive year, more respondents (70 percent) cited their Internet connection as a more frequent point of attack than their internal systems (31 percent).
Maintaining IT security and ensuring businesses will continue functioning without interruption despite such natural, accidental and premeditated events, requires a shift in planning for business continuity. In fact, we need to move beyond business continuity planning and engage in business continuity management (BCM), treating all the aspects of availability and recoverability on an enterprise-wide basis.
Often business continuity plans (BCPs) are referred to interchangeably as disaster recovery plans (DRPs), even though there is a difference between the two. While BCPs may include disaster planning, their overall purpose is to ensure an enterprise can continue operations after a major disruption. DRPs, on the other hand, are usually preparations solely for the recovery of computer systems. In the model proposed here, the information, personnel, communications and logistical needs of an enterprise are to be addressed strategically and systematically, recognizing that in many cases recovering from an interruption is insufficient. For most e-commerce functions at many companies, interruptions cannot be tolerated at all
Thus, BCM integrates strategies, processes and resources to help organizations avoid (rather than recover from) events that disrupt business operations. BCM answers the questions: what causes interruptions in service? Who manages the recovery if it is needed? What will be done? How will directed processes be performed and when will resources, customers and vendors be re-integrated, as shortly after an incident as possible.
Although every organization must customize its business continuity preparations based on its specific needs, environment and situation, a series of best practices provide a strong foundation for the plan. BCM development can be categorized into five phases, as described in Business Continuity Planning in an E-Commerce Environment, published by the Information Systems Audit and Control Foundation (www.isaca.org):
- Project charter. This first step is essential for a successful management program. It includes establishing project expectations, obtaining appropriate commitments, selecting the appropriate participants and developing an efficient work plan.
- Business assessment. This step entails documenting business unit critical processes and components, and identifying existing and potential disaster-mitigating systems and procedures. In an e-commerce environment, additional consideration needs to be given to documenting the flow of information through the whole enterprise.
- Strategy selection. Since the enterprise should ideally offer continuous availability, the best availability strategy is to avert disaster. If avoidance cannot be ensured, a recovery strategy must be developed.
- Plan development. Procedures should be developed to recover an organization's minimum production capabilities. Staff must be able to execute, test and maintain the plan. The plan also should define the ongoing business continuity planning process itself.
- Testing and Maintenance. Expanding on the plan development process, management must have confidence that the plan will work, otherwise they may be reluctant to implement it. This phase often is referred to as "exercising the plan" rather than "testing the plan" so it doesn't become a pass/fail situation. Because technology changes so quickly, it is important to exercise the plan frequently. Each exercise often identifies continual improvements to the plan.
Business continuity plans should be written to address a worst-case scenario, while still addressing less severe events. A recovery effort, if necessary, should be led by the emergency management team, which ideally includes the CEO and senior management. Members of this team need to possess high thresholds for stress and disarray. They need to be decisive, self-motivated and authoritative. Quick assessments and decisions are critical, especially when recovery must be accomplished in minutes, not days.
Key activities of the emergency management team include:
- Motivating operations staff and focusing on delivering uninterrupted service.
- Escalating the situation internally and/or through vendors.
- Supporting crime scene isolation and evidence gathering.
- Reporting illegal causes of outages to authorities.
- Ensuring recovery plans are executed.
- Notifying customers regarding service delivery status.
- Notifying families of injured staff.
- Deploying staff.
- Assessing damage.
- Determining need for staff relocation.
- Arranging security of affected facility(ies).
Unfortunately disasters have an uncanny way of occurring when the CEO and top senior managers are unavailable. As a result, it is critical to allow other levels of management to make the decision to activate the plan. The emergency management team should be contacted as soon as possible so it can make a decision about whether to continue with the alternative plan or return to normal operations.
Business continuity management is not a luxury for today's e-commerce organizations, but an essential component of successful business. Disruptions to operations can directly impact revenues and market share, as well as expose the business to penalties, litigation and service to other business units.
Steven J. Ross, CISA, is a director at Deloitte & Touche. He can be contacted at [email protected].