Contingency and mitigation planning: What has your business got in place?

Kathleen Hall

Monday 6 October 2014

No one knows exactly when an IT disaster will strike but when it does, the one certainty is the damage it will cause to your company’s day-to-day operations, reputation and balance sheet. Is your business prepared?

The exposure to certain kinds of risk has also increased as more services and information becomes available online.

One recent high profile example of a near “catastrophic” IT disaster was the Heartbleed virus, which could have exposed countless amounts of sensitive information to cyber criminals. Experts predict the bug could have affected up to two-thirds of the world’s internet servers.

Heartbleed was a security flaw that no one saw coming – to the extent that the bug remained unnoticed for three years. The fault occurred through an OpenSSL programming error, which created a security hole in the open source programme exposing vast amounts of “secure” information.

But the event is also a cautionary tale for businesses to take extra precautions to protect themselves against unknown threats.

Easy targets

Bob Tarzey, analyst at Quocirca, says it is impossible for an organisation to fully proof itself against every possible attack. “But that doesn’t mean to say you have to be front of the queue. There are measures you can take to be better protected. If I wanted to rob a bank, I’d look for the one that I think is the easiest one to steal from. So the message is: don’t be the easiest target.”

Dale Vile, analyst at Freeform Dynamics agrees. He believes network monitoring is the single most effective technology that businesses can use against potential attacks.

“When you do a post-mortem of some of these high-profile disasters, you find that the biggest problem is that people were not aware of what was going on until too late. Monitoring your infrastructure and monitoring you network is absolutely the biggest enabler and it is often the biggest gap in terms of what people have in place. It is the best IT weapon against a lot of problems.”

There are a number of technologies businesses can use for risk mitigation. For example traffic management tools, which flag up any anomalies in the network or content filtering of the network to screen access to certain sites.

Organisations should also have a clear view of all the software they are using, and the software their suppliers are using. And if they are using open source tools, ensure they are fully supported by providers.

The proliferation of mobile devices has also exposed networks to more potential vulnerabilities, and many organisations are putting in place enterprise mobile management tools, including management of mobile applications and encryption of devices.

Cloud backup

When it comes to protection against attacks, it has always been an arms race between attacks and the security industry. But while the security industry is keeping up, the same is not necessarily true of their customers, says Quocirca’s Tarzey. Many businesses are using out-dated forms of protection, such as intrusion prevention systems and signature-style anti-virus tools to protect them, he says.

However, the use of cloud services can help companies keep up, as providers are able to aggregate the cost of protection across all their customers – as they have the economies of scale to use more sophisticated and expensive technology, he says.

Turning to cloud services also has the added benefit of protecting smaller businesses against general hardware and software failure, as everything is stored remotely at a much lower cost than typical disaster recovery investments.

Ahuge development has been the role of cloud in disaster recovery. Cloud together with management tooling, basically means the costs have come down massively in terms of implementing effective DR,” says Freeform Dynamics’ Vile.

There is every reason to have the majority of businesses applications protected via the cloud, he says.

Due diligence

And for smaller businesses in particular, cloud services have the added benefit of minimising the potentially problems of running servers in-house – a far less reliable and more disaster-prone way of running IT.

But for Vile the main issue it comes down to is basic due diligence, with most of the threats to businesses’ systems internal ones due to mistakes and misunderstandings.

“A lot of it is about making sure we look after systems well – the husbandry stuff like patching servers and keeping them in good shape, monitoring things and managing capacity.”

Ensuring staff are up to speed on basic good practices, such as password security and data encryption is a crucial weapon against disaster. “Recent studies suggest you can throw as much technology at is as you like, but the thing that makes the most difference is end user awareness and training,” he says.