How effective is your business continuity plan?

Putting together a business continuity plan is not enough to protect a firm from IT disaster, according to a new study.

Research carried out by Compass Management Consulting revealed that while 98% of UK companies have a business continuity plan, more than half (58%) have suffered an IT disaster over the past five years.

Surprisingly, out of the companies that faced a crisis during that period, only 38% actually put their continuity plan into practice. And out of the firms that did invoke their plan, 71% said that business was still affected by the disaster, suggesting an "alarming vulnerability" of UK companies to IT crisis, according to Compass.

The management consultants said a combination of factors were to blame, including a failure to review plans on a regular basis and missing out "critical" aspects of the business continuity plan, such as risk analysis and a business impact study.

Debbie Rosario, senior consultant at Compass Management Consulting, said: "When you consider that large companies spend small fortunes on implementing a business continuity plan, these results are very surprising, and indeed, very worrying.

"This suggests that these companies are misunderstanding the reasons behind developing such measures and aren't considering vital aspects, such as malicious intent or security breaches, when developing their plan. Additionally, they are not ensuring that their business continuity plan is aligned with the business requirements by conducting a business impact analysis."

Compass is recommending that firms undertake a complete review of their business continuity plans for the year ahead. It also stressed that reviews should be seen as an "ongoing process".

Debbie Rosario added: "There is a tendency to assume it always happens to someone else, and hopefully these figures will shake companies from their complacency, help educate them and encourage the implementation of appropriate measures."

A dim view of staff
Meanwhile a separate study has shown that many IT managers believe that computer users are "IT security incidents waiting to happen."

Research by compliance and security software firm PolicyMatter revealed that around half of IT managers have a dim view computer users, whose "ignorance and a willingness to take matters into their own hands" are often the main causes of computer misuse at work.

The study showed that the main cause of computer misuse, reported by 47% of IT managers, was users "not understanding what they are doing wrong." As many as 43% of managers claimed users were aware that their actions were not in accordance with company policy but believed they would not have any "negative impact". Only 1% of managers claimed users "deliberately flout company policy, regardless of risk."

Nathan Millard, lawyer with Morgan Cole, said companies needed to make better use of "acceptable use policies" (AUPs).

He said: "Many organisations go to great lengths to write AUPs but then undermine their effectiveness by making little or no effort to actually communicate these requirements to employees. Organisations need to combat any lack of understanding or complacency to IT security risks by ensuring that computer users have read, understood and signed up to policies.

"Often, the creation of an AUP is a knee-jerk reaction to a recent incident or near miss where the organisation is rudely awakened to the threats of employee computer misuse. However, once written, it is very easy to forget the policy and allow it to gather dust.

"To provide true protection to the organisation, the AUP needs to be updated regularly to cover new legislation, technologies and user habits, and re-presented to employees so that it is always fresh in their minds."

Angie Bell