Be ready for anything

Business continuity is one of the most talked-about issues in IT across the globe because of the devastating impact disasters can have on a company. However, research from KPMG shows regional firms are still not prepared for the worst and could suffer the consequences.

By Administrator. Published February 15, 2007

As representatives of global advisory services provider KPMG settle down for a roundtable discussion on the findings of its recent business continuity report, the conversation quickly turns to a cautionary tale of imminent flu pandemics and poorly prepared businesses, amongst other such issues.

The discussion had been instigated by the company's recent CIO survey, which found that, despite a sharp rise in IT security spending in the region in the last year, companies were not prepared for disruptions to their business.

The results of the study, which surveyed 80 companies in the UAE from all major industries, suggested that not enough companies are sufficiently prepared for unexpected breaks in business continuity.

According to the survey, while 90% of firms increased their dependence on IT during 2006, only 75% of companies increased their information security spending.

Although spending on information security is rising, KPMG says that not enough companies are taking a holistic, long-term approach to their business continuity and information security planning.

"86% of companies are not considering international security standards such as ISO27001 when implementing information security management systems, and 55% allocate funds to projects on a case-by-case basis," comments Rajeev Lalwani, head of IT advisory practice for KPMG in the UAE.

"Organisations need to treat security and continuity issues as business issues and embed them in the larger context of risk management policies and procedures. When it comes to information security, there is no point in investing in expensive security technology tools to protect your digital customer information if the same information remains unprotected in paper form.

"Most organisations in the UAE are going beyond national boundaries - they are operating with different regions. What this means is that there is a step change in the risk profile of these organisations, but this also provides these organisations with an opportunity to become more resilient and use their regional or global reach to better manage," Lalwani comments.

"From an information security point of view, it is important to understand that organisations today do not operate in a vacuum. They operate in a seamless chain of vendor suppliers. Securing the company's information is becoming very important - perhaps most important after people."

Integrating a robust incident response mechanism is a significant indicator of an organisation's readiness for security breaches, according to KPMG. The survey showed that only 15% of companies in the UAE had considered round-the-clock monitoring, with the remaining 85% ranging between purely reactive systems and informal levels of monitoring and logging.

Viruses were perceived to be the main security issue, followed by spamming and internal threats. Only 12% of the respondents claimed that their information security function lies outside the IT department, with direct reporting to the board. This again highlights the need for companies in the UAE to examine the extent to which their information security policies are interlinked with overall company policies.

On the business continuity side, only 20% of firms have a continuity plan that covers the entire organisation, and over half of the respondents focused their business continuity initiatives mainly on technology and related systems and processes.

KPMG also believes that a greater understanding is required on the need for geographic dispersion of disaster recovery sites. Most companies surveyed have, or plan to have, secondary recovery sites within the same city or location in which their business operates - leaving businesses vulnerable in the event of a major disaster in that same city or location.

The survey reveals that organisations recognise people as by far their weakest link. Processes are exposed to risks due to human error, negligence, lack of awareness or even lack of staff during a disruption.

Will Brown, KPMG's service leader for the centre of excellence for business continuity management, warns that one of the key aspects that now has to be considered is an emerging flu pandemic, which he says will force organisations to think about business continuity in a very different way.

"Traditionally, business continuity and disaster recovery sat in the IT environment," he says. "It is now very much a business issue and it is understood that although organisations rely on their IT systems, people are the absolute key and people must come first in terms of business continuity and disaster recovery capabilities. This flu pandemic is a virus that could take a significant proportion of the workforce out for an extremely long period of time. Best practice looks at having 25% of the workforce unavailable for a period of up to 18 months."

Despite this, investment in business continuity appears to be constrained, with a majority of firms spending in the lower end of the investment spectrum. In fact, the key drivers in decisions to implement a business continuity management programme have been customer service, compliance and safety of staff.

As organisations in the UAE grow regionally and globally, KPMG says it is important that they start considering aligning their security and continuity programmes with internationally recognised security standards.

Lalwani adds: "One key finding from the information security perspective is that most organisations seem to treat it as a technology issue and apply technology solutions to manage information security. That's good for IT security but when you talk about information security the context is much broader. You need to work on several other domains and these include working on security strategy and policy, ensuring that security function gets deployed across the organisation and not just within it.

"We've also discovered that most organisations in the UAE treat information security as a function - an IT function. The definition needs to be right. Business continuity and information security are business problems and business challenges with a lot of IT solutions out there," he goes on to say.

"When you compare with leading practices, one of the questions we asked was, 'what kind of threats do you see with respect to information security?' and the respondents in the UAE mentioned computer viruses as top threats, followed by spamming and phishing," Lalwani points out. "When you compare this with colleagues in the West and the US, they mentioned threats relating to malware and adware - threats which are perpetrated for profit. So it's no longer hackers playing a game, but people in a coordinated fashion attacking for financial gain."

