The worry is that such an attack could shut down business and critical government operations for hours, or possibly even days.
That threat has IT and security experts working hard to raise the awareness of business executives and strengthen defenses to prevent such a disaster from taking place.
Hopefully, it never will. But the dramatic increase in the number of cyberthreats against the Internet--up 1,000 percent between 2006 and 2008, according figures from Symantec cited in a recent Internet Security Alliance report--also increases the risk that one day, one of the attacks will succeed.
This is a serious problem because businesses depend on IT for just about everything they do.
IT and security executives have estimated the financial cost to their own organizations at $6.3 million as a result of 24 hours of downtime from a major cyber incident, according to a recent McAfee study.
In a separate 2007 study by the Economist Intelligence Unit, 47 percent of respondents said they could endure less than a day of downtime from their IT systems before the disruption became serious enough to jeopardize the survival of the entire company. According to the U.S. National Archives and Records Administration cited in the study, which was sponsored by ACE, IBM and KPMG, 25 percent of companies that experienced an IT outage of two to six days went bankrupt immediately.
Prevention is undoubtedly important. But companies also need to give thought to business continuity and disaster recovery plans.
Hope is not a plan, and if they do not carefully assess their risks and vulnerabilities and come up with a disaster recovery plan, companies will be at a disadvantage should disaster ever strike.
In the IT field, disaster planning is something that has been taken seriously since the mid 1990s when companies began to recognize just how reliant they were on IT, says Roberta Witty, a research vice president at Gartner Research whose area of focus is business continuity management and disaster recovery.
One of the most common mistakes is failing to keep the plan up-to-date, Witty said. Plans are often developed, but then filed away and forgotten. Contact information becomes out of date and useless in a crisis.
Another common problem is that plans are rarely exercised. By this Witty means that companies need to take their plans out and give them a test run to see how well they work and whether there are any gaps.
The commitment from management is another challenge. Senior executives may say they want a recovery plan, with certain recovery time objectives, but are they really willing to pay for it?
These mistakes, as well as a lack of commitment from senior management, can limit the effectiveness of any business continuity plan. But new technologies such as virtualization and cloud computing are helping companies reduce the overall expense involved with IT recovery planning.
The risks to IT systems are serious and increasing every year. To protect themselves, companies need to not only strengthen their defenses but make sure they have a business continuity and disaster recovery plan in place and that they keep it up to date and exercise it to assess its effectiveness from time to time.
PATRICIA VOWINKEL has worked for national media outlets for more than 20 years.
August 1, 2010
Copyright 2010© LRP Publications