By John-Paul Kamath
11 Sep 2007

Six years on from the September 11 terrorist attacks, UK businesses are
not doing enough to prepare staff to work with IT systems in a disaster,
the Business Continuity Institute has warned.

Lyndon Bird, technical services director at the institute, said firms
had made good progress on technology recovery, but they needed to train
staff in how to work in a disaster - a key lesson from the attacks on
the World Trade Center.

Without trained staff, even the most automated operation will fail, said
Bird. "Many organisations do not spend sufficient time or budget on
staff training," he said.

Steve Salmon, business continuity consultant at professional services
firm KPMG, said that post-9/11 he had seen more companies draft recovery
plans and increase funding for business continuity projects.

However, many plans were flawed because of their emphasis on testing
technology recovery, not how staff would use systems to maintain
business practices, he said.

"More companies need to train employees to work with IT systems under
live test conditions. They must also explain to staff what their
responsibilities are in a crisis and train them to be multi-skilled so
that they can keep key business processes going," said Salmon.

Jim Norton, senior adviser on ICT at the Institute of Directors, who was
involved with drafting the BSI 25999 standard on business continuity,
said the problem was particularly acute among small and medium-sized

"Despite the lessons of September 11, our research showed that 43% of
SMBs do not test their business continuity or disaster recovery plans or
train their staff, and we do not believe this is changing."

The London Chamber of Commerce, which represents 3,500 UK businesses,
called on the government to offer financial incentives to encourage
proper contingency planning by businesses. "For smaller firms, these
incentives could cover the initial cost of setting up and testing a
continuity plan, and larger firms could be rewarded if they form
partnerships to advise smaller businesses," said a spokesman.

David Bason, IS director at law firm Shoosmiths, said, "IT disaster
recovery in itself is not enough. Replication of business processes and
testing people and processes is critical to successful business

David Walker, business continuity and information security manager at
Guoman Hotels, said full testing could be expensive to conduct regularly
and could disrupt normal business, but partial testing to see how people
and processes interact with IT systems must occur.