Canadian executives may be feeling secure about their own IT infrastructure, but consulting firm Ernst & Young wants them to take a closer look at who they’re doing business with and what could happen in the event of a system failure.
According to The Fabric of Risk, a report released by the firm today, 65 per cent of the CIOs and CEOs asked said it was critical to their business to have systems restored within 24 hours, but 36 per cent said they could not achieve that recovery time if they needed to.
Executives also put computer system failure ahead of the recession or terrorism as the most significant risk to business. Yet one in four companies do not have a business continuity plan in place and the same number do not have a computer disaster recovery plan, while 41 per cent have no overall crisis management plan.
And while 83 per cent say the information stored and transmitted on their own IT systems, via the Internet and on local networks is secure, experts say they aren’t taking into consideration other factors working beyond company walls.
“The survey results were quite alarming. What we found interesting is that so many of them actually thought their systems are safe and secure,” said Bill Demers, Canadian leader for e-business at Ernst & Young. “In talking with our clients, we’re saying ‘You have to start looking at your business partners and your suppliers and your customers and whether or not they have their systems as ready as you have your systems ready.’ Quite often, if their systems go down, they can certainly take you with them.”
Ernst & Young commissioned Goldfarb Consultants to conduct the survey last December and it is based on interviews with 40 CEOs and CIOs from 80 of the top 1,000 largest publicly traded companies in Canada.
Demers said companies should plan for what they would do if a particular event occurred. That means conducting periodic reviews of their own systems (what was safe and secure one month may be out of date the next) and conducting similar audits of business partners' systems, such as suppliers', to make sure those systems are up and running properly and are safe and secure.
“I think a lot of them have done a lot of work internally within their own organizations and have basically put policies and procedures in place that they think are going to help their business. But what they fail to realize is that the economy we’re in is a much larger connected environment and as a result, they may think they’re fine but the people they’re actually doing work with may not be fine,” he said.
But the results were of no surprise to Dawn Willis, executive consultant with Compass Analysis Canada Ltd., who says too many companies have the attitude that “it will happen to them, it will never happen to me.”
“The only place investment in disaster recovery typically takes place is in mainframe sites where they might have to bring up a mainframe on a moment’s notice. In those cases, they have very definitive and detailed plans of what they’re committed to delivering,” said Willis.
Demers said organizations may also be putting themselves and their directors at risk legally if they fail to take responsibility for managing risk, particularly for public companies whose stock prices can be affected by attacks or crashes.
“Ultimately, the board of directors is responsible for making sure that management is doing its job. In an environment like this, certainly there is more opportunity to take these companies to court and sue them because they have failed to do what they were supposed to do,” he said.
Willis said IBM is asking clients to sign a disclaimer around disaster protection stating that IBM would not be liable if something happened.
“They want it clearly written and signed in a legal document that they have no agreement to be responsible for disaster recovery for them. It’s like Y2K when everyone was writing disclaimers on everything,” she said.