Nearly half of Canadian companies have suffered from a disaster such as a power outage or IT failure, according to statistics released this week — but almost three quarters of the country’s businesses are unprotected by a business continuity plan.
The survey, conducted by Leger Marketing for hosted services company Fusepoint Managed Services, also reveals that only half of the companies with a disaster recovery plan consider it to be “full-blown,” with nearly one in three firms admitting to an “unofficial” program. Twelve per cent of firms rely on a phone tree as their primary means of continuing business in the event of a disaster.
“One thing that alarmed me was that 40 per cent of business executives participating in the survey said that they hadn’t spent a dime in five years on this matter,” said Fusepoint CEO George Kerns. He was also concerned that 80 per cent had spent less than $100,000. “That’s a pretty nominal amount,” he argued, adding that companies should make their own risk assessment and ask themselves how much it will cost for IT systems to be unavailable.
With threats such as the outbreak of avian flu looming, regulators are slowly beginning to consider business continuity in more depth. For example, the Investment Dealers Association of Canada recently introduced a bylaw mandating business continuity guidelines for members, and also published guidelines last year on how businesses can deal with a potential flu outbreak.
For many companies, building business continuity directly into operational activities has been a key part of a risk mitigation strategy. Robert Symons, president of online insurance processing services provider Tritech Financial Systems, hosts the servers that provide services to its clients at Fusepoint’s premises.
Tritech’s IT systems are protected “to the point where we don’t see how they could fail,” he said. He said he sees many insurance clients build business continuity around staffing practices, making it easier for the business to continue uninterrupted in the event of a disaster. “A lot of time the agents don’t work from the office. They can continue processing without having the head office being there,” he said, because the insurance processing applications are hosted in a failover configuration offsite.
The biggest perceived threat to the workplace among the 520 executives interviewed was IT disaster (46 per cent), with fire or theft, internal employee error, infrastructure disaster and natural disaster following in that order. Significantly, in spite of the media’s coverage, a pandemic caused the least concern among executive respondents, with a quarter considering it to be their greatest threat. The executives interviewed included owners, presidents, and senior managers, and in spite of the common lack of a business continuity plan, 33 per cent of them felt “very responsible” for their company’s disaster preparedness.
At least when the worst happens, all is not lost: whatever causes e-mail to go down, 28 per cent of a thousand employees interviewed as part of the survey take the opportunity to visit with co-workers, while one in 10 take an impromptu smoke break or go out for coffee.
While Canadian businesses seem relatively unprepared for business disruption following a disaster, they are much more active whyen it comes to information security. A separate survey conducted by PricewaterhouseCoopers and others found this week that 67 per cent of Canadian businesses are engaging both business and IT decision-makers to help resolve security issues, compared to just over half worldwide.
However, they may also be missing the mark: one in six respondents had limited or no security training for end users, making common non-technical attacks such as social engineering much more likely. The Global State of Information Security survey targeted 7800 senior executives worldwide, with 250 Canadian organisations taking part.