If the Internet goes down, again, will you be ready?
The crippling of Internet services early this year, caused by damage to the undersea cables across the Middle East, North Africa and parts of Asia, reminded the industry again how dependent we are on the public network for e-mail, collaboration, e-commerce, public-facing and internal Web sites, and information retrieval by employees. Disaster recovery and business-continuity plans often fail to take into account the threat an Internet disruption poses to a company and its suppliers. Experts predict that it's likely that the Internet will soon experience a catastrophic failure, a multi-day outage that could cost economies billions of dollars. Or maybe it isn't likely. In any case, companies are not prepared for such a possibility.
The confusion for most companies stems in part from the fact that the Internet has never seen anything much worse than local outages and brief slowdowns. But could it? And if it did, how ready would your company be?
A recent Gartner survey found that most organisations are not prepared for a business outage lasting longer than seven days. "The fact that most organisations plan for an outage that lasts up to seven days indicates a huge hole in those organisations' ability to sustain business operations if a regional disaster strikes," said Roberta Witty, Research VP at Gartner.
"The impact of a disaster that lasts more than one week can have enormous negative impact on revenue, reputation and brand. Regional incidents, service provider outages, terrorism, and pandemics can easily last longer than seven days. Therefore, organisations must be prepared. More mature business continuity management/disaster recovery programmes plan for outages of at least 30 days," Witty says.
In a recent Gartner survey (see graphic for more details), when planning for specific types of disaster scenarios, 56% of the companies surveyed also have plans for key service providers' failure, IT outages, computer-virus attacks and terrorism. "With the growing use of third-party service providers to conduct mission-critical business functions, organisations that don't plan for this type of business outage can find themselves in a tough position in the event that this scenario becomes a reality," she added.
Results from a survey of 359 information security and risk management professionals from the US, UK and Canada (Source: Gartner)
What can a meltdown do?
An Internet meltdown could result in a range of catastrophic consequences including reduced productivity and profits, falling stock prices, erosion of consumer spending and potentially a liquidity crisis,
Growing business dependencies on the Internet therefore now require CEO action, because business executives often fail to realise how dependent they have become on the public network for e-mail, collaboration, e-commerce, public-facing and internal Web sites, and information retrieval by employees.
Disaster recovery and business-continuity plans often fail to take into account the threat an Internet disruption poses to a company and its suppliers. Moreover, business executives often mistakenly believe that government will take the lead in restoring network services in the face of an Internet failure.
So what's the way out of this? The thing to do is to say to CEOs, "You may not realise that whole segments of your business are almost completely dependent on the Internet, and it's not enough to have a few IT specialists to help you respond to problems as they come up."
Judging the risk
Stephen Crocker, an Internet pioneer and chairman of the Security and Stability Advisory Council of the Internet Corporation for Assigned Names and Numbers (ICANN), says he tries to walk a line between "Chicken Little, things-are-terrible" scenarios and "Pollyanna, the-world-is-wonderful" views of the Internet. He says, for example, that he worries little about a physical attack on the Internet (against major hubs, lines and so on). "I don't know of any physical attack that would have any widespread or long-lasting effect," he says. "The Internet is pretty robust at the physical layer. There are just too many alternate paths available."
But the Internet is not so robust at other layers. There is the possibility of "systematic failure of operating systems like Windows, or penetration by worms that run rampant and cause massive amounts of chaos," or floodlike denial-of-service attacks. Still, these kinds of disruptions, although annoying and potentially quite costly, are typically resolved in a matter of hours and thus stop short of being the kind of catastrophe we dread.
Put the Internet on your BCM plan
When companies are asked whether Internet alternatives are part of their disaster recovery and business-continuity plans, they often reply that they have not really sat down to go through that kind of thinking. Well, now it's probably a very good thing to do.
The reason is that, although the Internet may have some serious vulnerabilities, some of them could be patched relatively easily. IT and business leaders therefore need to speak up and demand better technology. Today, the network operators, equipment vendors, government and business all seem to accept the idea that the network is inherently dangerous and can't be modified in any useful way.
Experts imply that this is a fundamentally wrong concept. The most important thing companies should do is to band together to improve the overall situation. A "first-class" CIO should approach his CEO with this message: "Boss, we need to take care of ourselves, but we also need to organise into a powerful user group and bring some pressure on [vendors] so that the network is fundamentally safer tomorrow than it is today."
Mending burned bridges
We do concede that many functions in organisations would be a complete "challenge" without the Internet. These moves will offer some protection against network outages, but not 100% protection:
If you access ERP applications via a virtual private network over the Internet, and in turn offer many Web services to external customers from your own data centre, also via the Internet, you may want to flip that around, offering externally facing services from a distant site and hosting applications for internal use in your own data centre. Internal users are less likely to lose the use of their corporate applications if those applications reside in the data centre and don't depend on the Internet.
Use a private, non-Internet network for your core operations and for transactions with major customers.
It's natural for people planning for disasters to concentrate on the big, dramatic events, like the crash of an airliner into a data centre. Meanwhile, lesser but more likely events are ignored. Ensure you plan for local problems that prevent access to your Web site or services delivered via the Internet.
Maybe you should get a cheap Web host to set up as a fail-over site.
Negotiate more aggressively with communications companies and service providers to guarantee diverse routing.
Separate data centres and communication centres further apart geographically (as in the case of companies operating in the financial industry).
Extend your concerns about your reliance on the Internet beyond direct threats to the Net itself.
Remember that some of the most mundane possibilities could turn out to be the most troublesome. For example, in case of a flu pandemic, large numbers of your employees may be forced to work at home via VPNs on the Internet. Think about what will happen to the bandwidth if these people are competing with kids uploading MP3 files?