Recent hurricanes have done more than expose the inadequacies of the government's disaster preparations; they have sparked debate on the deficiencies of plans for Internet-related threats.
ADVERTISEMENT
On Monday, congressional lawmakers demanded to know why the Department of Homeland Security and owners of major commercial enterprise infrastructures have not done more to safeguard the country against major Internet attacks.
With much focus on the security required to protect the nation's physical borders, fewer resources have been devoted to Internet security, said Forrester Research analyst Alan Webber. "Security is such a broad topic in government," he said. "A lot of people don't realize the large number of vulnerabilities a system can have."
And due to the constantly evolving nature of Internet-related threats, governments are continually playing catch-up, Webber said. "Emergency preparedness always seems to lag behind once the emergency has passed," he added.
Government Security
According to Webber, the number of security issues demanding the nation's attention has quadrupled since the Sept. 11, 2001, terrorist attacks. Most open-access government systems, for example, are not well protected, he warned. Threats can range from bugs in software code to employee-caused attacks from the inside.
Thus far, the government's recovery plans related to Internet disasters have been defined by continuity of operations (COOP), a government strategy that dictates certain minimal levels of operation that are acceptable following an attack. Webber doubts that a more comprehensive cyber-attack plan will be in place before a major catastrophe strikes, despite ongoing cries from politicians.
And even if there is a plan, he said, there is always going to be a way to penetrate critical systems. But the analyst doesn't suggest throwing in the towel completely. He said CIOs can learn from government inadequacies by investing the requisite time, human resources and money into securing their systems.
COOP for Business
Webber recommends that companies begin establishing a framework for recovery by appointing one person who is entirely responsible for disaster-recovery plans. Businesses also must ensure that this leader is not just a figurehead. "If you make them responsible but you don't give them a way to fix the problems, it's useless," he said.
Next, said Webber, businesses must identify their various COOP levels. The analyst suggested identifying not only the difference between basic, partial and full functionality, but also the resources required to meet those operational levels. Companies also must remember to identify the proper location for those resources to react to an attack effectively.
Finally, companies must take a realistic approach to predicting how long they might need to sustain these levels of operation. "Before Katrina, we would have said that enough food and water for three days would have been enough," he said. "Now we know that it isn't enough."
Personnel and Practice
"It may seem callous, but from a business perspective, companies need to make sure that they have supplemental or back-up personnel in their off-site locations," Webber said. Webber recommended that, while no one wants to call certain employees replaceable, it still is important to ensure that multiple employees can perform the same key job functions.
Weber also suggested that businesses should update their disaster-preparedness plans annually and run regular drills to prepare for the worst. At the most basic level, companies must ensure their employees know how to react when disaster strikes. "They need to know what they will do if the phones are down or the electricity goes out," said Webber.
While lawmakers might call for implementing new security and disaster-preparedness guidelines, Webber believes that these steps will help companies refine strategies and decrease the threat from attacks, Internet-related or otherwise.
http://news.yahoo.com/s/nf/20050929/tc_nf/38369;_ylt=Agjyw5mUT8SppyyOYpyS4LgjtBAF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl
ADVERTISEMENT
On Monday, congressional lawmakers demanded to know why the Department of Homeland Security and owners of major commercial enterprise infrastructures have not done more to safeguard the country against major Internet attacks.
With much focus on the security required to protect the nation's physical borders, fewer resources have been devoted to Internet security, said Forrester Research analyst Alan Webber. "Security is such a broad topic in government," he said. "A lot of people don't realize the large number of vulnerabilities a system can have."
And due to the constantly evolving nature of Internet-related threats, governments are continually playing catch-up, Webber said. "Emergency preparedness always seems to lag behind once the emergency has passed," he added.
Government Security
According to Webber, the number of security issues demanding the nation's attention has quadrupled since the Sept. 11, 2001, terrorist attacks. Most open-access government systems, for example, are not well protected, he warned. Threats can range from bugs in software code to employee-caused attacks from the inside.
Thus far, the government's recovery plans related to Internet disasters have been defined by continuity of operations (COOP), a government strategy that dictates certain minimal levels of operation that are acceptable following an attack. Webber doubts that a more comprehensive cyber-attack plan will be in place before a major catastrophe strikes, despite ongoing cries from politicians.
And even if there is a plan, he said, there is always going to be a way to penetrate critical systems. But the analyst doesn't suggest throwing in the towel completely. He said CIOs can learn from government inadequacies by investing the requisite time, human resources and money into securing their systems.
COOP for Business
Webber recommends that companies begin establishing a framework for recovery by appointing one person who is entirely responsible for disaster-recovery plans. Businesses also must ensure that this leader is not just a figurehead. "If you make them responsible but you don't give them a way to fix the problems, it's useless," he said.
Next, said Webber, businesses must identify their various COOP levels. The analyst suggested identifying not only the difference between basic, partial and full functionality, but also the resources required to meet those operational levels. Companies also must remember to identify the proper location for those resources to react to an attack effectively.
Finally, companies must take a realistic approach to predicting how long they might need to sustain these levels of operation. "Before Katrina, we would have said that enough food and water for three days would have been enough," he said. "Now we know that it isn't enough."
Personnel and Practice
"It may seem callous, but from a business perspective, companies need to make sure that they have supplemental or back-up personnel in their off-site locations," Webber said. Webber recommended that, while no one wants to call certain employees replaceable, it still is important to ensure that multiple employees can perform the same key job functions.
Weber also suggested that businesses should update their disaster-preparedness plans annually and run regular drills to prepare for the worst. At the most basic level, companies must ensure their employees know how to react when disaster strikes. "They need to know what they will do if the phones are down or the electricity goes out," said Webber.
While lawmakers might call for implementing new security and disaster-preparedness guidelines, Webber believes that these steps will help companies refine strategies and decrease the threat from attacks, Internet-related or otherwise.
http://news.yahoo.com/s/nf/20050929/tc_nf/38369;_ylt=Agjyw5mUT8SppyyOYpyS4LgjtBAF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl
