Tag Archives: BCM

Accountancy Magazine – Flirting with Disaster

I was quoted by Accountancy Magazine in an article covering Disaster Recovery. I was talking about the potential business impact for those that did not adequately plan and budget for disasters and how difficult, if not impossible, it would then be for them to survive one.

The article is available online at:


ISNow – Business Continuity

The following introduction was originally published in the BCS Information Security Now Magazine, Winter 2006/2007 issue (Volume 1, Issue 2), which was on the topic of Business Continuity:

Business Continuity
Businesses need to plan and prepare for the worst – and survive, it if it happens. This should be embedded in every part of the organisation that is relied upon for continued business, as it is only as strong as the weakest part.

There needs to be a formal approach to identifying and managing any risk to the organisation, and this is especially true where it is business affecting. Unlike some policies, which are dusted off when there is an infraction, business continuity management (BCM) needs a constant presence.

This means that the business must adequately identify and assign a value to its critical assets, and assess both the threats to those assets and the impact if those threats are realised.The output of this process should be a business impact assessment (BIA), which can then inform prioritisation and mitigations.

The BIA might also be used as a risk assessment for information security management, if the relevant information has been gathered. Either way, the business now has some numbers to crunch and use to identify the risks that are above its risk tolerance and which must therefore be addressed.

A BCM programme needs to work on reducing unacceptable risks in line with the business’s continuity strategy, develop continuity plans and responses, building and embedding a continuity culture, and exercising, maintaining and auditing the plans. This is a process of continual improvement and there are now standards to help.

When events do occur, a proper response must be made, in a timely fashion. People on the ground need to be empowered to make those difficult, business affecting decisions and should be suitably senior, or authorised and trained.

New Threats
Apparently 2006 was the year of zero day (0-day) vulnerabilities.That is, vulnerabilities were used or released before the vendors with either advised or prepared with a fix. Reasons are varied but, like the attempted auction of the Windows Metafile (WMF) vulnerability, are likely to be financially motivated.

In 2007, expect this area to grow, with vulnerabilities hunters seeking fortune over fame.To defend against vulnerabilities unknown, apply the old but effective defence in depth – and don’t expect the vendor to keep you safe.

Other things that may emerge this year, are increased targeting of different operating systems (e.g. Mac OS X), new platforms (e.g. games consoles with online capabilities), online games, along with more targeted phishing and malware which will be harder to identify and block.”

A PDF version of the magazine is available online at: