The Credit Research Foundation. Disaster Recovery and Business Continuity. Of Your , Credit & A/R System. An Occasional Paper February 2003

Transcription

1 Disaster Recovery and Business Continuity Of Your , Credit & A/R System Executive Summary The Credit Research Foundation An Occasional Paper February 2003 Since September 11, 2001, 67% of the 229 companies responding to our survey have taken increased measures to ensure the security of their data and electronic systems. However, less then 10% of credit executives are concerned about a possible threat to their credit, A/R and customer information systems from a cyber attack. is most often used as a customer service tool, followed by its use in the collection area. Sixtyfive percent use in collections. Fifty-six percent of the respondents have a disaster recovery or business continuity plan in place for functionality in the event of a disaster. Seventeen percent of the credit executives responding said they have experienced an outage that caused a significant disruption to their business.

2 Background The Credit Research Foundation was interested in learning the degree of dependency that credit professionals place on electronic systems in their daily business routine; and the extent to which they feel they are vulnerable to an attack on their electronic systems, customer information and privacy. We queried the membership and received 229 responses in December Our sincere thanks to Lawrence Baye, Principal of the Management Consulting Services section of Grant Thornton LLP for providing the background information on a subject that frankly is not an area of expertise within the CRF staff. How concerned are you about the threat of a breach of your electronic systems? How serious an effect would that have on your credit and A/R organization? Is anything being done in your company to thwart an attack? While we asked several questions about e- mail systems in particular, these and other questions where the focus of this survey. E- mail is an important aspect of security due to its prevalence in the credit workplace and it s convenience for transmitting harmful viruses. Attacks are becoming more frequent and complex, and often go undetected, and business losses from security incidents are on the rise. Incidents and events are very separate terms that are often used interchangeably in error. Each month, nearly 10 million events occur in organizations of even moderate size. Sorting through this extremely high number of events on a day-to-day basis represents a big challenge for many enterprises. An event is any observable occurrence in a system and/or network. Events occur often, and when considered individually can seem isolated and disconnected. Incidents add context among a set of events that enable security administrators to gain understanding and take action if necessary. An incident is a set of one or more security events or conditions that requires action and closure in order to maintain an acceptable risk profile. Here are some examples of incidents, all of which are comprised of one or more events: 1 Large-scale infection by a virus or worm Disruption of service System misuse by an employee Computer intrusions attempts (either failed or successful) to gain unauthorized access to a system or its data Denial of Service attack Anonymous FTP abuse Changes to system hardware or software without the owner's knowledge, instruction, or consent Systems running software applications that are vulnerable to attack 1 Finding the Incident in a Haystack of Security Events, Dec 10, 2002 Symantec Enterprise Solutions 1

3 Business Continuity Grant Thornton defines business continuity risk as: The threat of any incident that may cause an extended disruption of business functions; or, impact the ongoing integrity of the firm. This definition is appropriate for our use in the context of this paper. GT further breaks down the risks of business continuity as Traditional Concerns: Fire Storm Flood Hurricane And less publicized but emerging trends: Intrusion (physical or logical) Control failures Sabotage Terrorist activity (also physical or logical) Here are some statistics: 2 out of 5 businesses that experience a major disaster will cease to exist within 2-5 years (Gartner, 2001) Some believe that as many as 80% of businesses suffering a major disaster will cease to exist as a direct or indirect result (BCC, 2001) Less than 50% of existing business continuity plans meet their firms recovery objectives (KPMG) The average bank robbery yields $2,500; average computer crime nets $500,000 (CSI/FBI 2001 Survey) What is at stake for your organization? Assets "at risk" Customer confidence Employee comfort and confidence Fiduciary responsibility Regulatory and other compliance Insurance 'out' clauses Trading partner relationships What are the consequences for your organization? Customers move to "more reliable" competitors Idle time of non-productive employees Loss of customer service satisfaction Cost of rebuilding lost data (errors/rework) Additional staff needed to resolve problems Fines and penalties imposed by regulatory agencies Fines and penalties associated with existing contracts Breakdown of internal controls 2

4 Below is a summarization of the findings of our study: Since the attack of September 11, 2001, has your company increased its measures to ensure the security of its data and electronic systems? 66.8% Yes 33.2% No How would you rate your concern over a possible threat to your credit, A/R and customer information systems from a cyber attack? (e.g., virus, hacking, etc.) 29.6% Not concerned 61.4% Somewhat concerned 9.0% Very concerned has certainly become a major and indispensable tool for communication. When asked, if is used as an integral part of the process in the following six tasks, here are the responses: is used as an integral part of the process of administering credit and A/R in the following tasks Customer logistics / operations 17% Credit risk management 17% Customer Service 21% Collections 19% Deduction resolution & management 17% Cash Application 9% 3

5 What platform does your credit organization use? 50.9% Microsoft Exchange 26.3% Lotus Notes 5.3% Novell GroupWise 7.9% POP3/SMTP 0.0% IMAP4 0.9% Outsourced provider 8.8% I really don't know How many users are there in your area of responsibility? 34.1% < Than % % % % % % > Than 100 Examining the number of users in relation to the kind of system: Number of Users Within Your Area of Responsibility System Used < Than > Than 100 Microsoft Exchange Lotus Notes Novell GroupWise POP3/SMTP IMAP Outsourced provider I really don't know

6 Disaster Recovery Is there a disaster recovery or business continuity plan in place in the event of a disaster to make functional? 56.1% Yes 8.3% No 35.5% I don't know What would be the effect of getting the SERVICE back almost immediately, but losing all the historical messages? 17.0% Not a problem because I print all important s. 7.4% 59.4% Not a problem because I copy all critical s and attachments to a separate removable storage media (floppy, zip disk, etc.). Not a significant problem because our IT department backs-up incoming and outgoing s. 16.2% That would be a significant problem. Is considered a mission critical application to the areas you manage? 16.2% Very critical: crucial to the operation. 58.3% Important, but not mission critical. 25.4% Not critical to conducting business, it is more of a convenience, we can operate without it. If suddenly became unavailable, how long would it take before the service interruption began to adversely affect your areas of responsibility? 11.0% Almost immediately 7.9% Under 2 hours 9.7% 2-4 hours 7.0% 4-8 hours 15.4% 24 hours 16.3% 2 days 32.6% Never, business isn't dependent on . 5

7 Have you ever experienced an outage that caused a significant disruption in your operation? 16.7% Yes 83.3% No For those who replied YES to the above question, the following is an indication, by length of outage (the hours), the number of times the respondents experienced any substantial outages over the past 12 months regardless of the cause: internal or external, viruses, denial of service attacks, server failures, natural disasters, cut lines, etc. Lasting < than 1-5 hours 22.6% Happened One time 48.4% Happened 2-3 times 16.1% Happened 3-5 times 9.7% Happened 5-7 times 3.2% Happened 7-10 times Lasting 6-12 hours 50.0% Happened One time 50.0% Happened 2-3 times 0.0% Happened 3-5 times 0.0% Happened 5-7 times 0.0% Happened 7-10 times Lasting hours 62.5% Happened One time 37.5% Happened 2-3 times 0.0% Happened 3-5 times 0.0% Happened 5-7 times 0.0% Happened 7-10 times 6

8 Lasting > than 24 hours 50.0% Happened One time 16.7% Happened 2-3 times 16.7% Happened 3-5 times 0.0% Happened 5-7 times 16.7% Happened 7-10 times Lasting > than 48 hours 83.3% Happened One time 0.0% Happened 2-3 times 0.0% Happened 3-5 times 0.0% Happened 5-7 times 16.7% Happened 7-10 times In the event of a disaster, would the senior executives of your company feel that it would be critical to have services available within minutes following the disaster (rather than several hours or days) as a means of communicating with employees and customers? 43.4% Yes 56.6% No Are senior executives (CEO, CIO, CFO) currently pressing for a solution for continuity in the event of an outage or disaster? 13.8% Yes 23.6% No 62.7% I don't know Is your credit and A/R information 100% electronic rather than paper files? 24.8% Yes 75.2% No 7

9 Is there a recovery plan in place for your credit and A/R data (ether electronic or paper data) in the event of a disaster? 75.8% Yes 24.2% No Business Impact Analysis Have you conducted a Business Impact Analysis specifically for the credit and A/R area in preparation for a loss of data? 22.0% Yes 78.0% No If yes, was it conducted internally or by an external organization? 88.5% Internally 11.5% How often do you or your IT people back up your electronic data? Externally * * Responses were primarily major accounting firms rather than disaster recovery specialty firms. Indicate only the most current backup frequency whether from IT or yourself. 20.2% Several times in 24 hours 73.2% Once in 24 hours 1.8% Every other day 1.3% Once a week 0.9% Several times a month 0.4% Once a month 0.4% Once a quarter 0.4% Once every 6 months 0.0% > Than every 6 months 1.3% Actually I have never backed up my data. 8

10 Where is the back-up data stored? 10.0% On site but not really in a protected area 36.8% On site but in a very secure area 28.6% Off site in a company owned location 38.2% Off site with a service company 6.4% Other What is your time objective for system recovery under your disaster recovery or business continuity plan? 4.0% < Than 1 hour 12.0% 1-2 hours 15.5% 2-4 hours 10.5% 4-8 hours 38.5% Under 1 day 13.0% Under 2 days 2.5% Under 4 days 4.0% < Than one week Do you have a contingency plan in place in the event that you can't recover the data? 52.9% Yes 47.1% No Is your data recovery absolutely assured? 35.7% Yes 15.2% No 49.1% I don't know 9

11 Consequences In a recent Grant Thornton analysis for a $200M catalog company, it was calculated that because 40% of their revenue is earned during the Thanksgiving to Christmas 5 week period, a single week of computer outage (assuming they could not catch-up and customers went elsewhere) would cost them $15-20M per week in sales, billings, receivables collection, etc. If the distribution/fulfillment center were impaired, the consequences would be more dramatic, especially if the company supplies mass merchants and department stores that now deem the supplier to be unreliable and look for permanent replacements. This is not limited to consumer industrial products companies: Recently an audit recognized a real estate firm would lose over $10M per month for failure to bill timely...and those tenants already delinquent and facing legal action would get an extension (and perhaps a free ride on their receivables) since required notices could not be issued timely. When the executives were shown the impact, they recognized the potential for disaster and requested a disaster recovery/business continuity plan be initiated immediately...they are also in a very high profile NYC building ("target"). What you should be doing now: The experts at Grant Thornton recommend the following course of action Develop a plan Do you have a comprehensive plan? If NO: Get management buy-in Form a team Perform a business impact analysis Determine your recovery objectives Cover the essentials Develop the plan Train your employees Test the plan Maintain and update the plan Review your plan Changes since last review: new systems, infrastructure changes Are responsible individuals still with your firm? Does it provide for restoration of core business functions? Are your critical resources centralized? Service contracts included? Get a 3rd party perspective Will your plan work in today's environment? 10

12 Test it - at least annually Maintain it Review important processes Are your critical processes paper intensive? Next to people, paper records are the most difficult component of any business to replace. What are my vital records? What are the retention requirements? What would happen if my vital paper records were destroyed? Consider document imaging and workflow automation. Re-think current processes Automate paper-intensive processes Provide an electronic record of important documents. Confirm legal admissibility ROI very high - usually pays for itself What else can you do? Review your outsourced services Does your service provider have a disaster recovery plan? Are they viable over the long term? Many recent ASP, ISP, and carrier failures What controls are in place to prevent unauthorized access to your data? Have these controls been tested by an independent third party? Form alliances Is there a subsidiary, business partner or even competitor that you would be willing to team with? Is there a company that has similar equipment to yours, whose technology resources (e.g. data center) can be made available to you if necessary? Copyright 2003 by the Credit Research Foundation. All rights in this paper are reserved. No part of the paper may be reproduced in any manner whatsoever without written permission. Printed in the United States of America Credit Research Foundation 8840 Columbia 100 Parkway Columbia MD