John O'Neill asks whether we really understand the risks...

John O'Neill asks whether we really understand the risks involved in IT

There can be few businesses that do not rely heavily on IT for their continued existence and growth. Most large organisations have fine-tuned the customer facing elements of their activities with the help of strategically deployed IT. Now they are turning their attention inwards - to their back office processes to see whether IT can work its magic there too, delivering efficiencies in processes and savings in cost.

Everything in business involves risk; it always has. Commercial opportunities come from understanding and managing those risks. It is what separates the innovators from the traditionalists in the business world. But do we really understand the risks involved in IT? The Chartered Management Institute recently published a survey that makes interesting reading.

Respondents to the survey are concerned about loss of IT capacity, loss of skills, people, negative publicity and fire. It is unusual for all these factors to converge, but they did for those businesses with offices in the New York World Trade Center. In our loss adjusting work we often see at least two of these factors in the large insurance claims we handle.

Dependency on suppliers is an increasingly important element in modern business models. Perhaps it is surprising that the importance of some of these trading relationships is often only realised after a severe loss - when it may be too late to develop alternatives. Sole supply arrangements and so-called partnerships are all well and good, but both sides need to understand the focus of risk that they present. As with everything in risk management, provided the risk is understood, minimised and planned for, then post loss management should work smoothly. Yet we often find gaps in the risk management process: insurance, for example, is available, in certain circumstances, against the effects of supplier or customer failure. Such policy extensions are often overlooked.

It is an area worth looking at, because in many industries second string suppliers are not always able to increase their production to meet unexpected market needs. New suppliers might take time to identify and adapt their production runs, or acquire the right skills. All of this conspires against the team trying to restore the trading performance of a business to pre-loss levels.

IT suppliers should be considered in the context of all this, both from a specific viewpoint and from the effects that disruption in the complex IT trading might have globally. The SARS outbreak in the Far East, for example, could lead to supply problems in the UK and cost the worldwide IT industry billions of dollars. The Aberdeen Group, an organisation specialising in IT research, estimates the lost IT spending in the countries worst affected would amount to £1.45bn and this would have a knock on effect for planned improvements in business processes across the globe. Silicon chip manufacturing could also be disrupted and release dates for new hardware and software would slip. If companies such as Intel had to scale back production of chips, the shortage could disrupt many corporate IT renewal programmes, which could then impinge on e-business implementation strategies.

Disruption to business processes can come in a number of ways, and IT is often involved. I have seen what can happen in a large business when changes to complex IT deployments are made by staff working with poor documentation under severe time pressures. All the ingredients for a disaster are there, and we see it time and time again - after the loss has occurred.

Inevitably, when things go wrong in large organisations, accountabilities usually inspire improvements to processes, including change controls. In some cases, particularly with IT-related disasters, the exact sequence of events may become vague, or the cause be attributed to spurious events. This does not help risk managers to manage operational risk holistically, but it may protect the positions of key IT staff. Explaining the loss of revenue when a firewall has been breached and a virus has destroyed valuable data would be an IT director's nightmare, but the lessons learned might be usefully shared at senior level. Commercial interests may preclude wider sharing.

Perhaps it is partly because of risk that outsourcing is now so popular. Cost savings, additional expertise and extra capacity can all be valid reasons for choosing to outsource elements of a process, but could the risks involved go undetected?

Significantly, with IT now enabling real time, low cost communication across the globe, many services involving computers or telephony are now performed for UK companies in far away places. However, do the companies providing the services have robust processes? Are they in turn outsourcing or subcontracting their activities? What backup procedures are there? Do all the processes comply with UK legislation, such as the Data Protection Act? Such questions need to be asked at the outset and periodically afterwards, so that confidence in the arrangements remains high.

Intangible risks
Before the widespread adoption of the internet, most risk was physical. You could see it, touch it and imagine it. It would also typically be confined to one location. The electronic era has changed all that. A digital risk can manifest itself simultaneously across multiple locations in ways that are often difficult to detect and expensive to prevent. A determined hacker, or an active virus can wreak instant havoc across an organisation. As organisations form themselves into loose alliances connected by technology, a hit on one could become a problem for the entire virtual structure. It is certainly a twist on risk as we have come to understand it, but what can we do to guard against it?

Certainly we should remain vigilant and check that we understand the processes that our businesses rely on. Then we can see where the risks lie, where technology plays a part and what we might do about it. This process needs to include organisations where close working relationships exist, to see what the effect of, for example, data unavailability might be. In some industry sectors it could be very inconvenient. How would an online stockbroker fare in these circumstances? The manufacturing sector, serving some of the world's best known brand names, has automated stock control systems that feed data up and down the supply chain, helping component manufacturers to match their outputs with end customer demand. If this data is not available for an extended period, then production cannot be planned so efficiently; stock levels might need to increase - just in case, and costs will certainly rise. Because margins have probably never been finer, at no time in history would such an event have been less convenient.

How alert are we? Turning back to the survey that I cited earlier, there was more concern about the possibility of disruption caused by the fire fighters' strike than the war in Iraq. Security consultant mi2g monitors virus and hacker attacks and reports that the world record for the number of successful verified digital attacks carried out in one month has now been broken with a total of over 20,000 in the first 20 days of May. Should we become concerned in case our businesses are targeted in the future?

According to David Perry, an advisor to the US Government, the world's security experts have struggled to find holes in government systems. He says that a worst case scenario seems to be physical terrorism coupled with denial of service attacks on emergency services. There appears to be a mismatch of information, and risk managers will be left wondering just how seriously to take the threat of electronic terrorist disruption.

There is a view that well organised and educated internet terrorists pose a significant economic threat to their targets, which may include western governments and well known companies. On 15 April this year, for example, five UK government websites were compromised by DkD, an anti US/UK/Israel group protesting against the war on Iraq. Dealing with these kinds of threats requires vigilance on a national and local scale. We all need to develop contingency plans to allow us to trade through the disruption that digital attacks can cause. Particular market sectors may also need to work together as communities to develop such plans. A concerted digital attack on the financial markets, for example, would undermine confidence in a sector still reeling from the effects of several major collapses and long term exposures to a variety of risks. Such an attack may not have the terror factor that the protagonists might want. Instead they may turn to disruption of public services. It is a scary prospect, and one that western governments are taking very seriously.

Perhaps digital terrorists would not want to restrict themselves to predictable IT targets like these. They could instead seek out some of the multitude of industrial controllers that govern a variety of processes. Many are connected to the internet. If one controlling the water supply was tampered with, who knows what the consequences might be? How long would it take for anyone to notice and how far reaching could the effects be?

Ironically, the internet can play a further role in maximising the damage from digital disruption. Adverse publicity could add to the woes of already beleaguered organisations. We all know how damaging bad publicity can be. The internet is a strong vehicle for spreading news and can help tarnish reputations very quickly and publicly. It is, however, one of the most significant innovations of the last century: we should not let its good points become obscured by the risks from e-business.

John O'Neill is special projects director, Cunningham Lindsey United Kingdom, Tel: 0121 233 6771, E-mail: john.o'neill@uk.cunninghamlindsey.com

Risk transfer
Dominic Crosse, underwriter, crime and financial institutions, AIG Europe (UK) Limited says that the complex nature of the risks involved and lack of strong actuarial backup make the underwriting of internet liability exposure difficult. However, insurance can protect a business from the financial impact of a major cyber threat, and such threats are certainly not limited to those businesses which have full e-commerce trading exposure. Any company with access to e-mail or the internet can be susceptible. Risk assessment services can also examine any chinks in a company's armour.

Crosse suggests that major threats to business include:

  • Cyber extortion - where someone gains unauthorised access to a system and steals sensitive information, for example customer credit card details, or places malicious code into a system. The perpetrator would then request a 'consulting fee' not to publish this information, or to inform the company where the destructive coding and security vulnerability can be found. In this situation, the organisation is keen to avoid the details of its lapse in internet security becoming public knowledge - a fact the hacker is quick to exploit. The incident could possibly involve the hacker claiming his actions are carried out on behalf of a terrorist organisation. One must ensure the cyber-insurance policy has been specifically endorsed to provide coverage for such a scenario. Although these incidents are all too common, little information

    about them is released to the public domain.

  • Loss of data and loss of e-revenue - an organisation's revenue generating web operations can be subject to a disruptive attack, for example denial of service, or can be hit by a malicious code where data is lost or corrupted. The company can suffer costs relating to the reinstatement of data (commonly excluded by property/computer policies if following a 'malicious attack') and the lost e-revenue whilst the website is down and in subsequent weeks while normal service is resumed. Almost every day we hear statistics relating to the increased number of attempted and successful hacks and attacks that are taking place on computers accessing the internet. These losses are likely to become increasingly commonplace. It is not only the large 'e-tailers' who are exposed; even a company which simply uses the internet to provide e-mail to its employees can be the recipient of a damaging virus, leading to loss of company information.This cover is almost market-wide excluded from computer 'all risks' policies and similar reinstatement of data/revenue protection coverages.
  • Third party liability - claims for damage or injury suffered by others following a security breach represent a serious threat to an organisation. Loss of, and subsequent misuse of, third party information can result in defence costs, settlements and judgements running into high sums and can cause damage to an organisation's reputation.

    A range of insurance covers is available, each suited to the particular 'cyber activities' of an organisation.

    Ensuring continuity
    Jon Leigh, director of Escrow Solutions at The NCC Group, claims that too many businesses are playing 'Russian roulette' with their technology by relying on a disaster recovery (DR) plan to safeguard their business without including escrow protection for their critical IT systems. "DR plans are designed to provide a framework for continuing your business should a disaster occur, but what happens if it is not your business that is impacted, but that of your software supplier?" he asks.

    Many businesses rely on software companies to develop and maintain their vital systems, and, in the case of a software emergency, they are usually the first port of call. But, if for some reason the supplier could no longer meet his contractual obligations to supply, fix or maintain these systems, where would a business go from there? Leigh says that, as business continuity has risen up the corporate agenda in recent years, businesses have been entering into escrow agreements with their software developer to ensure they will have access to their software DNA in all circumstances. This trend has accelerated in the last 12 months, due to the uncertain economic climate, with businesses making sure they are not left high and dry if their software supplier goes into liquidation.

    An escrow agreement is a contract made between three parties: the supplier (licensor), the user (licensee) and an independent escrow agent. Under this agreement, the licensor agrees to send a copy of the source code to the escrow agent. The escrow agent agrees to hold the source code securely and to release it to the licensee only in the event of certain predefined trigger events. Businesses should check that the escrow agent provides full testing facilities, to ensure that the source code deposited can be compiled and built into the application that they use, advises Leigh.

    Technology and software continue to play an ever-increasing and critical role in all organisations. In this environment, Leigh says that it is evident that only organisations that take a total and continuous view of risk and manage it effectively, through incorporating escrow as an integral part of their disaster recovery plans, will be enabled for successful business in the future.