An industry specialist called one of our sales people to ask, "Why did you name this security supplement Bullet Proof? There's no such thing as a bulletproof enterprise!" He was right, of course, but we needed something dramatic to put on our cover. Consider 'Bullet Proof' to be a mission statement, and one slightly out of reach at that.
You could kit out your IT people in commando gear, wrap kevlar vests around all systems, subject likely in-house end-user miscreants to painful mind-probe techniques, and introduce a sliding-scale deterrent regime (eg, 'You actually opened that @@#%$ attachment! I sentence you to three weeks in the pokey*, stupid'). This approach would be good for IT department morale: team building, and all that.
You could also consider some of the prudent steps as discussed in the following pages that aim to ensure that critical corporate information can never be destroyed and systems achieve very high availability in all relevant circumstances.
Of course, having technology and procedures in place is one thing, but you may never know your true state of risk and readiness until something goes wrong. Check out 'Disaster Diary' from page 18s. Written by an anonymous network engineer, this article tells of a bank that had to vacate its head office for two weeks. The engineer recounts a tale of a successful disaster recovery effort -- to the outside world at least. The inside story involved late nights, the need for duct tape, back-up server licensing hassles, alarm systems that people couldn't use, illegal IP addresses, keys to the building but not the server room, cramped quarters, and parking trouble. Some of this is not surprising given the bank created its Business Resumption Plans by changing the title on plans prepared for the Y2K disaster that didn't happen. The engineer's advice -- you can't think of everything; Murphy's law is stronger than gravity, so relax and cope with it.
More sober advice comes from analysts in their roundtable discussion on pages 20s and 21s. Simon Mingay from Gartner asserts that risk analysis and business impact analysis form the basis of a business continuity plan (BCP). He also points out that BCP is not a sufficiently valued discipline in this country because Australian enterprises 'rarely experience cataclysmic or high profile incidents'. For a dose of reality, Robert Brigden Jones from Deloittes advises you not to waste effort on business continuity projects where both the probability factors and business impacts are perceived to be low.
General Motors Holden is one company that has done the analysis and subsequent planning, and now aims for 'five nines' of availability for parts of its operations. Pat Seehan, the CIO at GMH, says the company has built its disaster plan around the business plan. The company has analysed every process in the business, apportioned it a value, and then put in relevant, proportionate safeguards. This means that in some cases the car maker has 'hot' back-up standing by (such as for the computers running its production line), while in other places a short period of downtime is allowable while IT staffers manually switch to a back-up system.
In the end it's all a matter of protecting the business, but spending money accordingly. It'll cost more than a few rolls of duct tape.
* Any old disused wiring closet with a big lock and small airholes would do. Punishment for lesser crimes, such as whingeing to an IT staffer, could include three weeks of enforced lunch shop duty, at the offender's expense.