A denial of service attack was mounted on a financial services company, which resulted in the company’s website and email systems being inoperative for three days. The company invoked its business continuity plan, which involved using the resources of a third-party continuity supplier. Although basic operations could be carried out from the continuity site, the usual standards of service, already strained, fell short and affected the company’s reputation. Significant service backlogs started to build up and service targets were missed on a large scale. Although regular business continuity exercises had been carried out, these were largely desk-based and not sufficiently rigorous. On the basis of these exercises, formal assurance had been communicated to the board with a ‘green’ risk rating.
Lack of investment over many years in the company’s IT infrastructure had resulted in poor resilience and inadequate capacity planning. There was also an over-reliance on a small number of experienced IT staff who had been working in the company for many years. Most experienced IT staff had left during a downsizing exercise several years before, and the newer IT staff did not have the necessary experience to manage the idiosyncratic and disparate environment. Documentation was poor or non-existent, and many of the IT systems were built on old and unsupported hardware and software. Recovering the IT systems to their former level of functionality took a further three days. The backlogs took several weeks to clear, and a team of 20 temporary staff was hired to help with this task.
Although the company recovered to its standard levels of service after several weeks, its reputation was damaged and new business sales took over six months to recover.