IT implications of the petrol "strike" Tuesday, 26th September

The protest against fuel prices manifested in the "blockade" of petrol depots was reinforced by attacks against the IT systems of various household name companies, the latest of which appears to be HSBC. The whole sorry story has some important lessons for business continuity planning (BCP) in all large companies.

Part of HSBC's website went offline at the end of last week following an attack in sympathy with fuel protestors carried out by a hacker known as Herbless. The attack succeeded because the Microsoft SQL Server software in use still had the default security passwords installed. This laxity is apparently attributable to a company contracted to run the website rather than HSBC itself but demonstrates once again the widespread failure to observe elementary security precautions.

But the implications of the petrol blockade for business continuity planning are much wider than this. A much needed spotlight was thrown on BCP practices in 1999 as companies prepared to batten down the hatches for the millennium date change. That should mean they were thoroughly overhauled then and could be expected to be in good shape now. But not so, it seems.

A curious aspect of the petrol blockade was that it was highly organised without any clear leadership. In effect, it was a demonstration of what can now be achieved by any popular movement armed with mobile phones and access to the Internet. Legislation constraining how trade unions can act thus becomes redundant.

Governments spend a lot of money identifying and tracking terrorist groups that pose threats to society. However, the spontaneous nature of the petrol protest demonstrates the fragility of the assumption that such threats will come from pre-organised and identifiable groups. It's no longer like stalking tigers, more like understanding the conditions that will cause locusts to swarm.

Within days, supermarket shelves were under-stocked or completely out of stock, the kind of scenario envisaged in worst case Y2K scenarios. Yet moves towards eCommerce are pushing companies to get rid of their batch windows and move towards real-time replenishment scenarios, reducing even further the level of stocks they hold. Moreover, sales over the Internet are increasing companies dependence on logistics to get the goods delivered. And the BCP focus in eCommerce? It's on 7x24 server and telecoms resilience rather than on logistics.

The problem with "just in time" policies generally is that they increase the business risks associated with any hiccup in the supply chain or means of supply. And, as the "time" element of JIT reduces through opportunities offered by technology, so the business risk increases for any company without carefully considered BCP.

The popular movement aspects of the blockade and attacks on companies' IT systems have even more disturbing implications. HSBC hasn't got a lot to do with oil, which means that any popular protest in the future (animal rights, green or third world debt issues for instance) ought to be regarded as presenting possible threats to any IT systems, whether the company is relevant to the subject of the protest or not.

And the ability of the public to organise itself ad hoc on any issue on which it feels strongly suggests that government may be going real-time too in previously unsuspected ways. Governments currently govern in batch mode, "batches" of 4,5 or 7 years, depending on general election intervals, and rely on getting unpopular measures out of the way in the early years of tenure so that they are forgotten when the next election comes around. It doesn't look as if they are going to be able to get away with that any more. This is eGovernment with a different slant and with avengeance.

http://www.it-director.com/00-09-26-1.html

-- Martin Thompson (mthom1927@aol.com), September 26, 2000