Methodology
The following results are based on a telephone survey of 100 Information Technology (IT) executives in the Cleveland metropolitan area. The sample of participating companies was drawn from Dun and Bradstreet’s business list of companies with at least $10 million in revenue located in the Cleveland DMA (Designated Market Area). Interviewing in Cleveland was conducted between January 17 and February 7, 2007, and the interviews averaged 10 minutes in length.
Of the 100 Participating Executives:
- 66% are Managers/Directors of IT or IS
- 40% provide oversight and project management for their company’s business continuity plans, 35% recommend the purchase of security products/services for the plan, and 22% are part of a team designing or evaluating the plan
- 55% represent companies with revenues in excess of $20 million (Dun and Bradstreet’s information)
- 57% represent companies with 100 or more employees (information supplied by respondents)
Key Findings
Overall, Cleveland companies are the least concerned about business continuity planning and the least prepared as compared to other markets included in the study.
While business continuity planning is seen as a “priority” by a majority (55%) of IT executives in the Cleveland area, this is much lower than the national results (69%). Additionally, Cleveland executives are most likely to indicate that business continuity planning is not a priority (42% compared to 30%, nationally). Similarly, six out of ten (60%) Cleveland executives indicate their companies have a business continuity plan which is much lower than the national result (72%).
Nationally, 57% of companies have had these plans updated in the past 12 months compared to only 47% of Cleveland companies, and four out of ten (41%) companies nationally have had the plans tested during the same time period compared to only 29% of Cleveland companies.
Nationally, companies are twice as likely as Cleveland companies to implement protective actions when the federal or state government issues an alert for an impending disaster (34% compared to 16%, respectively). Less than half (48%) of Cleveland IT executives view cyber security as a concern compared to 56% nationally. On a scale of one to five, where “5” means a top concern and “1” means not a concern, fewer than one out of ten (13%) rate cyber security as a “5,” and another one-third (35%) rate it a “4.”
Of the 10 market areas included in the study, Cleveland ranks tenth (bottom of the list) in business continuity preparedness.
The Business Continuity Rankings (from 1 to 10) were computed for each market based on responses on three components: Business Continuity Plan (having a plan, last time updated/tested, taking action when alerted by federal or state governments); Actions Taken on Plan (business continuity measures in place including Internet security measures, establishing redundant servers, educating employees, and using a service provider for outsourcing); and Cyber Security (cyber security is part of overall plan, actions implemented including educating employees, defining corporate security policies, and contracting with an outside service provider to manage security).
The Rankings for the Nine Market Areas are
- New York
- Houston
- San Francisco
- Boston
- Memphis/Nashville
- Atlanta
- Los Angeles
- Minneapolis/St. Paul
- Cleveland
If Cleveland IT executives can’t sleep at night, it is because they are worrying about viruses/worms and security breaches. One-third (35%) indicate that worrying about viruses/worms is most likely to keep them up at nigh, followed by security breaches (19%), natural disasters (14%), man-made disasters (11%), and corporate/eCommerce sites crashing (9%).
Detailed Findings
Priority of Business Continuity Planning
Business continuity planning is seen as a “priority” by a majority (55%) of IT executives in the Cleveland area. One-third (34%) indicate it has always been a priority for their business, and one-fifth (21%) indicate it has become a priority in recent years due to natural disasters, security, and terrorist threats.
Nonetheless, four out of ten (42%) Cleveland execs say business continuity planning is “not a priority.” Reasons for business continuity planning not being a priority include other issues take priority (23%), systems in place are considered sufficient (23%), the probability of a major disaster at the company is small (22%), the probability of a disaster causing business disruption is small (22%), and business continuity planning is too expensive (12%).
Business Continuity Plans
Six out of ten (60%) Cleveland executives indicate their companies have a business continuity plan. One-third (34%) indicate their company does not have a plan, and 6% don’t know if the company has a plan or not.
A plurality (47%) of companies have had these plans updated in the past 12 months, and three out of ten (29%) have had them tested during the same time period. None indicate that their plans have never been updated, but one out of seven (14%) indicate their plans have never been tested. Only one out of six (16%) executives indicates they implement specific protective actions when the state or federal government issues an alert for an impending disaster. The types of business continuity measures that companies have already taken in Cleveland include implemented Internet security measures (57%), educated employees (45%), established redundant servers and/or backup sites (43%), and used a service provider for outsourcing (22%). In the next six months, Cleveland companies plan to implement business continuity measures including establishing redundant servers and/or backup sites (19%), educating employees (14%), implementing Internet security measures (14%), and using a service provider for outsourcing (8%).
Experience with Disasters
Only one-fifth (19%) of Cleveland companies have suffered from a natural or man-made disaster. The vast majority of companies (79%) have no experience with disasters.
The most frequently experienced disasters include blackouts (10%), floods (5%), and fires (4%). Financial damages from disasters tend to be less than $500,000. Eleven companies had financial damages of less than $100,000 and only two had damages between $100,000 and $500,000. One company did experience damages of $1 million to $5 million, while five executives don’t know how much the financial damages were. Given the low experience levels with disasters, the non-financial impact of the disasters appears minimal with only four executives indicating the disaster negatively impacted customer relationships, three indicating the disaster resulted in a reduction in the workforce, one indicating the disaster resulted in a loss of employee confidence, one mentioning the disaster tarnished their company’s reputation, and one mentioning a loss of stockholder confidence. Eleven executives indicate their companies experienced none of these non-financial damages. Even so, almost all (15 out of 19) companies that suffered a disaster did take action to reduce business interruptions in the future.
Cyber Security
Three out of four (77%) Cleveland executives indicate that cyber security is part of their company’s overall business continuity plan. Only one-fifth (22%) indicate cyber security is not part of the plan, and 1% doesn’t know if it is or not.
Actions that Cleveland companies have taken when it comes to cyber security include defined corporate security policies (64%), educated employees (58%), and contracted with an outside service provider to manage security (24%). Viruses and worms are the most significant perceived threats to cyber security in the minds of Cleveland IT executives. Eight out of ten (80%) indicate this is one of the most significant threats, followed by “hackers” (43%). Other perceived threats to cyber security include SPAM (40%), an internal accident (32%), internal sabotage (31%), and customer, partner, and/or vendor access to internal systems (20%).
Less than half (48%) of Cleveland IT executives view cyber security as a concern. On a scale of one to five, where “5” means a top concern and “1” means not a concern, fewer than one out of ten (13%) rate cyber security as a “5,” and one-third (35%) rate it a “4.”
Another one-third (32%) rate cyber security as a “3,” while one-fifth (20%) rate it as not a concern (a “2” or a “1”).
IT Worries
If Cleveland IT executives can’t sleep at night, it is because they are worrying about viruses/worms and security breaches. One-third (35%) indicate that worrying about viruses/worms is most likely to keep them up at night, followed by security breaches (19%), natural disasters (14%), man-made disasters (11%), and corporate/eCommerce sites crashing (9%).