Compliance Management

Dealing with disaster

Employees have other things on their minds, like deadlines and upcoming client meetings. However, there's been some preparation: business continuity plans are in place. So in a few hours, the entire staff will be working on mobile devices from home, and the location and status of the backup data will have become crucial.

This scenario has corporate executives from large and small organizations alike now realizing the importance of maintaining business continuity and disaster recovery plans. But strategies differ, depending on the firm's size and the type of sensitive data they are trying to protect.

Technologies for backup data should depend on a company's specific needs, according to many security experts. For Anderson Hospital in Maryville, Ill., it's critical for staff to be able to access medical records quickly — especially for the patient information entered the previous day.

Anderson uses two backup locations, one at the hospital and one in a bank vault at a different location, according to Michael Ward, director of information services.

"You think about providing care for the patients. When we had our storage area network (SAN) crash, the most important information was from the last 24 hours," says Ward, referring to patients that have just finished surgical procedures. "We talked to the different units and asked them what information they needed so that we could print out and work from paper. Those things we print out every 24 hours, so in the event that we have some sort of technical problem, we can at least print out the information needed."

In addition to news-making natural disasters and other catastrophic events, federal regulations also are driving various sectors, like financial services, to plan to remain open during disasters, says Jim Greenway, vice president of marketing for Milpitas, Calif.-based Array Networks.

"The [federal government] is saying that in any kind of disaster, we're going to stay open, so we expect you to stay open. If people can't go to the office, that's something we have to deal with," he says. "Banks have to be open. So I think we're seeing particular interest from the health care and financial industries because those people have to maintain operations no matter what."

Larger companies, too, back up more information, and often use multiple forms of technology to do so because they are usually better regulated and have a bigger budget to spend, says Matt Fairbanks, senior director of product management for Symantec, Cupertino, Calif.

"Small businesses generally rely more on tape as their recovery times are a little more lenient. They don't have to have as much redundancy as far as their hardware gear. They're relying almost exclusively on backup technologies," he says. "When you start moving up the pyramid, those types of companies are doing that, but they're also adopting very aggressive clustering and replication, to two or three data centers that they have a hosting relationship with. Small businesses don't have the budget or the business requirements to be back up that quickly."

Larger companies will even go so far as to have multiple data storage centers in distant locations. Small businesses, however, are more likely to be able to recover from a loss of revenue after being knocked offline for a few days, says Greenway.

"The larger companies have another data center. The small and medium businesses usually do not have a data center," he says. "With a small business [in the case of a disaster], I'm not saying they won't be impacted. If they're knocked out for a day or two, it's not the same level as the larger businesses. With larger businesses, you have hundreds of thousands of employees being affected. And larger businesses also risk millions of dollars in transactions."

Jim O'Connor, director of product marketing for Bus-Tech, a mainframe connectivity vendor based in Burlington, Mass., said financial firms tend to take fewer chances, keeping copies of important data separate from each other, yet close enough to be transferred easily.

"We work for a lot of financial interests. You'll see that a lot of them have data centers five to 10 miles apart," he says. "A lot of them kept tape, which is then sent to Iron Mountain [Boston-based global leader in information protection and storage services]. Now many use a tape-on-disk application. Instead of cutting physical tape, it actually transmits the data onto the same disk."

Living dangerously

Still, compliance demands and recent terrorist attacks or natural disasters aren't spurring all companies to action. The majority of companies responding to a recent survey by Hewlett-Packard say they do not regularly test and review their disaster recovery plans. Only 26 percent of respondents — out of 340 chief information officers and IT managers polled worldwide — say they routinely put their disaster recovery plans through testing. Seventy-four percent of the poll's respondents represent companies with more than $100 million in annual revenue.

Some experts have warned that while recent examples of both man-made and natural disasters remain in the news, corporate IT spending has not matched the levels of initial interest shown after major disasters.

Unfortunately, many businesses only respond to seeing other, less prepared corporations wiped out by unexpected worst-case scenarios, says Fairbanks.

"What we saw immediately post 9-11 was a sharp spike in interest [in disaster recovery strategies]. As we get more distant from such a disaster, it starts fading from some people's radar screens. It's unfortunate that it takes a tsunami or a hurricane to remind people of such things," he says. "From a business standpoint, that's what has changed since Katrina — the amount of interest and the amount of budget [allocated for disaster recovery]. We saw that first thing after 9-11. We saw that the first thing after the first World Trade Center bombings and the [terrorist attacks] in Europe."

Daily disasters

Readying for natural disasters and other devastating events also keeps corporations ready for the smaller, but still deadly, daily attacks by hackers and malicious users.

"One thing that we are seeing now is that there is a marked shift toward companies preparing for everyday disasters as well as major disasters. And they want to see it done in a low cost, effective way," says Steve Hammond, senior vice president of business development at Unitrends, a Columbia, S.C.-based data protection vendor. He adds that even spam is a nuisance that can slow down a network.

Anderson Hospital's Ward had to deal with a small disaster of his own in recent months — SAN crashes within weeks of each other. At this point, he is using on-site recovery tools to keep his hospital functioning in case of a disaster.

"With something like an earthquake, we haven't come across a scenario like that yet where an off-site recovery plan is needed," he says. "In that regard, there is no physical damage to the infrastructure, as there is with the reformatting of hard drives or a hard drive going bad. With the equipment on site, we can respond to that. We have hot spares available," says Ward. "We noticed that we had database corruption with our email system, and we migrated it over to another system with very little effort. We were able to bring up email with very little downtime."

Worth the money

While high-level executives may not immediately see the dividends of instituting a coherent business continuity strategy, they are, in fact, signing corporations up for insurance policies that could save them millions of dollars in the event of disasters, say security experts.

And, one way IT professionals or supervisors convince executives to endorse a continuity strategy is by showing that dollars can be stretched to prevent both everyday emergencies and regional disasters with the same equipment, says Craig Carpenter, senior director of marketing and global channels for Mirapoint, a Sunnyvale, Calif.-based company offering appliance-based solutions for secure message networks.

"People should realize that you can have an effective business continuity solution that doubles as something else. It just depends on where you place your assets," he says. "You can stretch budgets a lot more than some people realize. We found out the hard way when people started doing it on their own. The key is to stretch that budget dollar."

We welcome your comments. Email us at [email protected].



Be prepared

Here are a few ways your business can be prepared for a natural disaster:

1. Know what you have

Before buying new software or hardware, a business needs to conduct a risk analysis to understand what data needs to be backed up and how often.

Businesses should conduct an inventory of their IT assets to identify the most important assets of the IT infrastructure and how service would be affected if one went down.

Then stay up to date with software maintenance, which will also minimize the threat of an attacker accessing the system.

2. Prioritize business operations

Your recovery plan should consider every aspect of your business, including loss of premises, software, hardware, communication, machinery, documents and vital information. Consider what is critically needed for businesses to operate should a disaster strike.

3. Secure and protect your systems

Create a risk assessment list that relates all of the possible risks that can threaten your system's availability, including virus attacks, floods, fires, thefts, etc.

Deploy a wireless solution so that users can access pertinent applications and resources via mobile devices. Put in place a wireless security solution.

4. Create a disaster recovery plan

Create a well-defined, coordinated disaster recovery plan to store and protect files. It's also best to have a written plan and a team of employees who would be involved. Practice your disaster recovery plan several times a year.

Source: CA

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.