Disaster recovery: Be prepared... or else

It?s a little-known statistic that the chances of winning the lottery are similar to those of having a plane crash into your house. And just as the National Lottery is a licence to print money, so some disaster recovery vendors use scare tactics to sell you their products and services.

The threat of terrorism may have receded over the last couple of years, but terrorist incidents have focused organisations? minds on their vulnerability ? and the impact on business when an IT disaster occurs.

?A business can just as easily go under as a result of a fire, industrial action, computer breakdown or robbery,? argues Barney Bannington, financial director of Telehouse Europe. ?In terms of frequency, disaster recovery plans are more often invoked due to a computing problem than any major incident ? although full relocation will most often be due to a fire.?

For some time now, disaster recovery planning has been essential for front-line offices such as dealing rooms. With the growth of computer users in all departments ? ranging from computerised accounting systems to sales leads records ? contingency planning has become an essential for all areas of the business.

?As an incentive, insurance companies and auditors are advising organisations to implement effective disaster recovery plans by rewarding them with up to a 40% reduction in premiums,? says Dave Kennington, managing director of recovery specialist, Barron McCann. ?Even though 86% of companies have their technology insured, only 9% assign a monetary value to their business information, which is far more valuable,? he continues.

The growth in computer technology has prompted growth among disaster recovery suppliers. More and more companies are now making a serious commitment to disaster planning to minimise the disruption caused should disaster strike. At the same time, a growing number of organisations are using back-up systems to maximise the efficiency of normal operations.

?The existence of a resilient business continuity plan, or lack of it, may play an important part in the future purchasing policy of many organisations.

?It is not beyond reason to expect that companies may soon be required to include in their audited financial statements whether or not they have a disaster recovery plan in place ? as this may affect its credibility as a going concern,? continues Bannington. ?Most companies suffering a disaster will not survive beyond 18 months of the event.?

The potential fall-out from a disaster affects a wide circle of direct and indirect groups, from employees and shareholders, to customers and suppliers. All stand to lose substantially if a business continuity plan is not in place.

Disasters that deny individuals access to their places of work can be big or small, ranging from acts of God and terrorism to careless road diggers. However, that risk not only needs to be avoided but effectively identified, monitored and controlled.

According to Peter Alexander, managing director of the Montal Group, most people?s perception of disaster recovery is still based around mainframes, emergency generators, mobile offices and so on. The reality is that companies now rely completely on computers at all levels.

Since most organisations are now online they tend to focus on re-establishing the computer centre with small and portable computers.

?With traditional disaster recovery geared towards the larger user, service providers have had to radically alter their services,? says Alexander. ?The nature of the risk affecting us all is changing.?

Ultimately, disaster recovery is a form of insurance, and one can pay for basic cover or for a number of additional policies ready to be used in the event of an emergency. However, identification of the risks is the essential first step in planning a disaster recovery process. They also need to be prioritised.

Some risks might expose a company to a degree of financial loss; others may fatally damage an organisation.

?Imagine no offices or factories, no phone systems or computer networks. Then the need for an effective disaster recovery strategy appears sound business sense,? says Bannington.

In evaluating risk you must first quantify the probability and maximum threat of each risk exposure. Once identified, these risks can be divided into those that are within the compass of your company?s control, and those which are not.

?A business needs to take steps to reduce the effect of exposure to preventable risk, if not eliminate it altogether. However the cost of doing this may well exceed the maximum possible loss arising from the risk,? adds Bannington.

Emphasis should be as much on prevention as recovery. A wide variety of services are available to advise on insurance against business interruption, alternative and mobile sites, off-site data storage and archiving, planning software, restoration and damage limitation and of course, consultancies offering assessment, testing and support.

Unfortunately, as the number of disaster recovery suppliers grows, the threat of sub-standard facilities can arise. This is exacerbated by the intricacies of an IT service. ?Indeed, it is very difficult if not impossible to inspect what is actually available, or planned, or perhaps what is promised without contention,? says Bannington.

?Services need to be checked, diverse routes verified, DR staff vetted, information services contracted, to ensure that the site can distribute data as contracted. The only real measure is a full disaster recovery test,? he adds.

UK companies: The disturbing facts

Business continuity and disaster recovery user group, Survive!, defines a disaster as ?any event causing loss in excess of #10,000, or which inhibits the organisation from achieving its mission. A recent Survive! survey found that 7.5% of UK organisations suffer ?disasters? each year. The Business Information Security Survey ?98 reports that half of all respondents have suffered from an information security breach. According to findings in ?Corporate UK and The Internet?, just released by the Federation Against Software Theft, research amongst 200 UK businesses shows that 47% openly admit that they do not know how to protect against the misuse of the Internet within their organisation

Survival tips from top to bottom

Conduct a risk management audit within your company. What is the most likely threat to your business? Is it, for example, fire, flood, power blackout or malicious damage? Identify critical business functions necessary for the short term survival of the business. Then provide back-up facilities for those functions. Consider the human factor. Whatever the incident, you will be expecting people to work over and above their normal contractual obligations. Select a team of appropriate people to manage a disaster ? one person per area of business activity that would be most affected by a disaster (be it the chairman, personnel, operations, finance purchasing and distribution, PR or communications).You should also appoint a somebody to lead the disaster recovery team. Stage a mock disaster to check procedures. Formulate a strategy and schedule. Emphasise the process of communication ? internally and externally. Ensure that your organisation performs a security review at least every three months. Make sure that access codes are changed regularly. Properly thought out and tested plans can make the all the difference. Interruption to a business is often unexpected and even if essential elements are available, people need to know what to do at the time of a crisis. Ensure that your building is protected from unwanted intruders. Install high-security surveillance systems, including video monitoring, 24-hour security and sound detection monitors. Ensure that you have made adequate provision against disaster and that it is regularly reviewed. Find out what the situation is with your insurers for immediate assess damage and make interim payments. Ensure your plan guarantees a full recovery within an acceptable time acceptable to the business ? whatever the cause of system discontinuity Source: Guardian Computer Services and Telehouse