Recovery position

One minute you're sitting at your desk, the next you're blown off your chair. A year ago this week, that terror became reality for workers caught in the Docklands IRA bomb blast.

The human life that was lost can never be replaced, but your data, equipment and business can, providing you follow a disaster recovery contingency plan. This plan had better be good, however, because a bomb can blow apart all but the most foolproof schemes.

In the Docklands disaster, damage to buildings and lost business cost a devastating #200m and many of the companies affected have still not fully recovered. But has this terrorist activity roused the UK business community from complacency and encouraged them to put in disaster recovery plans?

Not really, according to Mike Quinn, sales and marketing director at disaster recovery firm Guardian Computer Services. 'When a bomb goes off, people go into headless chicken mode. Unfortunately, the issue of disaster recovery slips down the agenda over time.'

Peter Barnes, general manager of Survive, a trade association which advises on disaster recovery, does believe that the Docklands and Manchester bombings have had an effect. Membership of Survive has grown about 24% in the last year. Before the bombings, there was little change in membership levels, he says.

However, this is only a qualified pat on the back for the industry. He warns that companies with inadequate disaster recovery plans outnumber those that are prepared, a fact borne out by market research.

Insurance companies are also putting pressure on their customers to implement disaster recovery plans. Some will lower the cost of policies given evidence that an adequate disaster recovery programme is in place.

The threat of terrorism spurred London legal firm Manches into reviewing its disaster recovery plan. Alun Lamerton, chief executive of the firm, says: 'Manches is in a vulnerable spot, surrounded by embassies and the High Court. We realised that we needed to review our security and disaster recovery procedures as part of our overall business plan.'

Derek Brookes is IT director at Manches. 'Our product is words. Our lawyers spend most of their time using words to create the documents vital to our business. Most of this information is now stored on computers. We needed to ensure that, no matter what, we could secure and retrieve this information. Bombs are not the only threat, we are also at risk from fire, theft and human error,' he says.

The firm analysed its business model and realised that it couldn't survive without an IT system for more than four to six hours. It chose a third party, IBM, to supply a complete business recovery plan. This offered everything the firm required to cope in an emergency - computers, desks, fax machines, phones and switchboard facilities, meeting rooms, post facilities and photocopiers.

Mike Harper, European product manager at storage supplier StorageTek, says that replacing IT hardware is probably the easiest part of dealing with a disaster. 'These days you can replace hardware very quickly, but a company's information is its business. It is more important to have a set of documented procedures and to recreate an office environment,' he concedes.

Harper suggests that the key to a watertight disaster recovery plan is making sure the right people are available at the right time. This means having up-to-date names of key holders and IT administrators who have network passwords.

'It's no good having a disaster recovery plan if the person central to the operation is in the Bahamas,' Harper pragmatically points out.

Conventional wisdom advises that duplicate data should be stored at least 20 or more miles from the originals. In a networked environment, this can be accomplished by sending data to a secure location many miles away.

But even with this contingency, it's vital to check the data you are backing up, says Harper. You should also make sure the service level agreements you have with your disaster recovery firm are up to date. Otherwise you could find yourself in a situation where your replacement PCs turn out to be 386s when you need Pentiums, simply because no-one had looked at the contact since 1992.

To ensure business continuity, companies must decide what needs to be recovered first, says Vernon Lloyd, principal consultant at help desk vendor Ultracomp. 'There is no point recovering information about the company's payroll or other non-essential information that is stored on computer until the crisis has been averted,' he says.

Some companies are over-budgeting for disaster, trying to reproduce the office set up instead of just establishing a skeleton crew operation. 'If 200 people are employed at a company, managers should ask how many staff the business can temporarily do without, until the crisis is over,' Lloyd says.

Despite the precedent set by the Docklands, Manchester and other more mundane threats, there is still an air of complacency about disaster recovery in the UK, believes Lloyd. Many companies just prefer to think it could never happen to them.

However, the number of companies adopting disaster recovery plans is growing - slowly. But it is not the hot priority it should be. One of the reasons for this is the constant stream of technology coming onto the market, bringing new problems and forcing companies to revise their plans.

One development which could have a positive effect on disaster recovery plans is the network computer. Important data will not be kept on the desktop but on a central server, which is easier to back up. In addition, some companies are inadvertently helping their security by laying private fibre optic cables for remote mirroring of data.

But sometimes hi-tech wizardry and disaster recovery contracts aren't needed to save the day. One company was saved from catastrophe simply by a wooden desk. When thieves broke into the office they missed the file server used for backing up data, because it was hidden behind the desk.

The facts - Who's ready for disaster?

The Information Security Breaches Report, published by the National Computing Centre (NCC) late last year, showed that disaster recovery is still not a priority for most companies.

Nearly two thirds (63%) of the 661 companies surveyed had formal disaster contingency plans. But this was only an improvement of 4% on the same survey two years ago.

Large organisations and certain industry sectors, particularly finance (91%) and utilities (72%), were more likely to have some kind of disaster recovery strategy.

The IT, health and education sectors were less likely to have a plan, the survey found.

Although 60% of UK businesses had a disaster recovery plan in place, 25% of the respondents had never tested it.

Large organisations and companies in the finance sector were found to be most likely to carry out routine checks. But all the companies with plans appeared to understand the need to update them regularly.

Overall, the survey found that 90% of respondents with contingency plans had reviewed them in the last two years.

While 52% of organisations with a disaster recovery plan said they normally review their plans annually, 56% of respondents in the finance sector indicated that contingency plans were reviewed more than once a year.