In the information age, productivity miracles have become almost commonplace. But living digitally also entails risk – the kind of risk that can bring a business to the precipice:
- A new Veritas Software / Dynamic Markets survey found that, three years after 9/11, 43 percent of organizations worldwide are still not ready to respond to a major disaster. The report, which surveyed 1,259 IT professionals around the world, found that only 38 percent claimed to have comprehensive, integrated disaster recovery and business continuity plans in place – even though 92 percent acknowledged that serious consequences would result if they were faced with a major disruption to their IT infrastructure.
- Big business is grimly aware that disaster recovery is not the priority it should be. In a SunGard / Harris survey of Fortune 1000 companies, those responding gave themselves just a B when grading their company's ability to access business-critical data after a disaster.
For small and mid-size businesses, a disaster recovery plan is not just a good idea, it's a necessity. But whatever a company's size, the threat of disaster is real, with new virus and worm attacks launched regularly, threatening data and network security at every turn – and the pressure to protect information and business systems is not only economic but now comes with the full force of the law. Legislation such as the Health Insurance Portability and Accountability Act (HIPAA), along with Sarbanes-Oxley compliance and stringent SEC and IRS regulations, requires many industry segments to provide information safeguards in case of disaster.
For an organization whose very existence depends upon its web-based applications, disaster can strike in any number of ways: viruses, worms, network failure, hardware crash, power outage, fire, natural disaster or cyber terrorist denial-of-service attack. But despite the growing threats, small and mid-size companies are especially vulnerable when it comes to disaster preparedness – in part because many lack both the consciousness to integrate disaster planning into the "normal" routine and the tools / staff to make preparedness happen.
According to a nationwide survey conducted for BroadSpire last year, more than one-third of American workers are "quite" or "somewhat" concerned that a natural disaster or terrorist act could take out computer systems at work. Another survey, conducted by Imation, reports that about 30 percent of companies lack a formal disaster recovery strategy and 64 percent of companies say their data backup and disaster recovery plans have significant vulnerabilities.
Virtually every corporation of any appreciable size has an IT department staffed with people who are trained to analyze their company's level of preparedness and then enhance it, as needed. But smaller firms – many of which do not have any specialized IT knowledge in-house – must make a conscious effort to learn the vocabulary and practices of disaster preparedness.
Who's at Risk?
Almost every small and mid-size company is vulnerable to the effects of a disaster to a certain extent, but businesses that have the most to lose are those that are highly dependent on e-commerce, email or other Web-based communication, and online collaboration tools to sustain their critical business functions. The more connected they are, the higher the risk and the more they have to lose.
Unfortunately, many smaller companies increase their own likelihood of encountering disaster with indiscriminate processes – like installing random applications on computers without knowing the implications, opening email attachments from unfamiliar addresses and downloading trial versions of software and leaving them on the server. Technology redundancies, while helpful in many cases to keep things running, can cause a small failure to quickly turn catastrophic as it moves unimpeded through an entrenched network.
Further, small and mid-size businesses are perennially understaffed, often leaving preventative routines like data backup and virus software updates to fall by the wayside – making companies vulnerable to disaster and not prepared to mitigate the damage once a disaster occurs.
But disasters can be anticipated and planned for, and data and systems often can be recovered. All it takes is forethought and some preventive action. Disaster recovery plans are not just for the big guys. With so much riding on data integrity, no business can afford to ignore disaster planning. There are several basic steps a company of any size can incorporate to fend off disasters and increase the chances of recovery when one occurs.
Procedures as the Secrets to Prevention
Many of the most important steps in disaster recovery are inexpensive and easy to implement reliably. The key is developing procedures that mitigate risk while protecting critical business functions and information.
Begin by developing a clear, repeatable process for backing up data and your entire network – and then make sure to follow through and do the backups faithfully, according to that schedule. This is the basis for all disaster recovery plans – even if it's just one person using the Windows backup software, copying data to a DVD or CD and taking that media home or to another location. It's basic, it has zero cost implications and it works.
The next key step is to make sure backups are in fact usable. According to a recent study by Storage Magazine, only half of all businesses ever test their tape backups and of those that do, 77 percent find that they are unable to fully recover data from those tapes.
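One way to run such a usability test on a file-level backup, as an added example that is not part of the original article: it records a SHA-256 manifest at backup time, then reads every file back out of the archive and compares it against that manifest. The tar.gz format, the manifest approach and the function names are assumptions chosen for illustration.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path

def _digest(stream):
    """SHA-256 of a binary stream, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()

def make_backup(source, archive):
    """Archive every file under `source`; return a {relative path: sha256} manifest."""
    source, manifest = Path(source), {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            with open(path, "rb") as f:
                manifest[rel] = _digest(f)
            tar.add(path, arcname=rel)
    return manifest

def verify_backup(archive, manifest):
    """Read each file back from the archive; return problems (empty = recoverable)."""
    seen, problems = set(), []
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in (m for m in tar if m.isfile()):
                seen.add(member.name)
                if member.name not in manifest:
                    problems.append(f"unexpected file in backup: {member.name}")
                elif _digest(tar.extractfile(member)) != manifest[member.name]:
                    problems.append(f"content mismatch: {member.name}")
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        # A truncated or damaged archive surfaces here instead of at restore time.
        problems.append(f"archive unreadable: {exc}")
    problems += [f"missing from backup: {n}" for n in sorted(set(manifest) - seen)]
    return problems

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample data
        src = Path(d, "data")
        src.mkdir()
        (src / "customers.csv").write_text("id,name\n1,Acme\n")
        archive = Path(d, "backup.tar.gz")
        print(verify_backup(archive, make_backup(src, archive)) or "backup verified")
```

Store the manifest separately from the archive so that damage to one does not hide damage to the other.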
Retail virus detection software solutions provide another critical layer of protection, as long as they're kept up-to-date. In addition, install an email filtering program and keep Windows updates current.
Do not store everything – email, accounting software, customer database, etc. – on one server. Distribute key data and applications across more than one machine, so all is not lost if a system crashes.
Once all these pieces are in place, establish some company-wide guidelines to help prevent a virus-related disaster. These may include shutting down computers every night, a schedule of regular updates and patches, periodic password changes, rules about opening email attachments, guidelines on how to protect data while working in public places (like airplanes or Starbucks), and tips on how to ensure the physical security of laptop computers and actual office buildings.
Plan, Plan, Plan
Any business that has data to lose should have a disaster recovery plan in place. It does not require an IT expert – in fact, there's software available that helps companies form their own plans. Some key elements of a good plan include:
- Assignments – Employees need clear-cut roles once disaster strikes, and these need to be determined before disaster strikes. For example, someone should be in charge of communications (working with the phone company or email host to re-establish connection, if necessary), another person can oversee data recovery, someone else can make sure the company Website is accessible, etc.
- A communication plan – Provide a list of key cell phone numbers to employees to keep on hand in case you lose phones and email. Have someone designated to call important contacts – clients, vendors, partners – to tell them what's going on and how to reach you in the meantime. Make arrangements in advance with your host (if applicable) to provide a backup email system to access during or after a disaster, to keep critical business communications flowing.
Outside Help – Look to Your Host
If your company works with a Web hosting company, your host can do a variety of things to protect data and Web functions in case of disaster, speeding up recovery time significantly.
For starters, ask your host to keep your contact and vendor lists in a secure, web-accessible location outside the company's data center. This may not seem important at the moment, but after a fire the last thing you want is to realize the only surviving copy of these lists is stored at the home of your former business manager – who moved out of state two years earlier.
Also ask your host to provide an instant messaging platform to serve as the critical communications system between all employees when disaster strikes, a backup email system to capture corporate email and prevent "bounces" during an outage at the main data center, and a "hot" standby email system for communication during disasters. This system will work when company email does not, and will allow all employees to communicate with one another – with all communications stored in backups.
Make sure your host can provide you with a geographically diverse DNS and a dedicated server to allow corporate websites to stay online even during a disaster. This service either can move corporate Web traffic to this standby server, or simply display a notice to end-users. Traffic can shift back to corporate data centers once the outage has been rectified.
While most disasters are not entirely preventable, there are measurable steps that small and mid-size companies can take to protect their critical business functions. The modest up-front investment will pay dividends down the road, sometimes even saving a business from the ultimate disaster – bankruptcy.