Disaster recovery is understandably a top concern today for IT organizations, given the tragedies that took place on September 11, 2001. Yet while many enterprises have disaster plans in place, a startling few have yet to test backup plans and security mechanisms.
Experts say the lack of follow-through on IT testing and mock-scenario response is mainly due to human nature and not an intentional oversight. Bill Van Emburg, cofounder and COO of Quadrix Solutions, a systems integrator in Piscataway, NJ, points out that fully tested disaster recovery programs are the primary reasons why New York organizations hit by the recent terrorist acts were back to work so quickly.
"The IT departments in New York that were able to get systems up and running quickly after the recent attacks were able to do so because they had the right people, processes, and infrastructure in place,” says Van Emburg.
In this article, we’ll outline the steps and necessary follow-through required to ensure that recovery plans can restore the IT organization when the unexpected hits an enterprise.
Implement a disaster plan now
The first point, experts stressed, is that it’s never too late to put an IT disaster recovery and response plan together. In fact, according to Mark Schertler, director of network security for IT consultant Primitive Logic in San Francisco, there hasn’t been a better time to prepare for the worst.
“You really don’t know when an attack is going to occur, as the New York tragedy showed us,” said Schertler. “One thing that is really overlooked is some people put the plans in place, but they never test them,” he said. And as many organizations in New York unfortunately discovered, “things may not exactly work how you thought.”
It’s highly likely that many companies would experience that scenario if hit with a disaster today. According to a recent research report by Oak Brook-IL based IT management consulting firm Compass, just 25 percent of UNIX midrange data centers have a disaster recovery plan in place. Moreover, one-third of those surveyed with a recovery plan in place have yet to test it. The research was based on performance analyses of approximately 150 midrange data centers over the past 18 months.
“Many managers of midrange data centers either feel the applications involved are not mission critical, or they simply don't see disaster recovery as enough of a priority to spend the money," explained Compass senior consultant Doran Boroski.
Peter Giannacopoulos, president of Myrmidon Networks Inc., knows too well the importance of preparing for a potential terrorist attack. His firm helped reactivate three businesses impacted by the World Trade Center events.
“As a businessperson, you need to realize that you're at war with people trying to steal your intellectual property or disrupt your business operations for their own purposes, regardless of whether you’re a startup or an established enterprise,” said Giannacopoulos. “It’s critical to instill the proper discipline and mindset throughout a company to stick with strong security procedures and not to underfund your security infrastructure.”
What steps should your company take to prepare?
Frank Boscarillo, senior vice president for network operations at KMC Telecom in Bedminster, NJ, serves as KMC's designated disaster recovery manager. He provided 10 steps CIOs can follow to better prepare and manage a crisis:
- Be prepared. Take time to sit down and consider the possibilities of what could happen, envision the worst-case scenario, and plan accordingly. "By designing a plan that is meant to react to the worst-case scenario," Boscarillo said, "you will ensure that measures are incorporated which can be applied to lesser emergencies."
- Document your plan. Put the plan down on paper and share it with all employees. "Your employees must know the procedures in place to carry out the plan," advised Boscarillo. "Documentation and education are critical to ensuring that people are ready to act when the unthinkable happens."
- Designate and define roles and responsibilities. Designate emergency managers within the IT shop to handle procedures in case of a disaster. Define their roles and make sure everyone knows their responsibilities in case of an emergency.
- People come first. In the event of a disaster, plan for the safety and well-being of IT staff and customers first. In some cases, this may mean calling security or reaching out to get food, water, and medical help.
- Back up the data. Part of the day-to-day activity within IT should include backing up data and documents. Boscarillo recommends keeping one copy of your backup in a fireproof box on-site and keeping another copy in a fireproof box off-site.
- Select alternate IT locations. Identify, in advance, where IT would relocate in a disaster scenario. Select primary, secondary, and third-choice options, any of which could mean relocating to a different building, another city, or another state.
- Establish a communication plan. How would IT function if it lost phone lines, high-speed connections, and/or third-party connectivity? Be sure to review plans and backup with all service providers.
- Document a restoration plan. List all critical names and contact information, including phone and cell numbers, pagers, and e-mail for the following:
—Company emergency team
—Critical IT personnel
—Service and emergency management
- Educate employees. Be sure everyone in the IT department knows emergency evacuation exits and processes in place for shutting down systems in an emergency situation.
- Review. Review the disaster recovery plan once every quarter and update all names and numbers. "This is an important step to ensure your readiness to act in the face of disaster," Boscarillo stressed.
Are you ready?
Do you have a disaster plan in place? If so, have you tested it? Write and tell us how you’re prepared for the unknown.