

Small and medium-sized businesses must take action to
protect their data, networks and key staff to ensure they can cope
with any eventuality. Helen Beckett investigates the key
issues.
Physical disasters such as last December's explosion at the
Buncefield oil depot hit the headlines and prompt the realisation
among business people that catastrophes need to be a key element of
all strategic planning, especially as even small companies are
dependent for their survival on IT systems being up and running at
all times.
Just as pervasive virus attacks have forced computer security on
to the radar of small companies, so physical disasters have
prompted the realisation that "it could happen to me".
However, the ostrich tendency is still evident among UK
companies, particularly in the small and medium business community,
where uncertain cashflow persuades owners they cannot afford
contingency planning. According to research conducted by Henley
School of Management last August, 46% of UK SMBs have no business
continuity plan.
Typically it is not until disaster strikes that a business takes
action. One business that survived the Buncefield oil depot fire by
thinking on its feet was contact centre equipment distributor
Dacon, which admitted its brush with disaster has prompted it to
think about taking a more formal approach to business
continuity.
Statistics show that businesses cannot afford not to invest in
some sort of contingency plan to ensure their survival. A
University of Texas study of companies that suffered a catastrophic
data loss found that 43% never reopened, 51% closed within two
years and only 6% survived.
In the UK, the Department of Trade and Industry's 2004
Information Security Breaches Survey found that small companies
lose an average of two days of business after a security incident,
and each incident costs between £5,000 and £10,000.
Increasing volatility in the world and digitisation of business
makes risk assessment more complex, and it is important for IT
managers to keep talking to their colleagues. Traditional lines of
responsibility are being redrawn and silos of thinking intended to
address specific aspects of contingency are being pushed
together.
"'How can my business function when bad things are happening,
whether it's a Trojan attack or a plane falling out of the sky?'
These conversations have converged," said Bill Henry, chief
executive of managed service provider Star Systems.
He pointed out that many discussions in companies of all sizes
are spearheaded by the finance director because that person tends
to be the most risk-aware.
Increasingly, the terms disaster recovery, business continuity
and even data availability are becoming interchangeable. Noel
Carey, business continuity and recovery consultant for IBM
Services, said an even more useful concept for small firms is
business resilience. It enables a company to think ahead about how
to cope with massive and unforeseen demand for product, he
said.
Apart from high-profile disasters, two other factors push owners
to make plans for business continuity. First, the spread of
e-commerce means fewer businesses work in a silo and there are more
points at which they connect to customers and suppliers over the
internet.
This lengthening of the digital supply chain is bringing
pressure to bear on small businesses to prove they have adequate
contingency plans.
Second, trading regulations such as the US Sarbanes-Oxley Act
and the UK's imminent Companies Act require firms to show they have
good governance procedures. "Two years ago, most mid-sized
companies viewed business continuity as a 'big business' problem,"
said Henry. "There has been a change in perspective and that has
been driven by governance."
Whether you call it disaster recovery or business continuity,
common principles underpin a sound strategy. Three elements - data,
networks and people - figure in all disaster scenarios.
And while a business with 50 people or fewer may struggle to
afford the solutions that are at the disposal of bigger companies,
it is possible to take simple, practical steps to safeguard these
elements.
First, get a decent plan in place and work out which
applications are critical to the survival of the business. It is
usually feasible to do without HR and payroll for up to two weeks,
for example. An audit by a consultant to identify risk may be money
well spent if it is matched with appropriate investment.
"The aim is not to spend too much money on disaster recovery but
not to spend too little either," said Rob Thomson, director of
SunGard Availability Services.
A third-party opinion may also avert the common mistake of
focusing exclusively on data. As Evolution Security Systems'
technical director, Peter Jackson, pointed out, "It is all very
well having data backed up or having a spare server ready to go,
but what if the building or people are not there?"
Nonetheless, most experts agree that data is a good starting
point and is also the most straightforward part of the plan.
"Essentially, disaster recovery boils down to back-up and it can
cost relatively little," said Jackson.
Making sure data is backed up and a copy kept offsite - usually
on tape - is the equivalent of reaching first base in data
availability. And the good news is that it need not cost more than
a few hundred pounds.
Beyond basic back-up, there are methods of ensuring that data
can be processed and accessed by staff that come in rising levels
of sophistication - and cost. At the top end is the "hot site", a
fully replicated configuration of computers plus office space for
staff to move into. A more modest variation might be a "ship to
site" where a replica server is kept in an airtight case and
transported to the client's alternative office.
The people aspect is the hardest to plan for, and no one has
really cracked the problem of what to do if you lose critical
staff. Planning where to put people if an office disappears is an
easier task, and smaller companies may have the advantage here
because they can relocate to someone's house if push comes to
shove. Thomson suggests it might even be possible to have a
reciprocal arrangement with another company in another location to
accommodate one another in the short term.
The network part of the contingency plan has traditionally been
the most challenging and the preserve of large, well-heeled
companies. As Thomson acknowledged, "Maintaining a fully redundant
network is prohibitively expensive for any size of business. The
advantage of using disaster-recovery specialists with datacentres
is that they have multiple access points from multiple telecoms
carriers. It is possible to rig up lines and capacity to fit most
situations."
But the advent of affordable networking technologies that make
remote access possible may encourage smaller businesses to opt for
DIY disaster recovery. Many homes, for example, are wired with
broadband and may be able to provide temporary network capacity.
Small businesses have also been quick off the mark to adopt voice
over IP. The driver may be cost saving, but the flexibility to plug
an IP phone into any computer on the network has not passed them
by.
But David Beesley, director of consultancy Network Defence,
cautioned IT-savvy companies not to think they can improvise. "Yes,
distributed technology makes elements of DIY disaster recovery
easier," he said, but pointed out that IT configurations are
getting more complex all the time. "Even though you can now extend
the office phone to someone's house, all the core data and systems
are still at the centre at the end of a virtual private network
tunnel."
In some crises, remote access may be sufficient. Beesley cited
the example of a legal firm in Birmingham that could not enter its
city-centre offices because of a bomb scare. However, because the
power was still on and the applications were still running, key
staff could continue working from home, even though the company's
offices were cordoned off. On the other hand, Beesley described how
a services company had to switch its central power off and was
without key data for three days after a major incident.
It is hard to predict the timing and scale of any crisis, but
the message from the experts is that small businesses must put
aside some thinking time. Beesley said, "The starting point is data
availability. It's the pillar of business continuity."
Case study: Building society's dedicated approach
"What happened with 9/11 prompted us to scrutinise how quickly
we could get information back," said Neil Williams, assistant
general manager at Market Harborough Building Society. The company
therefore reviewed business continuity from an operational risk and
IT perspective.
The main banking product used a dedicated data recovery server.
The building society spent £40,000 on hardware, licensing and
consultancy to get applications to a data recovery centre in a
state that would fail-over should the office server fail.
Williams explained, "We were becoming increasingly dependent on
other applications, including e-mail." In March 2003, the firm
installed an e-mail archiving system to ensure every e-mail was
stored for data protection purposes.
"E-mail was the weak link," said Williams. "All paper
correspondence was scanned but e-mail retention was down to the
individual."
The e-mail archiving system from Zantaz archives to its own data
store and keeps an index in an SQL Server database. For the
purposes of business continuity, when the e-mail is written to the
data store, it is also mirrored, using Doubletake, to another
server off-site.
Case study: Dacon is quick on its feet
"I got a call from the alarm company at 7.15am. They couldn't
get hold of the police or fire brigade and so I set off up the M1.
At Junction 10, there was a glow on the horizon." The words of
Richard Hollinshead, IT services manager for contact centre
equipment distributor Dacon, recall the start of a recovery
operation from the Buncefield fire. His quick response enabled him
to salvage three servers from Dacon's damaged offices before the
fire brigade cordoned off access.
The swoop meant Hollinshead could plug the accounting, mail and
file servers into his home broadband, which became the backbone of
a makeshift office.
A main concern was keeping e-mail up and running. "It was easy
to set up a VPN from the routers, and so 12 key personnel could
securely log in and out of the new home network."
Dacon had an advantage - it sells call-centre telephony
equipment. Hollinshead reconfigured a digital line extender to a
number in Wales that took all incoming calls. "We had a limited
telephony function, but crucially the sales and technical calls
could continue," he said.
"I'm happy with the things we did and the way we responded. But
it did make me think about back-up plans and putting things in
place more seriously."
Look out for the SMB Handbook
You don't have to be the biggest of companies to get the best
from IT. On 14 March Computer Weekly will publish a 36-page
handbook showing how SMBs can use IT to transform the company.
The SMB Handbook will look at the latest IT products and
services; how to get the best from your IT budgets; how to
calculate total cost of ownership and return on investment; and how
to get the best deal from external suppliers.
Find out how SMBs can level the playing field when competing
with the larger companies as well as their peers. It's all in The
SMB Handbook: the essential guide to IT for SMBs.
The SMB Handbook will be distributed free to selected readers
with the 14 March edition of Computer Weekly.
It will also be available for free download from 14 March to all
visitors to:
www.computerweekly.com