Small and medium-sized businesses must take action to protect their data, networks and key staff to ensure they can cope with any eventuality. Helen Beckett investigates the key issues.
Physical disasters such as last December's explosion at the Buncefield oil depot hit the headlines and prompt the realisation among business people that catastrophes need to be a key element of all strategic planning, especially as even small companies are dependent for their survival on IT systems being up and running at all times.
Just as pervasive virus attacks have forced computer security on to the radar of small companies, so physical disasters have prompted the realisation that "it could happen to me".
However, the ostrich tendency is still evident among UK companies, particularly in the small and medium business community, where uncertain cashflow persuades owners they cannot afford contingency planning. According to research conducted by Henley School of Management last August, 46% of UK SMBs have no business continuity plan.
Typically it is not until disaster strikes that a business takes action. One business that survived the Buncefield oil depot fire by thinking on its feet was contact centre equipment distributor Dacon, which admitted its brush with disaster has prompted it to think about taking a more formal approach to business continuity.
Statistics show that businesses cannot afford not to invest in some sort of contingency plan to ensure their survival. A University of Texas study of companies that suffered a catastrophic data loss found that 43% never reopened, 51% closed within two years and only 6% survived.
In the UK, the Department of Trade and Industry's 2004 Information Security Breaches Survey found that small companies lose an average of two days of business after a security incident, and each incident costs between £5,000 and £10,000.
Increasing volatility in the world and digitisation of business makes risk assessment more complex, and it is important for IT managers to keep talking to their colleagues. Traditional lines of responsibility are being redrawn and silos of thinking intended to address specific aspects of contingency are being pushed together.
"'How can my business function when bad things are happening, whether it's a Trojan attack or a plane falling out of the sky? These conversations have converged," said Bill Henry, chief executive of managed service provider Star Systems.
He pointed out that many discussions in companies of all sizes are spearheaded by the finance director because that person tends to be the most risk-aware.
Increasingly, the terms disaster recovery, business continuity and even data availability are becoming interchangeable. Noel Carey, business continuity and recovery consultant for IBM Services, said an even more useful concept for small firms is business resilience. It enables a company to think ahead about how to cope with massive and unforeseen demand for product, he said.
Apart from high-profile disasters, two other factors push owners to make plans for business continuity. First, the spread of e-commerce means fewer businesses work in a silo and there are more points at which they connect to customers and suppliers over the internet.
This lengthening of the digital supply chain is bringing pressure to bear on small businesses to prove they have adequate contingency plans.
Second, trading regulations such as the US Sarbanes-Oxley Act and the UK's imminent Companies Act require firms to show they have good governance procedures. "Two years ago, most mid-sized companies viewed business continuity as a 'big business' problem," said Henry. "There has been a change in perspective and that has been driven by governance."
Whether you call it disaster recovery or business continuity, common principles underpin a sound strategy. Three elements - data, networks and people - figure in all disaster scenarios.
And while a business with 50 people or fewer may struggle to afford the solutions that are at the disposal of bigger companies, it is possible to take simple, practical steps to safeguard these elements.
First, get a decent plan in place and work out which applications are critical to the survival of the business. It is usually feasible to do without HR and payroll for up to two weeks, for example. An audit by a consultant to identify risk may be money well spent if it is matched with appropriate investment.
"The aim is not to spend too much money on disaster recovery but not to spend too little either," said Rob Thomson, director of SunGard Availability Services.
A third-party opinion may also avert the common mistake of focusing exclusively on data. As Evolution Security Systems' technical director, Peter Jackson, pointed out, "It is all very well having data backed up or having a spare server ready to go, but what if the building or people are not there?"
Nonetheless, most experts agree that data is a good starting point and is also the most straightforward part of the plan. "Essentially, disaster recovery boils down to back-up and it can cost relatively little," said Jackson.
Making sure data is backed up and a copy kept offsite - usually on tape - is the equivalent of reaching first base in data availability. And the good news is that it need not cost more than a few hundred pounds.
Beyond basic back-up, there are methods of ensuring that data can be processed and accessed by staff that come in rising levels of sophistication - and cost. At the top end is the "hot site", a fully replicated configuration of computers plus office space for staff to move into. A more modest variation might be a "ship to site" where a replica server is kept in an airtight case and transported to the client's alternative office.
The people aspect is the hardest to plan for, and no one has really cracked the problem of what to do if you lose critical staff. Planning where to put people if an office disappears is an easier task, and smaller companies may have the advantage here because they can relocate to someone's house if push comes to shove. Thomson suggests it might even be possible to have a reciprocal arrangement with another company in another location to accommodate one another in the short term.
The network part of the contingency plan has traditionally been the most challenging and the preserve of large, well-heeled companies. As Thomson acknowledged, "Maintaining a fully redundant network is prohibitively expensive for any size of business. The advantage of using disaster-recovery specialists with datacentres is that they have multiple access points from multiple telecoms carriers. It is possible to rig up lines and capacity to fit most situations."
But the advent of affordable networking technologies that make remote access possible may encourage smaller businesses to opt for DIY disaster recovery. Many homes, for example, are wired with broadband and may be able to provide temporary network capacity. Small businesses have also been quick off the mark to adopt voice over IP. The driver may be cost saving, but the flexibility to plug an IP phone into any computer on the network has not passed them by.
But David Beesley, director of consultancy Network Defence, cautioned IT-savvy companies not to think they can improvise. "Yes, distributed technology makes elements of DIY disaster recovery easier," he said, but pointed out that IT configurations are getting more complex all the time. "Even though you can now extend the office phone to someone's house, all the core data and systems are still at the centre at the end of a virtual private network tunnel."
In some crises, remote access may be sufficient. Beesley cited the example of a legal firm in Birmingham that could not enter its city-centre offices because of a bomb scare. However, because the power was still on and the applications were still running, key staff could continue working from home, even though the company's offices were cordoned off. On the other hand, Beesley described how a services company had to switch its central power off and was without key data for three days after a major incident.
It is hard to predict the timing and scale of any crisis, but the message from the experts is that small businesses must put aside some thinking time. Beesley said, "The starting point is data availability. It's the pillar of business continuity."
Case study: Building society's dedicated approach
"What happened with 9/11 prompted us to scrutinise how quickly we could get information back," said Neil Williams, assistant general manager at Market Harborough Building Society. The company therefore reviewed business continuity from an operational risk and IT perspective.
The main banking product used a dedicated data recovery server. The building society spent £40,000 on hardware, licensing and consultancy to get applications to a data recovery centre in a state that would fail-over should the office server fail.
Williams explained, "We were becoming increasingly dependent on other applications, including e-mail." In March 2003, the firm installed an e-mail archiving system to ensure every e-mail was stored for data protection purposes.
"E-mail was the weak link," said Williams. "All paper correspondence was scanned but e-mail retention was down to the individual."
The e-mail archiving system from Zantaz archives to its own data store and keeps an index in an SQL Server database. For the purposes of business continuity, when the e-mail is written to the data store, it is also mirrored, using Doubletake, to another server off-site.
Case study: Dacon is quick on its feet
"I got a call from the alarm company at 7.15am. They couldn't get hold of the police or fire brigade and so I set off up the M1. At Junction 10, there was a glow on the horizon." The words of Richard Hollinshead, IT services manager for contact centre equipment distributor Dacon, recall the start of a recovery operation from the Buncefield fire. His quick response enabled him to salvage three servers from Dacon's damaged offices before the fire brigade cordoned off access.
The swoop meant Hollinshead could plug the accounting, mail and file servers into his home broadband, which became the backbone of a makeshift office.
A main concern was keeping e-mail up and running. "It was easy to set up a VPN from the routers, and so 12 key personnel could securely log in and out of the new home network."
Dacon had an advantage - it sells call-centre telephony equipment. Hollinshead reconfigured a digital line extender to a number in Wales that took all incoming calls. "We had a limited telephony function, but crucially the sales and technical calls could continue," he said.
"I'm happy with the things we did and the way we responded. But it did make me think about back-up plans and putting things in place more seriously."
Look out for the SMB Handbook
You don't have to be the biggest of companies to get the best from IT. On 14 March Computer Weekly will publish a 36-page handbook showing how SMBs can use IT to transform the company.
The SMB Handbook will look at the latest IT products and services; how to get the best from your IT budgets; how to calculate total cost of ownership and return on investment; and how to get the best deal from external suppliers.
Find out how SMBs can level the playing field when competing with the larger companies as well as their peers. It's all in The SMB Handbook: the essential guide to IT for SMBs.
The SMBHandbook will be distributed free to selected readers with the 14 March edition of Computer Weekly.
It also be available for free download from 14 March to all visitors to: