Secure business: The usual suspects

Disaster recovery needs to shift to focus more on everyday threats. John Kavanagh looks at how to ensure business continuity that will definitely work, at an acceptable price

Terrorist attacks and floods may hit the headlines, but IT managers see everyday things such as software maintenance and network failure as the most likely causes of business interruption.

This finding from research by disaster recovery systems specialist SteelEye Technology – which puts terrorism, natural disasters and denial-of-service attacks bottom of the list of concerns – is backed by many experts who see a need to balance the worst nightmares against the reality of day-to-day IT and business life. Indeed, some say focusing on everyday potential incidents can actually provide better recovery from major disasters.

Business continuity plans and stand-by sites, whether owned or part of a disaster recovery service from a specialist supplier, seem to be the norm these days: 73% of organisations questioned by SteelEye Technology have plans, and 87% of those have stand-by sites.

Almost 65% have automated data replication, and 36% have automated processing switch-over. About 45% have had to activate their plan after an unexpected incident.

But beyond this traditional disaster recovery approach, thinking is changing in line with new threats, new ways of working, and new technology.

On the technology front in particular, fast communication, data compression techniques and storage area networks mean that back-up datacentres can and should be many miles away from the main centre, experts say.

Yet the survey shows that 39% of European companies have their stand-by centre in the same city. Specialists point out that in these cases big incidents could affect both the main and back-up centres; in addition, staff might not be able to get to either centre if transport was hit.

This point was underlined by John Milne, head of business continuity at the Financial Services Authority, at the recent opening of a back-up centre in Romford, Essex, by ICM Computer Group to support City companies.

“Companies need to appreciate the risks inherent in having their disaster recovery centres too close – some in walking distance,” Milne said.

“In a disaster ranging from terrorism to something as straightforward as a gas leak, many locations could be affected. Companies should seek a continuity centre which is geographically separate.”

The business need for continuity preparations is certainly greater than ever, experts say.

“Today’s rigorous market conditions mean that the risk to customer confidence, brand value, market position and the financial implications of being kept from doing business for any period of time are too great to be ignored,” says Ian Bond, a consultant at Cisco Systems UK.

“In addition, there is now pressure from national and international regulators to reduce corporate risk exposure.”

Bond points out that terrorist attacks are rare, but adds that they need to be planned for nonetheless. Other threats, although out of the ordinary, also need to be considered.

“Hurricanes might be few and far between in the UK, but floods are less rare. Snow has been known to knock out power supplies and isolate urban areas; an epidemic could put an area into quarantine.

“Then there are digital threats: malware and even user error, plus denial-of-service attacks, can take servers, branches and even datacentres out of commission for indeterminate periods.”

Even more mundane threats are highlighted by Chris Gabriel, business continuity specialist at systems consultancy Logicalis – and he is one who questions traditional disaster recovery approaches.

“Organisations do need a duplicate datacentre, but many focus other spending on things that are not likely to be needed, and they do not look at everyday things that hit their continuity,” Gabriel says.

“For example government statistics show that 176 million working days were lost through sickness in 2004, but two-thirds of this was when people were not ill enough to go to the doctor but just felt unwell and not fit to commute – and they would have worked at home if they could.

“There are issues of transport strikes, severe weather and traffic congestion delaying people getting to work. Child sickness can keep parents at home.

“In the South East people increasingly cannot afford housing, and it is becoming increasingly expensive to drive and commute, so getting staff is becoming a business continuity issue there.

“We need a shift in thinking beyond floods and bombs. Very few datacentres have been destroyed by such incidents. Think instead about flexible working and remote working, for example: extend your network into people’s homes – and they might do an extra hour at home in the evening even on a normal day.

“Such thinking about the many minor interruptions makes sense for major disasters too. If your head office is in London and you keep an empty stand-by office in Swindon, do you expect staff to commute there every day during a disaster? If there is a bird flu epidemic the advice is to stop people congregating anyway. So an empty stand-by office is no stand-by against individual sickness, an epidemic, a transport strike or severe weather.

“One utility company told us recently that it spends £1m a year on business continuity – and £600,000 of that pays for an empty office 90 miles away. When we asked why they might ever use it, they could think of nothing apart from the head office blowing up, which they saw as highly unlikely.”

Many organisations are looking at flexible working without thinking about business continuity, and if they took a broader view they could get a better return, Gabriel says. “The human resources department is thinking about flexible working, and IT is spending on duplicate datacentres and empty offices.

“Maintain the spending on a duplicate datacentre, but review the empty office and look at spending on day-to-day operations – which will also support you in a crisis. Companies want business agility and business continuity, and these can be covered by the same investment, giving the best return.

“Companies are also interested in social responsibility, and in particular green issues. Flexible working supports this too, by cutting travel, office space and related emissions.

“IT can take a lead in all three of these business areas – agility, continuity and social responsibility – and get closer to the business at last.”

The emphasis on business in all this underlines the shift in thinking in disaster recovery, from IT stand-by to business continuity. The Gartner research group talks about business impact analysis as a first step in business continuity, and points to its wider benefits.

“Business impact analysis clarifies business expectations by identifying critical business and IT processes,” says Roberta Witty, co-author of a new Gartner report on the topic. “It establishes the cost of downtime and determines recovery time objectives.

“But it also delivers other benefits: it identifies interdependencies between business processes and technology, and helps improve day-to-day business processes and their resilience. It also takes senior management through a decision-making process they may not have been through before, which helps educate them about their business and its risks.”

Senior management needs to be involved for other reasons too, according to Gartner. Just as with IT projects generally, senior management support is key to achieving buy-in throughout the organisation.

“A common mistake is to invest in continuity as a one-off project. Business continuity is evolving. For example, as an organisation’s network of service providers grows it is essential that it evaluates its partners’ business continuity to ensure that any weaknesses in its supply chain are identified and mitigated,” says Floris van den Dool, head of the European security practice at consultancy Accenture.

Best practice guidance in business continuity planning is now emerging, in particular a British Standards Institution standard. The draft standard BS25999 has just been released for public comment.

It consists of a code of practice and a specification for business continuity management. It is intended to replace the widely used PAS56, a Publicly Available Specification developed through the British Standards Institution four years ago.

Some organisations also recommend using the IT Infrastructure Library, which covers continuity management in the service delivery section. In addition, the Business Continuity Institute, formed in 1994, has detailed professional guidance and standards for individual specialists.

Whatever approach companies take to business continuity, the SteelEye Technology survey underlines the need for action. When asked how long the most important services could be lost before the downtime became potentially fatal for the organisation, just under 30% said as little as four hours, another 17% said between four and eight hours and a further 24% gave themselves up to 24 hours.

This means the stark reality of failing to prepare for a disaster – whether a flood or some careless software maintenance – is that nearly 75% of companies could go out of business in less than a day.


The Buncefield blast: business continuity in action

After the huge Buncefield oil depot explosion near Hemel Hempstead last December, IT services company Steria had its headquarters so badly damaged that access was prohibited by the police for several days.
Yet by the end of the day of the explosion – a Sunday – the company, which has 400 staff at the site, was largely back up and running, and none of its critical business had been interrupted.

Steria’s business continuity plan had identified different priorities for different systems and services. Priorities were broken down by the hour for some, and by three hours, a day or a week or more for others. This meant managers knew what needed to be done in what order.

Steria encourages mobile working, so many staff were already equipped to work from home. Some staff without equipment were sent laptops overnight. Alternative office space was found for clerical staff.

Alternative IT meant Steria could keep important systems running and also keep staff updated via the company intranet and e-mail, plus the phone and SMS. Managers used a cascade system to filter information down.

Steria says its business continuity culture and service company ethos meant staff were willing to go beyond the call of duty. Some staff with broadband links at home set up makeshift offices for colleagues in their living room.


Basic questions to ask

  • If the worst happens, what business processes are critical?
  • What will be the cost of interruption for different processes?
  • How much data can you afford to lose, and how quickly must different IT services be restored: minutes, hours, days?
  • Does your continuity plan cater for these different demands?
  • What is the business and IT command chain? What if it is broken?
  • Which staff are vital and how will you contact them and keep in touch?
  • How will you communicate with customers?
  • Who are your suppliers and what are your dependencies on them?
  • If you are considering a stand-by service, how many subscribers are there? How many are in the same geographic area?
  • Are there other ways to do business?

Sources: Accenture, Gartner, ICM, Siemon
