When Mother Nature strikes, the effects can cripple the security of an organization's IT department. Such was the case at Jackson, Tenn.-based Aeneas Internet and Telephone on May 4, 2003--the night a tornado tore through the town and turned company headquarters into a rubbish pile. For a few hours, all of the customer records at the small ISP were vulnerable to theft, manipulation and piracy. Today, nearly four months later, CIO and Operations Manager Josh Hart reports that all of the data is secure.
CSO: Tell us what happened that day.
JOSH HART: We had been expecting the tornadoes for hours. My network administrator called me around 2 a.m. to tell me that everything was in shambles.
How did you secure the area?
We saw papers and pieces of our computers halfway down the street. There was no way to secure everything. We focused most of our energy on restoring service to our (10,000 Internet and 2,500 telephone) customers.
When was service restored?
We had everything running live again about 72 hours after the twister touched down.
When did you consider the data security?
Right away. We knew we had an electronic tape backup of all of our customer records. We found the tape on the fourth day after impact, but it was so waterlogged that we couldn't extract anything off it. Only after we obtained help from a third-party vendor (Minneapolis-based Kroll OnTrack) could we extract data, and even then, we got it off hard drives that we plucked from the mess.
This was the only copy of the database?
We had the database mirrored on a few other (hard) drives, but again, by the time we extracted this hardware, the site was crawling with Aeneas employees. There was no way anybody who didn't work for the company was walking off with anything.
How have you enhanced security to prepare for the next disaster?
We're scanning and electronically filing paperwork. We back these files every night and store them offsite, to prevent ourselves from getting into a similar situation of mission-critical data extraction down the road.
What advice do you have for companies building disaster recovery plans today?
Address the matter at hand, but don't let your guard down. Recovery is important, but it's important to remember that you should never compromise your security practices.