Nearly two years after the September 11 attacks, many organisations remain woefully unprepared to quickly recover their IT systems and key business processes in the event of a disaster.
While interest in disaster-recovery systems peaked in the immediately after the terrorist siege, IT managers acknowledge they have yet to follow through on many of their intentions. A lack of funds has been a big reason, but other factors include miscommunication between IT executives and other top executives, and the realisation by some companies that their basic IT infrastructures needed shoring up first.
"Since 9/11, we have built in replication services, but don't have an off-site location yet to replicate data to," says Rich Banta, senior enterprise systems engineer for St. Vincent Hospital and Health Services in Indianapolis, which backs up data onsite and stores tapes at another one. "We plan to do mirroring over fiber-optic (cables) in the next six months, although it's not cheap," he says, adding it would cost of at least $US2000 a month per mile.
Maimonides Medical Centre in New York also cited financial issues for stalling its advanced data replication ambitions.
"After 9/11, the government made available (Federal Emergency Management Agency) money for hot sites," says Mark Moroses, senior director of technical services and security officer at the healthcare organisation. "Then New York state (government took all the money back) and the governor reallocated it to the Port Authority, which hurt us. . . .We still rely on a warm site at Comdisco that can be brought up in 12 hours."
According to a recent Gartner survey, one in three US businesses would lose critical data or operational capabilities if struck by a disaster. Only one in five companies has hot sites where people can connect with their most important applications, according to a recent Harris Poll of 52 Fortune 1000 company executives.
"The flurry of activity and interest in disaster-recovery services didn't translate into a lot of people necessarily doing anything about it," says David Palermo, vice president of marketing for SunGard Availability Services, a company with a big stake in the business-continuity market. IDC estimates that the business-continuity was a $27.5 billion market in 2002.
Starting from scratch
Many companies just haven't been in a position to roll out a disaster-recovery plans.
"Businesses needed to clean up some of the basics before they even started to worry about disaster recovery," says George Symons, CTO of storage management vendor Legato System, which is in the process of being acquired by EMC. "They couldn't even recover data locally, so they needed to get that working before they started transitioning to other forms of disaster recovery."
Companies also have needed to prioritize which applications and systems need to be brought back first in a disaster scenario, Symons says.
"They need to understand the order in which they bring things back, because they can't support all applications on the same level," he says.
David Bratt, technology architect for H Lee Moffitt Cancer Centre in Tampa, Florida, agrees.
"There are obviously certain systems such as our Lawson ERP, email and Cerner healthcare information technology system that have different urgencies than others," he says.
Recovering applications from tapes stored offsite are among Bratt's plans in the event of an emergency. Replication technology and hot sites, he says, have been put off for another year.
Also holding back disaster-recovery implementation is an apparent disconnect between what CEOs and other chief executives think is in place and what IT managers actually have installed.
"The business executive is unrealistically optimistic of how quickly they can recover," SunGard's Palermo says.
"Pre-9/11, CEOs universally thought they were protected, and the CIOs knew they weren't," Legato's Symons says. "Post-9/11, there was a tremendous amount of talk about how 'we're going to jump on disaster recovery,' and 'budgets are not an issue.' Then, reality started to set in."
In the Harris Poll, for instance, CEOs and other executives said their applications and data could be recovered in 10 hours in the event of a loss. IT managers though, say it would take as long as 30 hours.
"That's a 20-hour difference in perception," Symons says. "In that 20 hours if a customer is losing $400,000 an hour, that's not a minimal difference."
Among the biggest shortcomings in existing disaster-recovery plans, experts say, is that they are too focused on systems and not enough on the people who would use those systems.
"What really came out on September 11 was that people were virtually ignored," Palermo says. "I don't think the major brokerages lost much data, because it was all sitting in New Jersey. But for people who needed (that data) to do their jobs and couldn't get to (it), (disaster planning) was a bust."
Ken Walters, senior IS director for the Public Broadcasting Service in Alexandria, Virginia, also says people can be overlooked.
"You spend a lot of time to get your systems up in a couple of days and you've called a party, but no one shows up," says Walters, whose organisation restores data from tape kept offsite by IBM, but does not have a hot site or remote replication in place. "We need to worry about all the staff here — (how to provide) telephones, coffee pots, desktop computers, things like that," he adds.
Oftentimes, a company's employees are untrained on what to do, even if there is a disaster-recovery plan in place.
"How machines are maintained and how people are going to get access to them is what hit us in the face," H Lee Moffitt's Bratt says.
Senior Editor Jennifer Mears contributed to this story.