September 11 concentrated the minds of many on the challenges of security and disaster recovery. But rather than terrorism, New Zealand firms face threats from fires, floods and earthquakes. The principles are essentially the same. Darren Greenwood looks at local disaster recovery and business continuity planning options, and asks what New Zealand organisations are doing about it.
These include a complete loss of power or telecommunications for extended periods, volcanic eruptions (Auckland has a clutch of volcanic cones, whose frequency and magnitude of eruptions seems to be increasing with time — see Auckland Regional Council's website), earthquakes (Wellington being particularly at risk), tsunami (apparently we’re overdue for this once-in-a-thousand-years event), increasingly variable weather, physical terrorism and strikes, he says.
IBM business continuity recovery services manager Andrew Stevens-Clark notes that a disaster need not be a large-scale catastrophe. They could include everyday incidents like burst water pipes, a fire in a fuse box, a burglary or vandalism.
“All can be extremely disruptive if an organisation does not have a plan for dealing with them and is not able to cope efficiently with the after-effects and resume normal service as soon as possible,” says Stevens-Clark.
Brian Eardley-Wilmot, of Auckland-based Computer Forensics, whose company offers a dedicated data recovery service, naturally believes firms are more at risk from data loss than any other disaster.
“This is because all components of an enterprise’s network are constantly exposed to a variety of disaster-causing situations including accidental or deliberate file deletion, disk formatting, ghosting, OS installation, hard disk physical failure, disk index table corruption and the like.
“Whilst it is easy to imagine that the majority of organisations will suffer a loss of data over time — say five years — it is far less likely they will suffer from disasters such as flood and fire,” he says. Even so, firms should be prepared, as a firm being out of action for more than a few days faces risks of insolvency.
Computer Associates NZ marketing manager Andy Cooper cites a UK study after the IRA bombings in London’s financial district in 1992 and 1993, which found that more than half of those without adequate disaster recovery procedures ceased trading.
US data recovery firm OnTrack produces a whole list of worrying facts and figures on its website. It says one out of 500 data centres will have a severe disaster each year. It also predicts that 43% of businesses experiencing disasters will never re-open while 29% will close within two years.
“The bottom line is that disasters do and can happen,” says Cooper. “Businesses that are prepared will survive and will prosper; those that don’t probably won’t.”EDS’s US-based director of global enforcement programmes, William Bogart, says September 11 “expedited something that needed to happen”.
EDS says that whereas disaster recovery was previously considered a reactive, defensive policy, now it is more often regarded as proactive and called business continuity. Firms need the ability to work through any situation.
The IT services company, which operates many of New Zealand’s banking systems, has invited Bogart to speak in Auckland next week on the issue.
The real cost
EDS cites studies from IDC saying the worldwide market for information security services will more than triple from $US6.7 billion in 2000 to $US21 billion by 2005. The financial services sector will continue to represent the single largest source of information security services spending, growing from $848 million in 2002 to about $2.2 billion in 2005.
Gartner’s total cost of ownership model for information security says on average in the US, only 0.4% of a company’s revenue is dedicated to information security. By 2011, that figure will accelerate tenfold to 4%. By 2004, says Gartner, 80% of enterprises will be using the internet as an integral part of their business processes.
Half will experience a financially significant loss due to internet-borne incidents by that time.
The ILOVEYOU virus cost businesses about $US6.7 billion in the first five days, says Computereconomics.com, and in 2000 computer viruses caused $US17.1 billion in damage.
Consequently, says Bogart, organisations are looking hard at service providers and asking them how well they can assist in business continuity planning.
“Last year it was low cost, low price that mattered. The issue [now] is how we start mitigating [against disaster] within the resources you have and the expectations of your constituents.
Just as customers expect that emergency services or a bank ATM won’t be down for three days, the market will continue to demand more information as to how organisations view and review their recovery plans, Bogart says.
“Corporations that want to stay in business are going to have to have resources and give issue to their business continuity policy.”
Vital services: We're ready
What to do