Fire, flood, computer viruses, hackers, terrorism—when disaster strikes, it usually happens fast – Small business has a poor track record with disaster recovery and business continuity plans – Angus Kidman looks at how you can protect your business without spending a fortune in money and time.
Any business residing in a multi-storey building might worry about earthquakes and rampaging planes, but floods are not likely to be on the list of major disaster concerns. However, inbound travel management company, ATS Pacific, had to survive not just one flood last year, but two.
“You think about fire, but flooding is not something you really contemplate when you’re in a 10th-storey office,” says Tania Bessant, IT manager for the company.
The first disaster happened in August, when a routine check of the fire hydrants in the building unexpectedly flooded ATS Pacific’s central Sydney office early one afternoon. Everyone was quickly evacuated, and Bessant immediately rang the company’s IT support provider, Brennan IT, to ask for advice. Brennan advised her on how to safely shut down the company’s servers—fortunately the water hadn’t yet reached the server room. “We didn’t have any damage to the servers or loss of data,” Bessant says.
Then when she was on holidays in October, overnight the building flooded a second time. Staff arriving early in the morning faced an office again filled with water. “Fortunately, it was isolated on one side of the building,” says Nicole Lewis, systems co-ordinator. Many PCs, which had been sitting on the floor during the previous flood, had also been permanently moved to higher ground. However, the threat did appear more immediate. “The water was encroaching on the server room door,” says Lewis.
Lewis again contacted Brennan IT, who suggested the servers could be relocated to their own server laboratory until the office was fit to be reoccupied. ATS Pacific’s general manager was keen, mindful of the previous disaster, and when staff were granted access to the building by emergency workers at 10am, they began shifting machines into Brennan’s offices. By 3pm that afternoon, the systems were up and running as normal, with staff able to connect to key applications remotely.
While ATS Pacific may seem unlucky, having a well-developed backup and recovery plan meant it survived incidents that could have derailed many businesses. Having confidence in, and flexibility from, its external IT provider was also a huge help. “It’s always nice to know you’ve got someone to fall back on when things go terribly wrong,” says Bessant.
Unfortunately, that kind of experience is the exception rather than the rule in the small and medium business world. “There is not enough attention paid to business protection within the small business market,” says Matt Lovegrove, Brennan IT’s general manager for sales and marketing. “Often it’s because of a misconception that it is too expensive or too hard to implement.”
According to Forrester Research, while disaster recovery is often a major factor in budget planning at large enterprises, it is rarely on the radar for small business. “Traditionally it has only been larger companies that have thought about protecting their data or information, primarily because of the cost and complexity,” says Jordan Reizes, marketing director for storage systems vendor EMC Australia and New Zealand.
Ensuring business continuity may also become an obligation, as well as a wise idea. “Information or data protection also has legal and regulatory compliance implications,” says Robin Johnson, product manager for Sun Microsystems. “For small Australian businesses, there is no clear guideline as to what businesses should and, more importantly, should not do when it comes to backup and archiving methods.”
Without such legal impetus, progress has been slow. “Most small to medium businesses—with their restricted IT budgets and time—simply don’t have a robust backup plan,” says Guy Riddle, who manages the Sydney operations of CBL Data Recovery, which specialises in recovering data from failed PC hard drives.
“As more and more businesses rely on data, losing it is a big risk,” says Reizes. “This makes reliable backup, recovery and information protection essential, regardless of the size of the business. Today, when you talk to most small businesses they have a story about losing some critical piece of information.”
Electronic Attack
As well as physical threats such as floods, businesses need to contemplate potential damage from malicious attacks such as viruses or targeted hacking. One survey by AusCERT in 2004 found half of all Australian businesses had been subject to some form of electronic attack.
Even with a plan in place, disasters are common. One client of Riddle’s backed up every system except one holding critical accounting data. Ironically, that was the one that failed.
The problem is understandable. “Traditionally, the IT manager in an SME hasn’t had the time or resources to ensure its information has the type of protection it needs. Many companies rely on backing up their servers as the primary way of protecting their information. The issue is that many servers are only backed up once a day, so companies risk losing at least a full day’s work if they have a problem.”
Even if you are organised enough to produce regular backups, other issues may arise. “One company had purchased and configured a high-end, expensive and full-featured library for the company’s system backups,” says Riddle. “Unfortunately, the backup library was placed right beside the primary system. When the primary system got fried, so did the backup library. Another company suffered a serious disk failure, only to discover that its automated backup hadn’t been running for 14 months. A tape had jammed in the drive but no one had noticed.
“Ironically, the biggest enemy of regular, properly executed backups is the reliability and efficiency of today’s IT systems,” Riddle argues. “Their dependability means restoring data is rarely necessary; seldom used systems often fall into decay and this is where the real danger lies.”
While technology is critical, it isn’t the be-all and end-all for business continuity. “Small businesses obviously need the technological capability for disaster recovery, either in-house or remotely, but more important in a small business environment are procedures and staff training to ensure adequate use and testing of technology,” Riddle says. “The majority of data failures arise from human error and this includes errors in reinstating data from the backup.”
“A disciplined process needs to be put in place to ensure that the media is changed regularly and that trial restores occur regularly,” Lovegrove advises. “There is no point backing up the data and leaving the media on the premises, as many companies do.”
One useful development in recent years has been the growth in managed services, which allow smaller companies to implement backup and recovery systems without having to make extensive investments in hardware or employing full-time IT personnel. Such systems use the internet to connect business computers to an external provider, providing effective access to systems that might otherwise be unaffordable. It’s worthwhile to look for services that charge by the month, as this can be more efficient for accounting purposes and also allows you to easily switch or upgrade services as your needs change.
“Small businesses don’t have to go from nothing to a Ferrari plan overnight, there are various stages and each provide a certain level of protection,” says Lovegrove. Even basic backup via
a broadband connection to an external provider is a considerable improvement on what most businesses currently use.
“With the advances in technology over the last few years, it has become less complex and expensive to protect important information,” says Reizes. “Also, companies can leverage backup, disaster recovery and PC backup managed services so they don’t have to invest in their own infrastructure. This means that just about every business can afford to start to protect their information.”
Beyond I.T
As well as having backup systems and procedures, continuity or business interruption insurance is a critical consideration for any business. You might be able to access backups of your critical data, but if you haven’t got an office to operate from, or your critical suppliers can’t reach you, that’s not going to help much.
In a summary of non-IT issues which businesses should consider and insure against in the wake of Hurricane Katrina, Forrester identified the following key issues:
• Focus on site selection—if you knowingly set up in a flood-prone area, you need to take precautions. Understand the challenges posed by your local area.
• Understand your dependencies on public infrastructure and physical distribution channels. If you rely on Australia Post, couriers or regular delivery trucks, regular service may take some time to resume.
• Don’t rely on mobile phones. While the network itself will often survive disaster, the surge in demand may mean you only get intermittent signals.
Don’t know where to start? Learn from the experience of a small business owner on Wall Street during ‘September 11’. Thanks to a contingency plan, she was able to survive the months of interruption to the business, without being adversely affected—unlike the majority of other businesses in her building, which went out of business in the months following the attack.
In their book Contingency Planning and Disaster Recovery: A Small Business Guide, Donna Childs and Stefan Dietrich explain how to prepare, respond and recover when disaster strikes, as well as sample solutions showing how SMEs can get through disaster periods.
Available through www.amazon.com (US$46.92*).
Price correct as of March 2006