In-Depth

Q&A: Natural Disasters Drive Renewed Focus on Backup/Recovery Plans

Best practices for creating your disaster recovery plans

• By Mathew Schwartz
• 11/08/2005

With hurricanes Katrina, Rita, and Wilma in the United States, not to mention earthquakes abroad, it’s been a banner few months for natural disasters. No surprise many businesses are wondering if their disaster recovery plans are good enough—or if they even have one.

To discuss the need for disaster-recovery plans—to counter both information-security attacks and natural disasters—plus best practices for creating them, we talk with Christopher Faulkner, CEO of Dallas-based C I Host, a Web hosting and data center management company.

What’s the state of disaster recovery planning today, especially following the recent spate of hurricanes and other natural disasters?

Five years ago, disaster recovery was just for the Fortune 1000, but now small and medium businesses are starting to take notice of it.

When did that shift occur?

Post-9/11 we saw some of it occur especially with small business owners. … Not to make profit off tragedy, but people start thinking, "It could be me involved." Mother Nature seems to be picking up speed on us, and when you couple that with cyber-terrorism threats, viruses, and worms that you read about in the newspaper all the time … [it’s not surprising that] just in the last 12 months, we’re seeing a large increase in requests for offsite storage.

To what extent do companies today back up or use offsite storage?

From my traveling and talking to audiences and small businesses, I’d say less than a third of businesses have a backup process in place today, and I’d say out of that third, more than half of them [use] a local backup mechanism that’s in the same premises as the original computer. And I’d say two-thirds of small business owners do not have backups in place, or have an untested solution, meaning they’ve backed up for a year straight, and never tested the restore.

Why don’t more businesses—especially small businesses—back up?

It’s not because of cost I don’t think, because technology has gotten so cheap. … A lot of business owners aren’t educated about what is available to them. And there’s a lot of that … head-in-the-sand [mentality]. They don’t think it will happen to them, though that is changing.

[B]usiness owners are really focused on getting new customers, and most of [them] have roving IT guys who come in once a week or month, and these small business owners don’t pay attention to these small details, and it’s the small details that can put you out of business. …

Can businesses without a disaster recovery plan recover?

A lot of times … people who are involved in disasters don’t even know where to start, because … when you’re in a major catastrophe, you don’t even remember your name, never mind your checking-account number or contact information for all of your customers.

There are a few people who get wiped out and come back, but 90 percent of the companies that suffer massive data losses and aren’t back up in 10 days, they go out of business.

What should organizations focus on when writing a disaster recovery plan?

The first point is, people first. In any kind of disaster, your first effort should be focusing on them [and their safety]. …

Second, locate [your employees] and let them know what’s going on, because having five heads is better than one.

Third, distance matters: put your backup storage center far enough away from the primary center to ensure continuity during a major hurricane, storm, or earthquake.

Fourth, prioritize your business. Focus on your information and data systems that matter the most: customer records, employee records, tax databases, billing databases, vendor accounts payable. Prioritize which information matters the most … then make sure all that data is backed up safely, because having data and being destroyed, versus not having data and being destroyed, is the difference between your business surviving or not.

Finally, expect the unexpected. Be prepared that everything is not going to fall cleanly into place. For example, a lot of companies, after Katrina hit New Orleans, said they’re never going to return to New Orleans. But the main thing is at least you have your data, your people, and you’ve prioritized what you need and when you need it, and that’s key to coming back after a disaster hits.

What do you say to business owners who don’t think it can happen to them?

[Sometimes] you just don’t see disasters coming. One example is the Witty worm, which was a zero-day attack … and it infiltrated computers running BlackICE. … It hit the computer, scanned every drive letter, and erased hard drives, starting with drive letter A and running to the letter Z. So people who backed up to a hard drive said, "What are the odds that something will wipe out both drives?" But Witty came through and erased both of the drives at the same time. So people realized that with Witty, they should have backed up differently.

Should they should have used offsite storage?

You don’t have to have offsite storage, just keep a copy at your home.

Beyond data backup, is there a trend toward reserving backup office space?

What I’m starting to see is shared, offsite office space—basically an insurance policy that they’ll guarantee you 20 office seats at one time, and they’re betting that not everyone with a policy will need the whole pool of seats at once.

Couldn’t telecommuting obviate the need for backup office space?

Offsite office space isn’t required if you can just go home and make calls, but it is if you have a call center. If you have 50 order-takers in there, [consider getting] a contract with an Indian outsourcing policy. It’s cheap because they can bill you for $500 or $1,000 per month as a basic service fee, then if you get wiped out, you forward the calls to the Indian call center. …

In a catastrophe, revenue is crucial to getting up and running again, and recovering from a disaster is not cheap. I was reading in the paper that insurance companies, after Katrina, [will take] 12-18 months before they cut checks for everybody, for the damages done.

So outsourcing can be a useful part of a backup strategy?

I like the Indian outsourcing thing only as an emergency, last-ditch effort. I’m not a big proponent of outsourcing anything where you can’t control the customer service levels or can’t control your brand. … But it makes a lot of sense in disaster recovery: it’s a stopgap, they can focus on doing business while you get the store rebuilt … and it’s very economical.

Related Articles:

Regulations Driving E-mail, IM Backup and Recovery
http://www.esj.com/news/article.aspx?EditorialsID=1545

Giving Users Control of E-mail Archiving for Compliance
http://esj.com/Security/article.aspx?EditorialsID=1473