In-Depth

Two Near-Disasters Highlight Backup/Recovery Deficiencies

During a regional disaster, a large company will quickly discover that the damage to small firms in the area can dramatically reduce its own recovery

Last week, I took a whirlwind tour to Southern California, site of a recent 5.4 magnitude earthquake, and to southern Texas, just visited by a Category 1 hurricane. Truth be told, the travel arrangements were made well before these events, part of a disaster awareness campaign mounted by Office Depot.

Nobody knew what was coming in these areas, certainly no one at Office Depot, which asked for my help to increase awareness of the need for advance disaster preparedness, particularly among small businesses. This is the third year that we have worked together on the campaign, which, in some ways, is more important than spreading the gospel of continuity planning to large enterprises.

Small and mid-size businesses account for the bulk of the economy and employment in virtually every city and town in this country. While the mainstream press tends to seek out stories about the impact of a hurricane, power outage, or other event on Fortune 500 firms, the smaller firms are typically hit hardest. This reflects, in part, the far-flung operations of large firms, helping to insulate them from some geographical disasters. In addition, large firms confront legal and regulatory requirements that compel them to protect their information assets: think HIPAA in health care or Sarbanes-Oxley and SEC rules in publicly traded companies or numerous FFIEC and Comptroller rules in finance.

Large firms understand the need for business continuity, and most -- about 70 percent in the last survey I read -- take the requirements seriously. This doesn't mean, however, that large companies are actually building continuity capabilities. Most are "reviewing plans" or are "still in the design phase" -- whatever will hold off the auditors for another year. Fewer than 50 percent of large companies actually test their plans, which is about the same as having no plans at all.

In the SMB space, the situation is much worse. According to Office Depot's survey of 5,000 small businesses conducted March 26-April 3, 2008, 4 in 10 said that they had no preparations in place for any sort of disaster. Close to one in five (18 percent) do not back up data at all. Just over half (52 percent) claim to burn important files on a removable media device (e.g. DVD-R, CD-R discs, tapes, removable disk drives, external hard drives, etc.) in order to keep data secure, and only 11 percent keep copies of this data at an off-site location.

Asked why they weren't making plans, small business owners offered explanations ranging from concerns about cost and complexity to a sense of futility. Apparently, CNN's 24x7 wall-to-wall widescreen replays of disaster events have had a chilling impact on planning activity, especially among smaller businesses. Too many business owners have come to the conclusion that regardless of measures they might take to prepare for a disaster, the impact would be so devastating that plans would not work to recover the business.

The statistics showed that there was greater disaster preparedness activity among business owners in the Gulf States and along the Eastern seaboard, where hurricanes are a fact of life. By contrast, small business owners in Southern California, despite their frequent visitation by wildfires and earthquakes, show less interest in pre-planning than their Eastern peers. Just over half (58 percent) of the business owners surveyed in Southern California report being prepared for a disaster, while more than two-thirds of east coasters say they are taking steps.

The truth is that the path to small business resiliency is simple and affordable in most cases. It boils down to two points: protect your people and protect your data. To protect people, businesses need to have predefined evacuation plans and a pre-established plan for staying in touch with employees during an emergency. The latter can consist of a contact list with many (at least five) ways to connect with the employee, both to find out what needs the employee might have and to coordinate his or her reentry into the workplace.

Protecting data is another key ingredient of recovery. There are myriad ways to achieve this goal. In many cases, all of the mission-critical data for a smaller firm will fit neatly on a CD or DVD. Think about it: a one dollar piece of media could be what stands between a disaster and full recovery.

For small businesses with more data, solutions are priced from $50 for an 8GB USB memory stick to $160 for an external USB hard disk (made by Maxtor and others, with a button that can be pressed to copy the contents of an entire server or PC disk drive) to a $300-per-year subscription to an online service that will do your change data copies for you during off hours. All of these approaches share something in common: the data is portable and accessible using commodity hardware wherever and whenever the business reopens its doors.

Some companies may want to consider replacing their desktop systems with more rugged laptops -- in an emergency, you can just unplug the system and go.

Small businesses (and branch offices of larger businesses) tend to use commodity gear, reducing the challenge involved in replacing hardware infrastructure. CDW has a nifty program that allows its customers to store images of their systems and lists of the hardware they would need in a hurry if the building burns down. Just call them and ask them to apply the system images to the gear on the list, and the entire office infrastructure can be drop-shipped in 24 hours.

Restoring a network can be a bit more problematic, but most SMBs rely primarily on the Internet and not on the private-line networks used by their larger cousins. This also bodes well for rapid recovery of the smaller business.

I'm not minimizing the effort or challenge involved in recovering a smaller firm from the upheaval that usually accompanies a disaster. Advance planning, and getting people and data out of harm's way, will usually contribute significantly to the business' ability to recover in a timely way. Without such advance preparation, recovery is likely impossible.

Given that this is an enterprise storage column, discussing the needs of smaller firms may seem to be a tangent. In fact, it isn't. Most large firms depend on the small ones more than they suspect.

During a regional disaster, the large company will quickly discover that the damage to small firms in the neighborhood can dramatically reduce its own recovery. In a regional disaster, everything from the local gas stations to the fast food restaurants to the ATMs in the convenience store to laundry and dry cleaning services is also impacted. This has consequences for worker productivity, outlook, and hygiene. In a disaster, the little guy is just as important as the big guy.

Why not ask the managers at the stores and shops you frequent what they are doing about data protection? Offering to help them to work out the details of a simple and affordable data protection strategy might get you a free cup of coffee, and ensure that the coffee is still available when you need it if an earthquake, hurricane, or other regional disaster befalls your neighborhood. If you want a few suggestions about possible approaches, feel free to download a guide I helped write at http://www.officedepot.com/getprepared.

You won't find any recommendations in this guide pertaining to virtualization, de-duplication, VTLs, continuous data protection, or any of the other panaceas for data protection that are currently being served up to larger firms. Chances are good that the smaller firm doesn't need anything that complicated. However, you will find many common-sense strategies that, if you are like me, will take you back to your roots -- when computing was fun.

Your comments are welcome: jtoigo@toigopartners.com.
