Events like 9/11 and Hurricane Katrina have brought disaster to ITs doorstep. But many companies are still applying old strategies to new disaster scenarios.
Here's a tricky question: Could your company operate during a flu pandemic?
Nearly 3,000 financial services organizations tested their answers to that question with a disaster drill last September. The exercise showed that the financial sector could continue to operate during a pandemic, but it also revealed stress points throughout the industry. For instance, many recovery plans laid the groundwork for employees to telecommute - a smart move in a scenario that could leave thousands homebound - but the existing infrastructure couldn't handle the increased traffic.
"When you have [so many more] people working from home, the Internet is going to slow to a crawl, and that's if it's even recoverable in all parts of the country," says Nick Benvenuto, managing director and global head of business continuity at Protiviti Inc., a risk management consulting firm in Menlo Park, Calif.
That drill highlights the status of many companies vis-a-vis disaster recovery: They have disaster plans, but those plans aren't adequately designed to handle an actual event.
Instead, many business executives, including top IT managers, are relying on old procedures and technologies that might work for small-scale, brief disasters - a regional power outage, for example - but would fall woefully short during a catastrophe like another major hurricane or terrorist attack.
Moreover, many companies can't claim to have real confidence in their disaster recovery plans, either, because they fail to test and update those plans often enough to guarantee that their procedures and technologies are keeping pace with business changes and growth.
In a 2007 report from Cambridge, Mass.-based Forrester Research Inc., only 33% of 124 data center decision-makers surveyed said they believe they're very prepared to recover their data centers in the event of a failure or disaster. Meanwhile, 37% said they were prepared, 27% said they were somewhat prepared, and 3% admitted that they weren't prepared.
However, there are leaders out there. In particular, organizations that have survived recent, massive disasters have internalized their hard-earned lessons in recovery and are now better prepared for what might come next.
Gaining attention
And the news isn't all bad. Experts say that although companies need to work harder on disaster recovery planning and testing, they're still doing better than they have in the past.
"If you went back 10 years, things were far worse. There has been great improvement," says Jonathan Gossels, president and CEO of SystemExperts Corp., an IT compliance and network security consulting firm in Sudbury, Mass. "But not enough companies are doing enough."
Although preparedness varies greatly from industry to industry and from one company to the next, Gossels says there are several factors that contribute to an organization's failures in disaster recovery preparation.
"It's expensive, it falls below the priority line, and it doesn't generate revenue. It's seen as just an ongoing high cost. It's natural for companies to do as little as they can get away with," says Gossels. "It's human nature to expect that we'll see this area underfunded."
In a recent survey conducted by Gartner Inc., more than half the 359 participants from the U.S., Canada and the U.K. said they planned for natural disasters, power outages, fires, IT outages, computer virus attacks, and failures at key service providers. And 50% of the respondents said they planned for terrorist attacks.
But the survey also found that less than half have plans for dealing with labor strikes, civil unrest, denial-of-service attacks or pandemics. And only 45% have plans for long-term facility outages - that is, outages lasting more than a week. |
