12th November 2007
Six years on from the tragic events of 9/11, have business attitudes changed within financial institutions as to the way in which data is backed up and stored? Here Mark Dye, FSN's contributing editor, takes a look.
Last week, someone sat down and asked me whether I thought we'd really moved on from the dark days of 9/11 in terms of protecting our assets. It was a strange question really, as people often seem to generalise about this, seeing it as the focal point when businesses began to think long and hard about disaster recovery (DR) and business continuity planning (BCP).
While I do understand this, it's worth remembering that nature has dealt its fair share of cruel blows, too – Hurricane Katrina and the recent floods endured by businesses in the UK being two that spring to mind. In the US, weather-related business losses alone came in at US$15bn last year.
Even so, 9/11 still strikes a chord with people the world over and, for many, acted as the catalyst to change the way in which they backed up and stored their data.
But before most of us started focusing on terrorism, let's remember that there has always been a very real need for financial institutions (FIs) to mitigate downtime and other security-related worries. Let's not forget that back in 2001 many corporates were also already suffering other pressing issues at the hands of the first wave of large-scale malware outbreaks.
It's a rather obvious point, but the importance of sound business continuity planning should not be underestimated at any level. And while there has been a shift away from disaster recovery and a reactive approach towards BCP, it appears not all of us have moved with the times.
While a recent study by Datamonitor on behalf of Mitel, which took in 100 Senior IT Directors of 100 Financial Services firms, found that 85 percent of corporate banking firms were confident they have the necessary plans in place to continue to operate in the event of their normal working site being unavailable, things were a little less certain for others. Over a third confessed to not having any sort of plans whatsoever in the event of a major outage, while just under half of those surveyed said they were unsure how they would continue to operate should their usual place of work become unavailable.
It seems strange to hear of some companies in the financial services sector playing such a risky game, but is it surprising? Well, yes and no.
Ron Miller, managing consultant, SunGard Availability Services, believes that organisations are finally beginning to see that there are tangible benefits to having BCP in place, as the recent flooding in the UK testifies. "In a world where uncertainties seem to be growing it makes sense for organisations to undertake this sort of planning. A growing number are seeing that it makes sense," he says.
However, some are either sceptical or risk-takers as the results show. And those that are could be in for a rude awakening. The very real statistics show that 80 percent of businesses suffering a major disaster go out of business within three years, while 40 percent of businesses suffering critical IT failure go bust within 12 months.
"What 9/11 did," says Miller, "was bring home to many that their organisation is its people and without people you are finished."
For BC planners, this meant a greater concentration on dealing with people-related issues, particularly single or near-single points of failure amongst staff.
"It also made us look again at knowledge management within organisations as well as succession planning and a whole host of other resilience-related issues," adds Miller.
And as for the data, well, that needs protecting wherever it is, according to Nick Lowe, director of Northern Europe, Check Point. This means while at rest on servers, for example, but also whilst in transmission or on mobile devices, one area some smaller organisations can often forget.
"You have to protect at both levels," he says. "If you don't then those data assets are vulnerable."
Smart companies are realising that this isn't just about protecting a business and individuals, but something that can result in improved business efficiency, too, says Peter Bauer, CEO of Mimecast.
"For example, many of our customers who have deployed a web-based email security, archival and continuity solution have ticked the compliance, continuity and security boxes but have also managed to save costs in terms of hardware and software, and from a maintenance and resourcing standpoint," he adds.
So, does one size fit all? And is there a particular route businesses should be taking with all this?
Miller thinks enterprises need to be looking more closely at the type of data they have and just how quickly it is needed in the aftermath of disruption, both to systems and infrastructure.
"The problem," he says, "is many organisations just don't know what they have, where it sits and when it might be needed and as storage gets cheaper and the requirement for storage gets greater this problem is simply going to get worse."
This means putting long-term strategies in place for data retention and having the appropriate technical infrastructure in place to respond effectively to disruptions wherever and whatever they are.
"As a CIO I'd want to put together a 'pick and mix' approach for data storage, backup and restoration, and if you don't have the expertise to manage that data and bring it all back when you need it, get some help from a DR service provider," says Miller. "Test on a regular basis to ensure you have adequate resilience in your infrastructure, staff and plans."
This doesn't mean spending the earth on new software and hardware being pushed by vendors either. Miller believes that, as long as the problem is approached holistically, a piecemeal approach can still work in terms of the technology solutions needed.
"After all, it's pointless spending money and resources to bring back data and applications within 2 hours if you don't need them for a couple of weeks," he says.
Techniques such as virtualisation can save you money here and mean that low-priority applications 'piggy-back' on critical ones when recovered.
"But for smaller organisations, work out what matters first then concentrate on putting the most appropriate recovery solution in place for those critical systems," adds Miller. "You could end up with a range of solutions in place which cover the continuity continuum from high availability to quick-ship servers - the LAN in a van."
Nigel Adcock, a consultant at international risk specialist DNV IT Global Services – which advises across government and large enterprises on risk management – accepts that a piecemeal approach might be favoured by IT directors managing tight budgets but says this route carries significant business risk.
"Disaster recovery planning relies on joined-up process; miss a process out or get the interface between consecutive processes wrong and the overall solution could be destined to fail," he says.
Not having the correct procedures in place can cost you dearly, both in the financial sense and in terms of reputation. And once customers begin to lose confidence in a brand the real problems can also set in, as Northern Rock knows all too well right now.
"Business continuity planning has to be approached top-down and in a series of successive 'layers,'" says Adcock. As one moves down through the layers, more and more detail is added – until one reaches the point that there is sufficient detail for staff to understand and follow the plan in the event of an emergency.
"The challenge naturally is having a proactive risk management policy that balances the value of the asset and the associated risk of not protecting it and then puts in place a risk management strategy based on these criteria," says Bauer.
As Mark O'Dell, director of operations and business continuity at Connect, testifies, the trend is moving towards 'live' business continuity and disaster recovery solutions that are provided as a service.
This, he says, means that rather than buying redundant equipment, companies are subscribing to a hosted service that takes snapshots of their data or even whole servers to a data centre. In the event of a system failure, users can simply connect to the data centre and access data, without the need to source servers and restore from tapes.
"All but the largest organisations are moving away from paying for standby offices; if the data is online then key users can simply go home and connect over the Internet with a secure connection," he adds.
It's clear there is no 'one size fits all' solution for businesses and that, given the plethora of options out there, this can all seem a bit daunting and something of a minefield at times. However, BCP is shirked at your peril. Yes, it may require a heavy commitment of funds and resources upfront at times, but as those who have suffered outages will testify, better to be safe than sorry. In the long run the benefits far outweigh the initial investment made.