There's never a right time to think about disaster recovery. After all, a disaster is never going to hit your business is it? Wrong.
Disasters come in many forms and can happen at any time. Following the Kobe earthquake in Japan, chip manufacturing almost came to a halt, which in turn was a contributing factor in the rash of chip thefts last year as memory became more valuable than gold. At the time, companies were tearing their hair out as burglars brought their businesses to a temporary halt. In one case, 400 PCs were hit at a bank which had no alarm facilities worth talking about in its offices.
In another case, an Inland Revenue office was similarly hit. And now the thieves' attention has shifted to the laptop. Dave Barrett, head of the computer risk team at loss adjusters Thomas Howell, says: "Computer theft is still a major problem and it often takes a major incident to sharpen the mind. We're still concerned about the lack of understanding surrounding the issues, when the unexpected strikes."
Association of British Insurers spokesman Malcolm Tarling agrees: "We estimate that computer theft alone costs British industry around u1 billion each year, but of that, only u300 million is insured. Our members are very concerned that industry is unaware of the variety of risks. We do what we can but it is an uphill struggle."
Virus attacks are a major threat to computer systems and while the damage they cause is not necessarily disastrous, major disruption is often a significant by-product of a successful attack. Estimates vary, though, as to the financial consequences. The Department of Trade & Industry's 1996 Information Security Breaches Survey, for example, regards virus attacks as the most common form of computer security breach, with the worst case costing around u100,000. According to Steve Bailey, director at Reflex Magnetics: "Latest figures from the DTI survey show costs to the industry averaging u14,460 for external incidents, with the highest cost at u50,000; internal incidents averaged u3,710, the highest cost being u8,000."
Bailey continues: "Virus attacks are not restricted to PC networks; they can be equally devastating in Unix environments. The problem arises because of advances being made in connecting different flavours of Unix."
Anti-virus toolmaker Sophos reckons the Word Concept virus is responsible for 15% of all attacks. Of far greater threat, though, are the new Excel spreadsheet viruses. Spreadsheets are an everyday part of financial planning and budgeting. Imagine the damage if your company's forecasts are wrecked by the highly destructive Wazzu virus. Wazzu randomly changes figures in columns, which could be disastrous in large spreadsheets, especially if you are making strategic decisions based on the results.
Then there's the idiot who sets fire to the waste paper bin with a cigarette butt, only to trigger the entire sprinkler system - yes, we know computers need a clean-up from time to time, but a full shower is not what's required.
Finally, there's the unthinkable - a terrorist bomb attack. Last year's Manchester bombing took out one of Royal Insurance's offices but, fortunately, the firm had a disaster recovery action plan in place which got the office up and running.
When a disaster strikes, thoughts often turn to the hardware and infrastructure, but that is only a fraction of the problem. It seems that many IT professionals don't appreciate the value of the stored information. Ontrack Data Recovery's business development manager Richard Keech says: "We frequently find that IT professionals don't have a clue as to the value of the information they work with, which can run into millions of pounds. On the other hand the finance director will tell you to the penny."
George Dundan, business development manager at Memory Technology, explains this apparent gulf between different professionals' perceptions: "For the most part, the commercial importance of IT is underestimated and undervalued," he says. "IT professionals are often out of the loop in commercial terms.
On the other hand, commercial people don't have responsibility for holding the data and are woefully lacking in training."
Until there's a highly visible incident, no-one cares. Independent anti-virus analyst Martin Overton believes the real question is the extent to which managers are interested in security.
The phenomenal growth in Internet use has highlighted the security issues surrounding the transmission of sensitive data across insecure phone lines, and convincing executives of the benefits of Email is invariably tinged with questions about corporate security.
Valerie Jenkins, senior security specialist at Midland Bank's national data centre, says: "As a major bank we are incredibly security conscious and while we have connections to the Internet, we've disabled the means to download files. We've caught a couple of viruses that came in from another building but fortunately it's a rare occurrence."
What UK plc understands is that while there are potential benefits in using Internet-related technologies, there are significant risks and a perception that data is exposed to a variety of threats. The old adage that "prevention is better than cure" holds especially true when disaster strikes.
Data recovery specialists are naturally coy about the precise methods they employ. However, many operate controlled environments so they can safely open hard disk casings. Hard disks are manufactured in near clinical conditions and exposing the platters to the air carries a significant risk of data loss.
Jacqui Hildreth, business development manager at Authentec, recalls an extraordinary story of a failed hard disk sent in from Finland. In the first instance, the disk was returned to the dealer by a client who couldn't diagnose the fault. In desperation, the dealer took a pair of scissors to the casing. "When we got the disk, we couldn't believe it. The disk looked as though a mouse had been at it. We presume the intention was to try and spin the platters by hand," says Hildreth.
She continues: "After a bit of a struggle, we got all the data back.
There was nothing wrong with the disk, it was a controller that had gone down."
One of the biggest risks comes from water damage, especially when sprinklers kick in after a fire has started. The recovery specialists wouldn't admit it directly but gave the distinct impression that in these circumstances hair dryers become an essential part of the recovery armoury.
Getting a disk back on-line only solves half the problem, though. Disaster recovery companies say that infrastructure damage can be equally problematic.
Barry Watts, European business development manager of computer rental company Livingston, says: "When the balloon goes up, recovery specialists have to get their clients up and running very quickly. The PCs and servers are easy to source, but the longest delays comes from fault-finding on the network. Most of us have sophisticated sniffer products to locate breaks so that in a major crisis we can usually get the core activities up in less than 24 hours."
The research for this article has thrown up a few surprisingly basic yet essential points. By and large, IT doesn't have the resources to manage risk or adequately handle disaster recovery; and commercial management outside IT doesn't appreciate the issues involved, although it does understand the value of data.
Another point to be made is that back up is a waste of time unless restore procedures work properly. Many companies make obvious mistakes when formulating backup policies and operate unworkable end-user security policies. And some firms don't even understand the everyday risks of macro viruses.
IT, as the custodian of corporate data, has both a duty and responsibility to do the following:
Recognise the value of data - if you don't know then find out.
Use plain common sense - it is surprisingly cost-effective.
Formulate a workable security policy that balances the costs and time involved against the value of the data which could be partially or completely lost in any disaster.
Always run back-up tape, checking to ensure it can be read back.
Always keep your back-up tapes off site.
Periodically check tapes to ensure they are tape-drive independent.
Periodically re-calibrate back-up devices.
Determine exactly how fault tolerant your RAID array really is. If you only have two drives and one goes down, the risk is magnified by 100%.
Educate users about the nature and potential destructive capabilities of the various viruses that exist.
Make sure you get management commitment and involvement in your risk management policies.
Disaster stories: could it be you?
The computing world is littered with stories of disasters but it is extraordinarily difficult to get users to go on the record about their problems. This is understandable because no-one wants to admit to error or failure. All the same, we heard a few good ones that are worth recounting:
The finance director of a well-known financial services company was completing the annual financial forecasts on his laptop. It must have been a fairly relaxed affair because at the time he was drifting down the Thames on his boat. For reasons that remain shrouded in mystery, the laptop jumped ship. After the frogmen managed to recover the machine from the murky depths, the FD plugged in the power supply to the still dripping kit and promptly blew it up. The data was totally destroyed and it is understood he suffered a severe career downsizing.
In another case, a laptop was stolen and some three months later fished out of a lake by an angler. Being a good citizen, he handed it into the local constabulary, which was able to identify its rightful owner. The company concerned realised they had a problem, didn't do anything rash and sent it to a data recovery company. Despite the extended bath, all the data was recovered.
Laptops are especially susceptible to damage because the TFT screens are fragile and casings often flimsy. On crowded tube trains, they make tempting seats and it is not unknown for the MD to back his Jag over one.
When this happens, the proverbial really hits the fan because no-one thinks the MD's laptop needs to be backed up. Neither do people think of removing the hard disk as a simple, yet obvious, security measure.
Then there are tales of those who thought they'd got a good security system in place, only to find it was misconceived. Johnstone Paints' IT realised that a paint factory was a potential fire hazard and, after consulting with the local fire brigade, determined that 48-hour fire protection was appropriate. The only way they could achieve this was to put tapes into a small fireproof safe, which in turn was inside a larger safe in the manner of a set of Russian dolls. What they failed to realise was that this arrangement was fundamentally flawed, because in the event of a fire, the safes were likely to fall through the floor and that, in any event, the fire department was unlikely to let them into the building for two weeks after a fire. The simple answer was to keep the tapes off site.
In an act of gross stupidity, the fire brigade gave the order to turn off the sprinkler system at a major fire involving Digital's Basingstoke office. As a result, the building was completely destroyed. Because of its loose clustering infrastructure and off-site backup, Digital was able to limp back to some semblance of operation within a very short period.
But, that didn't prevent its insurers from suing Hampshire County Council for u18.5 million. Digital's MD said: "800 staff were evacuated from our offices, equipment was destroyed and it took over two years for reinstatement." That case is still dragging on through the courts because the council wasn't insured for this kind of loss.
Finally, there's the case of the IT boss who watched nonchalantly as news came over the TV that a bomb had gone off in Docklands, right where his company had its offices. He was about to go on holiday but drew comfort from the fact he had a very secure fireproof safe. Imagine the panic when the phone rang and he was informed that no-one could gain access to the site for several days. He missed his holiday as the company tried in vain to get its data out of the ashes of the site.
Instapaper to 'go dark' in Europe until it can work out GDPR compliance
James Robbins of ArrowXL says that AI is no longer 'tomorrow's technology'
Staff told to beware of "unusual sounds" after an employee reported mystery symptoms
Sophisticated malware comprises code previously used to attack Ukraine