Online Exclusive

Disaster Preparation for the 21st Century Business

Business is all about managing risk, and risk management comes down to making solid business decisions to avoid and mitigate potential threats, including natural disasters. Successful planning to address catastrophic natural disasters almost always ensures successful preparation for more mundane ones. In this respect, natural disasters are a proxy. Chances are that your firm is not going to be swept away by a tsunami, hurricane or any other phenomena likely to attract international media attention. David Smith from Pepperdine University's School of Business and Management estimates that a shared file server is 23 times more likely to fail from hardware failure or some human error such as spilled coffee than a lightning strike or other natural disaster. Smith places the value of information lost this way in the billions for businesses in the United States. Regardless of relative probabilities, preparing to recover from a major natural disaster such as a flood will address many, if not all, of the steps necessary to recover from a more typical burst pipe. The key to mitigating the business impact of data loss is assessment and preparation.

If there is any constant in the world, it's Murphy's Law - if something can go wrong, it will -- and often at the most inopportune time. First, identify and understand where your firm is vulnerable, reduce that exposure as much as possible, and then plan from what you've learned. Preparing today for seemingly ridiculous and unexpected circumstances will equip your business to face the unknown disasters that might come your way tomorrow. Here are several practical steps you should take to protect your firm's data before it's too late.

Location, Location, Location
First, do some research to discover the inherent risks associated with your firm's location.

The perfect Class-A office space that you scouted for your firm is quickly becoming a sought-after business hub in your city. This new location should bring hundreds of clients to your firm, but it's located on a flood plain. Should you start looking elsewhere? Not necessarily. If you've assessed the risk and still think that the overall benefit outweighs the threat, then simply adjust things accordingly and take precautions like elevating your equipment and creating a flood line under which nothing can be placed. In an earthquake-prone region? Secure equipment racks to the walls and ensure that your building is reinforced.

Mother Nature
While these types of preventative measures will help to mitigate known risks, there will always be circumstances that are out of your control. Freak storms, floods and other natural disasters can occur and disappear in the blink of an eye, but can leave untold amounts of damage behind. Surprisingly, David Smith states that Mother Nature accounts for only three percent of all data loss - but the impact can be overwhelming. In his report entitled "Disaster Recovery Planning," Jon Toiga states that in his survey, 93 percent of companies that aren't able to recover their data within ten days of a disaster situation are not likely to survive.

This includes companies that sell tangible inventory to the public. For law firms and other businesses that trade almost exclusively in intellectual property without inventory, the impact of natural disasters can be much greater. That's why it's so important for attorneys to ensure that their valuable information is always accessible, regardless of whatever comes their way - and the best way to ensure that you meet that goal is to practice effective risk management.

Hi-Tech? High Risk
As writing pads give way to e-mail and electronic documents, chances are that you use a computer in your business. If your firm uses computers, you've already accepted a certain level of risk. Hard drive manufacturers sell drives labeled with a Mean Time Between Failures or MTBF, which denotes the average life span of normal usage before that model of hard drive is expected to fail. No matter how much or how little you may have spent on your office system, due to their nature as mechanical devices, the failure rate of every drive is ultimately going to be 100 percent. Plan for it, and the operations of your law firm will not be disrupted.

By connecting your computers to the Internet, you've also accepted the risk of hacking, viruses, identity theft, mal-ware, tracking cookies, spam, and other random acts of computer vandalism. Why, then, would an office willingly subject itself to these daunting threats? Because the Internet has become an essential business tool, and the boost in productivity and profitability is well worth the risk.

When working with a computer that is connected to the Internet, virtual networks (VLAN), firewalls and virus protection are good ways to protect yourself from threats. VLANs are a way of building a small maze for hackers to get through. They don't reduce the risk of hacking, but if you put your confidential data on the back VLAN, then it reduces the risk of someone getting all the way to that data. Firewalls and virus protection are also good solutions to hacking, and there are several proven, affordable software solutions, including a built-in Windows solution, easily available on the market.

Power Protection
Risk avoidance is the most common-sense approach of dealing with technology. You know that computer equipment breaks, often at the worst time. So how do you handle the situation? Always remember that computers are electrical equipment. Providing continuous, conditioned power and protecting your systems from surges is a way of lessening the risk associated with a power failure and loss of data. Power surge protectors are a very low-cost solution and could have huge returns on the investment. Uninterruptible power supply (UPS) systems are also very useful for small, price-sensitive firms. They are not the be-all, end-all solution if your power grid is down for days. Rather, they give you a small window of opportunity to power down your servers safely so that a power failure will not trigger data loss.

Centralize to Reduce Risk
But what do you do if your computer crashes despite all of the preventive measures you've taken? Rather than finding yourself banging your head on the keyboard when it happens, a better option is to prepare for this in advance. When it comes to computer equipment, there are several different, single points of failure that could have caused the whole system to fall apart - the video card, RAM, hard drive, CD drive, or any other single device can contribute to your computer's demise. Choosing to centralize your data storage can help to mitigate this risk by putting all of your information in one place. Operationally, this should increase efficiency and productivity through sharing finished and in-process work. Partners can leverage each other's data, and support staff can easily access prior works. Firms can either purchase a centralized repository or use a hosted solution where storage space is rented on a subscription basis.

Redundancy is Key
Due to the nature of digital data, risk mitigation is sometimes entirely about putting all of your eggs into one basket and then focusing on making sure that the basket is safe. You've now decreased the risk (but not the inevitability) of a computer crashing by transferring that risk to the possibility of your central storage system crashing. What if that system crashes?

The solution to this potential threat is by purchasing a hardware RAID (redundant array of inexpensive disks) system. In its simplest form, RAID is a process that takes your document and copies it to a second disk. By doing this, you're mitigating the risk of one hard disk failure by accepting the unlikely chance that two hard disks will fail within moments of each other. The best specialized storage hardware has several independent layers of redundancy that would have to fail before the whole device goes down. For instance, Sun's A5200 has redundant power supplies, fiber channel connections, and network connections. A whole cluster of failures would have to strike before an A5200 would go down and lose data. EMC, NetApp, IBM, Apple, and Sun all manufacture great (but expensive) hardware equipment designed to protect against typical, predictable failures.

Disperse the Risk
Another way to mitigate your risk can be done through geographic dispersion. Storing data in an offsite data center has helped numerous businesses bounce back relatively quickly from a localized disaster. Data centers are "disaster-hardened" complexes that have their own redundant electrical, communication, and power systems. They are climate-controlled, use Halon fire suppression systems, and are secured using biometric-controlled access and 24-hour security personnel. Although they too are susceptible to the most extreme natural disasters, these companies have helped to save numerous businesses where the damage has only been internal, such as in the case of a fire, power outage or company-wide computer virus, or when the regional damage was more moderate.

If your firm has multiple offices, you have the option of replicating your data back and forth between them. When the World Trade Center towers collapsed on September 11th, two large multinational brokerage firms were located there. One firm routinely avoided the risk of storing its data in one place by replicating its information between its offices in Jersey City and the World Trade Center - the other did not. It took two weeks for the company who had planned for a disaster to resume operations, and four months for the company that did not. Obviously, no one anticipated the human tragedy that occurred. The outcome, however, was proof that preparing for anticipated business-related disasters can prepare a firm for unanticipated ones as well.

Backup or Archive
In technology, disaster preparation is mostly focused on disaster recovery. Backups are a clear example of this. Backups only serve to recover from hardware failure or file deletion, both of which are localized. Backups reduce the damage cause by disk failures, but don't eliminate it. Ways to think about backup schedules are Recovery Time Objective (how fast do you want to resume running) and Recovery Point Objective (how much data can you afford to lose). For instance, if you have an RTO of two days and an RPO of two weeks, your firm will be up and running in two days, having lost the last two weeks of data you created. As always, there are costs associated with different RPOs and RTOs. Perhaps setting a goal of two weeks for recovering data that was lost up until 15 minutes before a disaster struck isn't the most efficient use of your time. Does being out of business for two weeks sound good? Is two days of downtime and one day of lost data more or less expensive for your office than two weeks of downtime and 15 minutes of lost data? Balancing recurring backup costs and possible downtime costs is the key to establishing a successful backup strategy.

You will also need to address data retention policies when reviewing or creating your backup policies. The Rules of Professional Conduct, Sarbanes-Oxley Act, SEC rule 17a-4, and HIPAA, just to name a few of the regulations, define document retention periods of over seven years for some records and lay out very specific guidelines on the qualities of the medium on which this information is stored.

In some industries, where data retention is governed by these types of compliance laws, a small firm might need an entirely different product than a traditional file server. A digital archive is a relatively new product that complies with these types of regulations and is increasingly available to even the smallest business or firm.

In addition to complying with data retention regulations, digital archives also offer digital file authentication and audit trail capabilities. If you're involved in litigation, what steps will you need to take to make sure that your files are authenticated and can be submitted as evidence? Automatic file authentication might be a very important feature to research when choosing a storage system. Planning today to overcome tomorrow's problems can increase the profitability of a business.

Certification = Protection and Credibility
In addition to screening potential employees, businesses have an ethical duty to examine their partners to ensure that their clients' data is kept confidential and secure. A relatively new certification process called WebTrust (more information is available at webtrust.org) offers a CPA-audited report that evaluates the controls and processes of service providers. This type of certification makes screening potential outsource providers very easy. In turn, these providers boost your firm's credibility and ability to offer differentiated services to prospective clients.

Human Element
No matter how well-trained your employees may be, we're all human and make mistakes. While everyone may adore your wonderful assistant of ten years, s/he may inadvertently destroy all of your firm's intellectual property by pressing the wrong button.

You can't avoid the risk that people who have access to your system may cause - but you can mitigate it through training. Motivate your team and pay what it takes to equip them with the technical knowledge that they need, because it will be worth it. I recently did some work at a large company (over $1B in revenue) that rolled out a new system that no one knew how to use. It took them over four months to issue accurate financial statements at the operating unit level. Four months and an awful lot of goodwill. Spending goodwill on something like an upgrade is not part of a successful strategy, but mitigating the risk ahead of time would have been a way to prevent this problem from occurring.

A final piece of advice is to examine the people who are using your equipment. An emerging best practice among employers is a comprehensive background check on each new hire. Resume padding, poor references and hiding criminal offenses are good examples of what background checks uncover. They should be used to disqualify even the most charming of candidates. We can't all be saints, but lying on a job application is a pretty clear indicator of future behavior.

It's possible to know about an impending disaster before it happens, but you can prepare ahead of time so that your law firm will recover quickly. It shouldn't start or stop at a computer closet. You need examine your entire firm's operations - so get a head start on the competition and begin planning ahead today.

This article originally appeared in the June 2008 issue of Security Today.

If you like what you see, get more delivered to your inbox weekly.
Click here to subscribe to our free premium content.

comments powered by Disqus

Digital Edition

  • Environmental Protection
  • Occupational Health & Safety
  • Infrastructure Solutions Group
  • School Planning & Managmenet
  • College Planning & Management
  • Campus Security & Life Safety