Disaster Preparation for the 21st Century Business
- By Richard Daley
- Jun 02, 2008
Business is all about managing risk, and risk management comes down to
making solid business decisions to avoid and mitigate potential threats,
including natural disasters. Successful planning to address
catastrophic natural disasters almost always ensures successful
preparation for more mundane ones. In this respect, natural disasters
are a proxy. Chances are that your firm is not going to be swept away
by a tsunami, hurricane or any other phenomenon likely to attract
international media attention. David Smith from Pepperdine University's
School of Business and Management estimates that a shared file server is
23 times more likely to fail from hardware failure or some human error
such as spilled coffee than a lightning strike or other natural
disaster. Smith places the value of information lost this way in the
billions for businesses in the United States. Regardless of relative
probabilities, preparing to recover from a major natural disaster such
as a flood will address many, if not all, of the steps necessary to
recover from a more typical burst pipe. The key to mitigating the
business impact of data loss is assessment and preparation.
If there is any constant in the world, it's Murphy's Law - if something
can go wrong, it will - and often at the most inopportune time. First,
identify and understand where your firm is vulnerable, reduce that
exposure as much as possible, and then plan from what you've learned.
Preparing today for seemingly ridiculous and unexpected circumstances
will equip your business to face the unknown disasters that might come
your way tomorrow. Here are several practical steps you should take to
protect your firm's data before it's too late.
Location, Location, Location
First, do some research to discover the inherent risks associated with
your firm's location.
The perfect Class-A office space that you scouted for your firm is
quickly becoming a sought-after business hub in your city. This new
location should bring hundreds of clients to your firm, but it's located
on a flood plain. Should you start looking elsewhere? Not necessarily.
If you've assessed the risk and still think that the overall benefit
outweighs the threat, then simply adjust things accordingly and take
precautions like elevating your equipment and creating a flood line
under which nothing can be placed. In an earthquake-prone region?
Secure equipment racks to the walls and ensure that your building is
While these types of preventative measures will help to mitigate known
risks, there will always be circumstances that are out of your control.
Freak storms, floods and other natural disasters can occur and disappear
in the blink of an eye, but can leave untold amounts of damage behind.
Surprisingly, David Smith states that Mother Nature accounts for only
three percent of all data loss - but the impact can be overwhelming. In
his report entitled "Disaster Recovery Planning," Jon Toigo states that
in his survey, 93 percent of companies that aren't able to recover their data
within ten days of a disaster situation are not likely to survive.
This includes companies that sell tangible inventory to the public. For
law firms and other businesses that trade almost exclusively in
intellectual property without inventory, the impact of natural disasters
can be much greater. That's why it's so important for attorneys to
ensure that their valuable information is always accessible, regardless
of whatever comes their way - and the best way to ensure that you meet
that goal is to practice effective risk management.
Hi-Tech? High Risk
As writing pads give way to e-mail and electronic documents, chances are that you use a computer in your business. If your firm uses computers,
you've already accepted a certain level of risk. Hard drive
manufacturers sell drives labeled with a Mean Time Between Failures or
MTBF, which denotes the average life span of normal usage before that
model of hard drive is expected to fail. No matter how much or how
little you may have spent on your office system, due to their nature as
mechanical devices, the failure rate of every drive is ultimately going
to be 100 percent. Plan for it, and the operations of your law firm will not
By connecting your computers to the Internet, you've also accepted the
risk of hacking, viruses, identity theft, malware, tracking cookies,
spam, and other random acts of computer vandalism. Why, then, would an
office willingly subject itself to these daunting threats? Because the
Internet has become an essential business tool, and the boost in
productivity and profitability is well worth the risk.
When working with a computer that is connected to the Internet, virtual
LANs (VLANs), firewalls and virus protection are good ways to protect
yourself from threats. VLANs are a way of building a small maze for
hackers to get through. They don't reduce the risk of hacking, but if
you put your confidential data on the back VLAN, then it reduces the
risk of someone getting all the way to that data. Firewalls and virus
protection are also good solutions to hacking, and there are several
proven, affordable software solutions, including a built-in Windows
solution, easily available on the market.
Risk avoidance is the most common-sense approach to dealing with
technology. You know that computer equipment breaks, often at the worst
time. So how do you handle the situation? Always remember that computers
are electrical equipment. Providing continuous, conditioned power and
protecting your systems from surges is a way of lessening the risk
associated with a power failure and loss of data. Power surge
protectors are a very low-cost solution and could have huge returns on
the investment. Uninterruptible power supply (UPS) systems are also
very useful for small, price-sensitive firms. They are not the be-all,
end-all solution if your power grid is down for days. Rather, they give
you a small window of opportunity to power down your servers safely so
that a power failure will not trigger data loss.
Centralize to Reduce Risk
But what do you do if your computer crashes despite all of the
preventive measures you've taken? Rather than finding yourself banging
your head on the keyboard when it happens, a better option is to prepare
for this in advance. When it comes to computer equipment, there are
several different, single points of failure that could have caused the
whole system to fall apart - the video card, RAM, hard drive, CD drive,
or any other single device can contribute to your computer's demise.
Choosing to centralize your data storage can help to mitigate this risk
by putting all of your information in one place. Operationally, this
should increase efficiency and productivity through sharing finished and
in-process work. Partners can leverage each other's data, and support
staff can easily access prior works. Firms can either purchase a
centralized repository or use a hosted solution where storage space is
rented on a subscription basis.
Redundancy is Key
Due to the nature of digital data, risk mitigation is sometimes entirely
about putting all of your eggs into one basket and then focusing on
making sure that the basket is safe. You've now decreased the risk (but
not the inevitability) of a computer crashing by transferring that risk
to the possibility of your central storage system crashing. What if
that system crashes?
The solution to this potential threat is to purchase a hardware RAID
(redundant array of inexpensive disks) system. In its simplest form,
RAID is a process that takes your document and copies it to a second
disk. By doing this, you're mitigating the risk of one hard disk
failure by accepting the unlikely chance that two hard disks will fail
within moments of each other. The best specialized storage hardware has
several independent layers of redundancy that would have to fail before
the whole device goes down. For instance, Sun's A5200 has redundant
power supplies, fiber channel connections, and network connections. A
whole cluster of failures would have to strike before an A5200 would go
down and lose data. EMC, NetApp, IBM, Apple, and Sun all manufacture
great (but expensive) hardware equipment designed to protect against
typical, predictable failures.
Disperse the Risk
Another way to mitigate your risk is through geographic
dispersion. Storing data in an offsite data center has helped numerous
businesses bounce back relatively quickly from a localized disaster.
Data centers are "disaster-hardened" complexes that have their own
redundant electrical, communication, and power systems. They are
climate-controlled, use Halon fire suppression systems, and are secured
using biometric-controlled access and 24-hour security personnel.
Although they too are susceptible to the most extreme natural disasters,
these companies have helped to save numerous businesses where the damage
has only been internal, such as in the case of a fire, power outage or
company-wide computer virus, or when the regional damage was more
If your firm has multiple offices, you have the option of replicating
your data back and forth between them. When the World Trade Center
towers collapsed on September 11th, two large multinational brokerage
firms were located there. One firm routinely avoided the risk of
storing its data in one place by replicating its information between its
offices in Jersey City and the World Trade Center - the other did not.
It took two weeks for the company that had planned for a disaster to
resume operations, and four months for the company that did not.
Obviously, no one anticipated the human tragedy that occurred. The
outcome, however, was proof that preparing for anticipated
business-related disasters can prepare a firm for unanticipated ones as
Backup or Archive
In technology, disaster preparation is mostly focused on disaster
recovery. Backups are a clear example of this. Backups only serve to
recover from hardware failure or file deletion, both of which are
localized. Backups reduce the damage caused by disk failures, but don't
eliminate it. Ways to think about backup schedules are Recovery Time
Objective (how fast do you want to resume running) and Recovery Point
Objective (how much data can you afford to lose). For instance, if you
have an RTO of two days and an RPO of two weeks, your firm will be up
and running in two days, having lost the last two weeks of data you
created. As always, there are costs associated with different RPOs and
RTOs. Perhaps setting a goal of two weeks for recovering data that was
lost up until 15 minutes before a disaster struck isn't the most
efficient use of your time. Does being out of business for two weeks
sound good? Is two days of downtime and one day of lost data more or
less expensive for your office than two weeks of downtime and 15 minutes
of lost data? Balancing recurring backup costs and possible downtime
costs is the key to establishing a successful backup strategy.
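
The RPO you set is only as good as the backups that actually completed. The following Python code is an added example, not part of the original article; the sample log, function names and dollar figures are constructed for illustration. It measures the data-loss window a backup history really delivers (a failed job counts as no backup) and prices the two options compared above.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample: nightly backup jobs as (completion time, succeeded?).
SAMPLE_LOG = [
    ("2008-05-01 23:00", True),
    ("2008-05-02 23:00", True),
    ("2008-05-03 23:00", False),  # failed job: nothing restorable from it
    ("2008-05-04 23:00", False),
    ("2008-05-05 23:00", True),
    ("2008-05-06 23:00", True),
]

def good_backups(log):
    """Completion times of successful backups, oldest first."""
    return sorted(datetime.strptime(ts, FMT) for ts, ok in log if ok)

def data_loss_at(log, incident):
    """Work lost if disaster strikes at `incident`; None if nothing to restore."""
    when = datetime.strptime(incident, FMT)
    earlier = [t for t in good_backups(log) if t <= when]
    return when - earlier[-1] if earlier else None

def rpo_violations(log, until, rpo):
    """Windows between good backups (or the last one and `until`) longer than rpo."""
    times = good_backups(log) + [datetime.strptime(until, FMT)]
    return [(a, b, b - a) for a, b in zip(times, times[1:]) if b - a > rpo]

def disaster_cost(recurring, rto, rpo, downtime_per_day, rework_per_day):
    """Yearly backup spend plus the cost of one disaster under this plan."""
    day = timedelta(days=1)
    return recurring + downtime_per_day * (rto / day) + rework_per_day * (rpo / day)

if __name__ == "__main__":
    one_day = timedelta(days=1)
    for start, end, gap in rpo_violations(SAMPLE_LOG, "2008-05-07 12:00", one_day):
        print(f"RPO of 1 day exceeded: {start} -> {end} ({gap})")
    # The article's two options, priced with constructed dollar figures.
    a = disaster_cost(6000, timedelta(days=2), timedelta(days=1), 5000, 3000)
    b = disaster_cost(2000, timedelta(weeks=2), timedelta(minutes=15), 5000, 3000)
    print(f"2 days down / 1 day lost: ${a:,.0f}")
    print(f"2 weeks down / 15 min lost: ${b:,.0f}")
```

Two failed nightly jobs turn a nominal one-day RPO into a three-day exposure, which is why the check runs over completed backups rather than the schedule.
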
You will also need to address data retention policies when reviewing or
creating your backup policies. The Rules of Professional Conduct,
Sarbanes-Oxley Act, SEC rule 17a-4, and HIPAA, just to name a few of the
regulations, define document retention periods of over seven years for
some records and lay out very specific guidelines on the qualities of
the medium on which this information is stored.
In some industries, where data retention is governed by these types of
compliance laws, a small firm might need an entirely different product
than a traditional file server. A digital archive is a relatively new
product that complies with these types of regulations and is
increasingly available to even the smallest business or firm.
In addition to complying with data retention regulations, digital
archives also offer digital file authentication and audit trail
capabilities. If you're involved in litigation, what steps will you
need to take to make sure that your files are authenticated and can be
submitted as evidence? Automatic file authentication might be a very
important feature to research when choosing a storage system. Planning
today to overcome tomorrow's problems can increase the profitability of
Certification = Protection and Credibility
In addition to screening potential employees, businesses have an ethical
duty to examine their partners to ensure that their clients' data is
kept confidential and secure. A relatively new certification process
called WebTrust (more information is available at webtrust.org) offers a
CPA-audited report that evaluates the controls and processes of service
providers. This type of certification makes screening potential
outsource providers very easy. In turn, these providers boost your
firm's credibility and ability to offer differentiated services to
No matter how well-trained your employees may be, we're all human and
make mistakes. While everyone may adore your wonderful assistant of ten
years, s/he may inadvertently destroy all of your firm's intellectual
property by pressing the wrong button.
You can't avoid the risk that people who have access to your system may
cause - but you can mitigate it through training. Motivate your team
and pay what it takes to equip them with the technical knowledge that
they need, because it will be worth it. I recently did some work at a
large company (over $1B in revenue) that rolled out a new system that no
one knew how to use. It took them over four months to issue accurate
financial statements at the operating unit level. Four months and an
awful lot of goodwill. Spending goodwill on something like an upgrade
is not part of a successful strategy, but mitigating the risk ahead of
time would have been a way to prevent this problem from occurring.
A final piece of advice is to examine the people who are using your
equipment. An emerging best practice among employers is a comprehensive
background check on each new hire. Resume padding, poor references and
hiding criminal offenses are good examples of what background checks
uncover. They should be used to disqualify even the most charming of
candidates. We can't all be saints, but lying on a job application is a
pretty clear indicator of future behavior.
It's impossible to know about an impending disaster before it happens, but
you can prepare ahead of time so that your law firm will recover
quickly. It shouldn't start or stop at a computer closet. You need to
examine your entire firm's operations - so get a head start on the
competition and begin planning ahead today.
This article originally appeared in the June 2008 issue of Security Today.