Hurricanes. Floods. Tornados. Fires. Earthquakes. Explosions. Extended power outages. Disgruntled employees. Hackers. And, most recently, terrorist attacks.
Those are just 10 examples of circumstances that could disable your company by damaging your computer systems and destroying your valuable data. They're also 10 good arguments for having a comprehensive, constantly updated disaster-recovery plan.
Need a few more reasons? Blizzards. Forced evacuation due to toxic contamination (remember the anthrax scare in 2001?). Vandalism or theft. Civil unrest. Computer viruses. And the list goes on.
Naturally, nobody can plan for all those eventualities. But too many small to midsized companies don't plan for any of them. The Small Business Pipeline, a technology-related Web site and newsletter, found that nearly three-quarters of the 237 SMBs it surveyed in April 2004 had no written disaster-response strategies.
And the penalties for being unprepared can be mighty steep: The American Red Cross, among others, estimates that as many as 40% of SMBs simply never reopen after a disaster such as a flood, tornado, or earthquake. In many of those cases, of course, insurance covers replacement of physical assets. But if companies haven't protected their digital assets, such as critical financial and customer information, they may be out of luck -- and out of business.
Most entrepreneurs now understand the importance of network security. But shielding your systems won't do much good if, in the worst-case scenario, they no longer exist. And if you back up information but store the duplicated materials onsite or in an adjacent building, as some downtown Manhattan businesses did before the terrorist attacks of September 2001, you won't be any better off in a disaster that affects an entire region.
For those reasons, the cornerstone of any successful disaster-recovery -- or, in more positive parlance, business-continuity -- plan is at least one offsite data center anywhere from a few miles to a few states away. At the very least, the distant site should contain complete, constantly updated copies of all company information; preferably, it's more than a repository -- it's a mirror image of your main system, set up to let you easily access, search, and retrieve data from afar. Ideally, it should be a "fail-over" set-up, meaning that, when disaster strikes, your systems switch to the remote site, allowing you to run your company from there.
Technologies that can help ensure business continuity during a catastrophe include:
Tapes. You can rely on the old standby of duplicating data onto tapes, then transporting them to an offsite facility -- either your own or a service provider's. (At many small companies, somebody often just takes the tapes home -- certainly not the best way to safeguard information in the event of widespread disaster. Better to rely on a storage site that's at least 50 to 75 miles away.
Disks. A newer option, offered by companies such as IntraDyn Inc. of Edina, Minn., lets companies to back up data onto disks, which, they say, are easier to search, cheaper to transport and store, and more durable than tapes.
The Internet. Thanks to increased bandwidth, you can also do ever-larger backups online, either sending data to your own remote site or to that of a service provider. In either case, your budget will determine whether you've got a "cold" or "warm" backup -- which cost less but can take days to fully restore operations -- or a more expensive "hot" one, which should put you back in business within minutes or a few hours.
Meanwhile, companies like Connected Corp. of Framingham, Mass., offer software or services that automatically back up small companies' individual PCs. That's a particularly useful option for smaller-scale problems, such as a single hard-drive failure or a power failure affecting just a few users. (My next column will take an in-depth look at storage options.)
But before making any technology choices, it's important to craft an information disaster-recovery plan -- a formal written policy that's part of a comprehensive company-wide business-continuity strategy.
To start, appoint an information crisis-response team. Assign each member specific responsibilities, but allow for overlap: At least two people should be assigned to every major task. Provide all members with multiple ways to contact each other in a disaster. Install a voice mailbox on a remote system in case your own telecommunications system is down. Designate an outside gathering place in case you can't access your building.
Then, take inventory of your company's information assets, recommends Elaine S. Price, CEO and president of CYA Technologies Inc., which makes business-continuity and collaboration software. Go beyond the network: Remember to account for data stored in e-mail, on individual desktop and laptop hard drives, on intranets and extranets, or in remote offices.
Rank each component according to its current relevance and importance to business processes, Price recommends. For instance, ask "Could my company function without access to this particular data?" Obviously, if the answer is no, that information gets the highest rating. Critical financial documents, competitive data, and confidential customer records should also receive top-priority status, as should anything you're required to keep by law. In contrast, promotional materials, historical sales data, and materials from past projects and initiatives probably deserve lower ratings.
Focus on the top-ranked data first. Back it up constantly -- preferably several times daily in at least two locations -- and choose storage methods that let you quickly find and retrieve what you need in a crisis.
Calculate the costs of recreating critical information -- and, if applicable, the potential damage from data that's permanently lost. The Federal Emergency Management Agency recommends examining both temporary and permanent replacement costs. The numbers may be frightening, but they provide a good gauge for determining the potential ROI on your storage and data-recovery solutions.
Choose a remote site that's far enough from your primary location that it's unlikely to be affected by the same disaster, but close enough so you can get there in a hurry. For instance, one Inc. 500 CEO set up a disaster-recovery center in an outbuilding near his vacation home, about 45 miles from the high-tech company's headquarters; he already knows how to reach that site by either the main highway or the back roads. Tip: For the best chance of quick recovery, select sites or providers beyond your company's own power grid.
Update the plan constantly to account for personnel changes, process improvements, increasing amounts of data, emerging technologies, and, sadly, any new threats.
Following are some resources for learning more about business continuity and disaster recovery:
VENDOR WHITE PAPERS
Avoiding Disaster: How to Keep Your Business Going When Catastrophe Strikes, by John Laye (John Wiley & Sons, 2002).
The Backup Book: Disaster Recovery from Data Center to Desktop, edited by Dorian Cougias, E.L. Heiberger, and Karstan Koop (Schaser-Vartan Books, 2003)
Contingency Planning and Disaster Recovery: A Small Business Guide, by Donna R. Childs and Stefan Dietrich (John Wiley & Sons, 2002)