IT Lessons Learned from Hurricanes
Disasters can hit hard - stats show that about 43 percent of businesses that close following a natural disaster never reopen and about 29 percent close down within two years. Disaster planning can be bare bones, but effective. This column lays out the crucial items to include in any plan.
August 25, 2011
Yehuda Cagen is the Director of Client Services of Houston IT consulting firm Xvand Technology Corporation. Many Houston-area companies were affected by Hurricane Ike in September 2008.
It’s astounding to see how many organizations do not plan for disaster, or even feel the need for a disaster plan.
According to the Gulf Coast Back to Business Act (2007), Congress finds that 43 percent of businesses that close following a natural disaster never reopen. An additional 29 percent of businesses close down permanently within two years (Library of Congress 2009). A common oversight when weighing the risk and probability of disaster is that natural disasters are infrequent: along the Gulf Coast it may be a hurricane, for Californians an earthquake. In truth, the most common sources of data loss are internal theft (rogue employees) and lost laptops and thumb drives.
Many executives delay establishing a comprehensive disaster plan due to the misconception that it requires significant time and resources. A disaster plan should be a working, breathing document that requires regular augmentation and improvement.
Here’s a disaster plan outline your organization can employ today:
Take Inventory of IT Equipment
Complete an inventory of all computers, equipment, supplies and receipts/verification of ownership to show your insurance provider post-disaster. Individual departments and employees should be encouraged to do the same.
Take “before” photographs for documented evidence
Have copies of maintenance agreements and break/fix providers readily accessible
Capture serial numbers of equipment
Make sure back-up power supply is intact
Risk Assessment & Management
For small and mid-sized organizations, creating a contingency plan for every component and process can be costly – and overwhelming. Therefore, it’s critical to identify and categorize the risk an IT disaster may have on the organization.
What to consider when assessing risk:
Impact on revenue
Impact on clients/reputation
IT systems assessment (create a spreadsheet that uses weighted values assigned to various systems, functionality and dependencies. See Table 1 below)
Which data can the organization afford to lose (if any)?
How long can data be inaccessible? (For example, for most organizations email is critical, while an application like Photoshop may not be as important to day-to-day operations.)
Table 1. Sample Risk Assessment Spreadsheet
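An added example (not the author's Table 1, and not from the original column) of the weighted scoring described above. The systems, weights, 1-5 scores and dependencies are constructed for illustration; the one rule it adds is that a dependency ranks at least as high as anything that relies on it.

```python
# Constructed weights (percent) for the assessment criteria listed above.
WEIGHTS = {"revenue": 35, "clients": 30, "data_loss": 20, "downtime": 15}

# Constructed scores: 1 = low impact / high tolerance, 5 = high impact / no tolerance.
SYSTEMS = {
    "email":            {"revenue": 4, "clients": 5, "data_loss": 4, "downtime": 5},
    "accounting":       {"revenue": 5, "clients": 3, "data_loss": 5, "downtime": 3},
    "photoshop":        {"revenue": 1, "clients": 1, "data_loss": 1, "downtime": 1},
    "directory_server": {"revenue": 1, "clients": 1, "data_loss": 3, "downtime": 2},
    "file_server":      {"revenue": 2, "clients": 2, "data_loss": 5, "downtime": 2},
}

# Constructed dependency map: system -> systems it cannot run without.
DEPENDS_ON = {
    "email": ["directory_server"],
    "accounting": ["file_server", "directory_server"],
    "file_server": ["directory_server"],
}

def base_score(scores):
    """Weighted score on a 100-500 scale (integer, so no rounding surprises)."""
    return sum(WEIGHTS[c] * scores[c] for c in WEIGHTS)

def dependents_of(target, depends_on):
    """All systems that directly or transitively rely on `target`."""
    found, stack = set(), [target]
    while stack:
        cur = stack.pop()
        for name, deps in depends_on.items():
            if cur in deps and name not in found:
                found.add(name)
                stack.append(name)
    return found

def effective_scores(systems, depends_on):
    """A system inherits the highest score among itself and everything relying on it."""
    eff = {}
    for name in systems:
        users = dependents_of(name, depends_on) | {name}
        eff[name] = max(base_score(systems[u]) for u in users)
    return eff

def restore_order(systems, depends_on):
    """Highest effective score first; on ties, the system more others rely on."""
    eff = effective_scores(systems, depends_on)
    return sorted(systems, key=lambda n: (-eff[n], -len(dependents_of(n, depends_on)), n))
```

Scored on its own, the directory server looks unimportant; once dependencies are counted it moves to the top of the list because email cannot come back without it.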
On the Road - Mobile Device Security
Most disaster plans have contingencies in place to send employees to an alternate workplace when an impending disaster threatens. When sending employees off-site, remind them not to rely on mobile devices for backing up critical company data. (According to Dell, 49% of data breaches were due to lost or stolen laptops or devices such as USB flash drives.)
Use these best practices for securing wireless devices:
Change Default Passwords
Turn on Encryption
Change Default SSID
Enable MAC Address Filtering
Disable SSID Broadcast
Beware Open Wi-Fi Networks
Assign Static IP Addresses
Enable Firewalls on each Device
Position Access Point Safely
Turn Off When Not in Use
Protect against lost laptops and remote devices with these suggestions:
Laptop tracking and remote data deletion capabilities are a safe and economical way to protect company assets and data. Many of today’s devices have built-in capabilities to remotely erase data.
Record all serial and model numbers of all equipment.
Contact local law enforcement and your organization's data recovery department as soon as a laptop is lost or goes missing.
When sensitive data contained on laptop hard drives needs to be destroyed, ensure your organization is in compliance with appropriate data destruction policies and request a certificate for data removal from the vendor.
Test your Disaster Recovery Plan in Advance
According to Microsoft, nearly 75 percent of organizations that test their tape backups found backup failures, so it’s critical to test the following on a QUARTERLY basis:
Data access – move data to systems that will allow browser access
Data backup – is your offsite storage facility in the hurricane path?
Data restoration - how do your vendors define “recovery” and how long is the recovery interval – have you timed it? Where will restore occur? Are the backups up-to-date and good? Will the data be in sync? How LONG will it take? Will the equipment be compatible?
Data security – cyber thieves love natural disasters; it's the best time to strike
System uptime – your recovery interval is twelve hours and your battery backup is good for four hours
Data accessibility (before, during, after a disaster)
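An added example (not from the original column) of a scripted restore test covering three of the questions above: is the backup up to date, is it good, and how long does the restore take. The in-memory archive, file names and thresholds are constructed; a real test would restore from the actual backup media.

```python
import hashlib, io, tarfile, tempfile, time
from pathlib import Path

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def make_backup(files):
    """Constructed stand-in for a backup job: tar.gz bytes plus a hash manifest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), {n: sha256(d) for n, d in files.items()}

def restore_test(archive, manifest, taken_at, now, max_age_s, recovery_interval_s):
    """Return a list of problems; an empty list means the restore test passed."""
    problems = []
    if now - taken_at > max_age_s:                       # up to date?
        problems.append("backup is stale")
    started = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:       # never restore over live data
        root = Path(scratch).resolve()
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for m in tar.getmembers():
                dest = (root / m.name).resolve()
                # Refuse links, devices and paths that escape the scratch directory.
                if not m.isfile() or not dest.is_relative_to(root):
                    problems.append(f"skipped non-file or unsafe member: {m.name}")
                    continue
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(tar.extractfile(m).read())
        for name, want in manifest.items():              # good?
            restored = root / name
            if not restored.is_file():
                problems.append(f"missing: {name}")
            elif sha256(restored.read_bytes()) != want:
                problems.append(f"corrupt: {name}")
    if time.monotonic() - started > recovery_interval_s: # how long did it take?
        problems.append("restore exceeded recovery interval")
    return problems

# Constructed sample data and thresholds.
FILES = {"mail/inbox.mbox": b"From: client\n", "ledger.csv": b"id,amount\n1,100\n"}
DAY = 86400
TWELVE_HOURS = 12 * 3600
```

The manifest must be stored separately from the backup itself, otherwise whatever damages or alters the archive can alter the hashes too.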
Five Questions to Ask a Prospective Disaster Recovery Vendor
Should you decide to outsource data backup and protection to a third-party vendor, here are five critical questions to ask a prospective disaster recovery vendor:
What’s the recovery interval?
Who’s responsible for restoring data?
Do you document your backup procedures?
How often do you test your data backup plan?
What are your staffing levels in an emergency?
Any vendor that fails to provide comprehensive answers and references should be taken off your list.