By Gail Bailfour
A SYSTEMS OUTAGE CAN SHUT DOWN YOUR COMPANY, AND MOST PEOPLE ARE SIMPLY NOT PREPARED.
Like most New Yorkers, Dona Childs remembers Sept. 11, 2001, as if it were yesterday. Then again, she was actually inside the World Trade Center when the first plane hit.
That morning, Childs had just stopped in at the ground floor pharmacy on her way to work when she heard - and felt - the crushing impact of the terrorist attack. In the chaos that followed, she found herself evacuated and shuttled to New Jersey on a police boat. It was more than a week before she could return to her nearby business and, because of the extensive damage to surrounding areas, she was unable to return to her Manhattan home for almost three months.
This level of downtime would have ended many companies, but Childs, president and CEO of economic development firm Childs Capital, fared remarkably well through the crisis.
Her secret? A solid background in the insurance industry, and the foresight to have a strong contingency plan. She ended up lending a helping hand to companies who weren’t so fortunate, and later co-wrote the book Contingency Planning and Disaster Recovery: A Small Business Guide.
Childs was one of the panellists at a recent business protection event in New York hosted by HP to coincide with its launch of a new suite of business continuity products targeted at the SMB market.
“I use technology like I use a toothbrush. I am comfortable with it. So if, God forbid, you have a disaster, you don’t have to think about [the technology],” Childs said. “Unfortunately, complacency can set in.”
She quoted 2002 research published in Accounting Technology magazine which stated that, of the companies surveyed, a whopping 90 per cent whose networks went down for more than five consecutive days went out of business less than a year later.
No small matter
The fact is, small companies often have a false sense of security because they don’t feel targeted. But disasters don’t have to be on a grand scale. A simple computer virus or coffee spill on your main computer can spell irretrievable data loss.
Stefan Osthaus, senior marketing director for consumer and small business with Symantec EMEA in Ratingen, Germany, and a panellist at HP’s event, said about 1,400 new computer vulnerabilities arise every month and companies typically receive 13.6 attacks per day. More and more security risks will be embedded in audio and video files in the future - “those funny things we all get and laugh at,” Osthaus said.
“It’s not that plane crashing into a building, it’s not a tsunami - it’s that kid hacking into your system to see what he can get away with.”
Despite these threats, SMBs are usually not willing to invest in security, he said.
Michael Hyjek, senior analyst for SMB at IDC Canada in Toronto, agreed. “SMBs tend to be pretty reactive to what’s going on - they aren’t proactively going out and looking for reasons to spend money on IT,” Hyjek said. “A lot of smaller companies are content with throwing up a firewall and calling it a day.”
Still, spending in this area is increasing. According to IDC Canada, SMBs in Canada will purchase about $53.8 million worth of security software in 2005. That number is expected to experience a compound annual growth rate of 9.5 per cent through 2009.
Part of the reason more companies are now investing in business continuity is that the perceived risk is greater than a few years ago, said panellist William Raisch, executive director of the International Center for Enterprise Preparedness (InterCEP) at New York University.
“We all get religion after a disaster,” he said.
Raisch added that it’s important to figure out how far-reaching the impact would be if your IT department went down, and to look beyond technology to the collateral damage that may occur.
“For a small business, it may be something relatively minor (that happens) - it won’t make the news, but it won’t be minor to you.”
At what cost?
Industry experts say the upfront cost of investing in business continuity technology is small compared to the potential cost of data loss or system downtime. To assess this, companies should calculate how network downtime will ultimately affect their business.
Graeme Jannaway, managing director of Toronto-based Jannaway & Associates, teaches disaster recovery around the world.
He said the first thing a company needs to do is to figure out its core function. It’s remarkable how many firms can’t define their central business, he said, or how to prioritize what needs to be recovered first.
“‘How important is your job?’ is not a polite question to ask, and not the right question anyway,” he said. “The quickest question to ask is: ‘Is anybody going to die?’ I have clients who run 911 (call centres) and the answer is yes, someone will die if the network’s not working.
“There are all kinds of things that are really important to the day-to-day running of a company, but they are not time-critical.”
Once priority is established, you then need to figure out what information is critical to the business, and how to go about retrieving it. This doesn’t always mean a computer file, he said.
“In a lot of cases, if you sit and think for a bit, you realize there is already a copy (of crucial documents) offsite - what I call ‘natural backup.’ For every contract there are two sides - both sides have a copy. And probably there are copies with their lawyers as well. So as long as your lawyer isn’t in the same building you are in, you can probably get a copy of what you need.”
Interestingly enough, it is frequently the lowest-paid workers in a company whose systems should be restored first in the event of a network failure, Jannaway said, because they are often the ones who deal directly with the files that impact the day-to-day running of the business.
So it comes down to understanding what you are storing and its value to the business. Then, you figure out what you are going to do about it, said David Freund, practice leader, information architecture with Illuminata Inc. in Nashua, N.H.
Where’s your info?
“But even more important, the top of the IT stack...is still people. It’s what they are doing, what information they’re gathering, and what information they need to do their job.”
For example, companies will often invest heavily in proprietary software or technology only to discover later the employees aren’t actually using it. “(Instead), maybe they are running something out of Excel spreadsheets on their laptops.”
There are several problems with that scenario, he said. “Senior management doesn’t know about it, they can’t leverage (the information) across the organization and it’s not protected.”
Suddenly you are in a situation where a valuable corporate asset is uniquely stored on one laptop which is not even being backed up. And what if that machine gets stolen?
You can’t even measure the cost when the privacy and confidentiality of a client is compromised due to a technology failure or a security breach, said Trevor Anderson, manager of IT with Thompson Dorfman Sweatman, a Winnipeg, Man.-based law firm.
“What’s the client’s feeling going to be? Is that client going to feel as confident in that firm in the future?”
The most important thing is to not allow the core business to be affected. Doing backups is obviously important - but make sure you do them in a way that is useful, he advised.
“A lot of people, Monday to Friday, will back up onto five tapes. The next Monday they throw in the same five tapes and overwrite them,” he said.
“Where is the redundancy in that? Where is the long-term archiving? Nobody thinks their data is going to be subpoenaed (for example). And in a law firm, especially, we have to be prepared for that.”
Bernard Savoie, manager of computer operations and telecommunication with Co-op Atlantic, a wholesaler of agricultural, food, general merchandise and petroleum products based in Moncton, N.B., found out the hard way how backups can fail. The main database for the company was stored on a RAID system.
“Normally when one (disk) fails, a second one takes over. But in this case we had one disk fail, then the second one failed shortly after. The redundancy component then was thrown out the window.”
Luckily, customers’ orders were not lost, but it took 18 hours to recover from the failure and be able to process the orders for the 135 retail enterprises it serves. Savoie has since upgraded to an HP system where the backup disks are monitored regularly to see if they are working properly.
Save the important
So where do you start? In what Raisch describes as “informational triage,” business owners must ask themselves: if you only had five minutes to collect the most important things at your company, what would you walk out with?
The answer should provide you with the first priority of which elements you should be protecting.
“Our goal isn’t to scare anybody,” he said, “it’s the opposite.”
But make no mistake - people are afraid, especially of data loss. Just ask Freund. “Oh boy. You go and have conversations with CIOs...and then you ask an uncomfortable question like: ‘So, if all your information were wiped out on your primary storage, how much of it could you get back?’ It’s a really basic question - not even a technology question,” he said.
“And you almost always get that deer-in-the-headlights look first. Then, after some thought they say, ‘Well, maybe I could get about 80 per cent back.’ But they have that nervous look in their eye, and you know they’re not going to sleep well that night.”