Gartner estimates that two out of five enterprises that experience a disaster will go out of business in five years. Enterprises can improve those odds -- but only if they take the necessary measures before and after the disaster.
The terrorist attacks on the United States on 11 September 2001 are focusing the attention of enterprise decision makers on the urgent need to prepare for disaster recovery — i.e., the steps an enterprise takes when it cannot operate normally because of a natural or manmade disaster. Before 11 September 2001, most enterprises may have thought of a disaster in terms of a snowstorm that hampers operations because key operating personnel cannot reach their positions. Recent events make it clear that the word "disaster" can mean something far more catastrophic — events from which it may take months or even years to recover. This special edition of the Security and Privacy Spotlight examines the issues of disaster recovery, business continuity planning (see "Aftermath: Business Continuity Planning," AV-14-5138), and the tools and services required for both (see "Aftermath: Technology Tools and Services," AV-14-5338).
The reality is that many enterprises that experience a disaster never recover. Gartner estimates that two out of five enterprises that experience a disaster go out of business within five years. In some cases, the disruption of normal business operations causes customers to lose confidence in the enterprise's viability. In other cases, the cost of recovery is simply too great. Sometimes the failure is caused by the loss of key personnel — a problem that is likely to be critical for many of the enterprises affected by the destruction of New York's World Trade Center. Some of the financial services providers located in that complex are believed to have lost one-third or more of their personnel, including many senior executives, and many of these enterprises may find it impossible to recover.
An enterprise may declare a disaster for a number of reasons, both routine and dramatic:
Extreme weather conditions (e.g., Hurricane Floyd, which brought the eastern United States to a standstill in September 1999)
Prolonged power or communications failure (e.g., the difficulties faced by enterprises and individuals in New York after the World Trade Center attack)
Robbery or other criminal activity (e.g., the theft of credit card numbers from CDNOW and other e-commerce sites)
Civil unrest (e.g., the disturbances at the World Trade Organization conference in Seattle in 2000 and the Group of Eight summit in Genoa in 2001)
Recent Gartner Dataquest research on application downtime shows that an average of 40 percent of downtime is caused by application failures (e.g., performance issues or "bugs"), 40 percent by operator error, and approximately 20 percent by system or environmental failures. The majority of the failures in the "system or environmental" segment — 60 percent — is caused by hardware problems. Overall, less than 5 percent of application downtime is attributable to disasters.
The disaster recovery section of this special edition of Security Matters! examines the steps that enterprises must take to recover from a disaster. These steps are usually detailed in a business continuity plan — but many enterprises have never prepared such a plan. The research included in this section outlines management's primary responsibility — protecting the health and safety of personnel — and the actions to be taken to ensure that business resumes as soon as possible. Planning is critical to these efforts: Gartner research shows that enterprises that have prepared business continuity plans are significantly more likely to survive than those that have not.
The damage a disaster causes to an enterprise may not necessarily be physical, as the troubling increase in systems- and operations-disrupting "cyberattacks" shows. These activities are certain to increase in response to any reprisals, including military action, that the United States takes in response to the 11 September 2001 attacks, and enterprises must immediately take precautionary measures. Communications — the lifeline of modern business, indeed of modern society — often fail during disasters. Landline telephone service may be lost, wireless networks and data lines may be damaged, broadcast radio and television may be knocked off the air. The events of 11 September 2001 show, however, that other technologies — including e-mail, two-way paging and instant messaging — can enable individuals and enterprises to communicate under even the most difficult circumstances.
This section discusses a number of other key disaster-related issues, including: the impact of a disaster even on enterprises far removed from the disaster site; the importance of software change management methodologies; the available data replication technologies; and the importance of government action in ensuring business recovery.
A common thread runs through these research pieces: the urgent need to prepare for disasters that can threaten the very existence of an enterprise. Gartner's research makes it clear that comprehensive, proactive action can significantly improve enterprises' chances of survival — particularly if they begin preparing now.
"What Is Crisis Management?" (TU-14-5246). Defining management's roles and responsibilities during and after a crisis. By Roberta Witty
"Jump-Start the Business Continuity Plan: A Checklist" (TG-14-5245). Disaster recovery steps to take before, during and after a crisis. By Roberta Witty
"Cyberattacks: Prepare Your Enterprise Now" (TG-14-5482). Preparing for and preventing cyberterrorism. By Rich Mogull
"Getting Through: Using E-Mail and IM in a Disaster" (TG-14-5359). Alternative modes of communication. By Joyce Graff
"Disaster Management Plan for Remote Access" (TG-14-5458). How to use telecommuting and remote access to keep the enterprise functioning during a crisis. By John Girard
"The Ripple Effect: Disaster's Indirect Impact" (TG-14-5298). How to prepare for a disaster's indirect consequences. By Donna Scott
"Software Change Management: Disaster Recovery Lessons" (COM-14-5101). Lessons learned from the Australian Stock Exchange failure of 2000. By Victor Wheatman and Chris Morris
"Disaster Recovery: Weighing Data Replication Alternatives" (T-13-6012). Disaster recovery tools and technologies. By Donna Scott, Jon Rubin and Josh Krischer
"Disaster Recovery: What Governments Should Do Now" (COM-14-5258). How governments can recover from a disaster, and help enterprises do the same. By Gregg Kreizman, Bill Keller and Christopher Baum