IT Lessons Learned from Hurricanes
Yehuda Cagen is the Director of Client Services of Houston IT consulting firm Xvand Technology Corporation. Many Houston-area companies were affected by Hurricane Ike in September 2008.
It’s astounding to see how many organizations do not plan for disaster, or even feel the need for a disaster plan.
According to the Gulf Coast Back to Business Act (2007), Congress finds that 43 percent of businesses that close following a natural disaster never reopen. An additional 29 percent of businesses close down permanently within two years (Library of Congress 2009). A popular oversight when weighing the risks and probability of disaster is that natural disasters are infrequent. Along the Gulf Coast, it may be a hurricane. Or an earthquake for Californians. In truth, the most common source of data loss is internal theft (rogue employees) and lost laptops and thumb drives.
Many executives delay establishing a comprehensive disaster plan due to the misconception that it requires significant time and resources. A disaster plan should be a working, breathing document that requires regular augmentation and improvement.
Here’s a disaster plan outline your organization can employ today:
Take Inventory of IT Equipment
Complete an inventory of all computers, equipment, supplies and receipts/verification of ownership to show your insurance provider post-disaster. Individual departments and employees should be encouraged to do the same.
- Take “before” photographs for documented evidence
- Have copies of maintenance agreements and break/fix providers readily accessible
- Capture serial numbers of equipment
- Make sure back-up power supply is intact
Risk Assessment & Management
For small and mid-sized organizations, creating a contingency plan for every component and process can be costly – and overwhelming. Therefore, it’s critical to identify and categorize the risk an IT disaster may have on the organization.
What to consider when assessing risk:
- Impact on revenue
- Impact on clients/reputation
- IT systems assessment (create a spreadsheet that uses weighted values assigned to various systems, functionality and dependencies. See Table 1 below)
- Which data can the organization afford to lose (if any)?
- How long can data be inaccessible? (For example, for most organizations email is critical, while an application like Photoshop may not be as important to day-to-day operations.)
On the Road – Mobile Device Security
Most disaster plans have contingencies in place to send employees to an alternate workplace when an impending disaster threatens. When sending employees off-site, remind them to not rely on backing up critical company data on mobile devices. (According to Dell, 49% of data breaches were due to lost or stolen laptops or devices such USB flash drives.)
Use these best practices for securing wireless devices:
- Change Default Passwords
- Turn on Encryption
- Change Default SSID
- Enable MAC Address Filtering
- Disable SSID Broadcast
- Beware Open Wi-Fi Networks
- Assign Static IP Addresses
- Enable Firewalls on each Device
- Position Access Point Safely
- Turn Off When Not in Use
Protect against lost laptops and remote devices with these suggestions:
- Laptop tracking and remote data deletion capabilities are a safe and economical way to protect company assets and data. Many of today’s devices have built-in capabilities to remotely erase data.
- Record all serial and model numbers of all equipment.
- Contact local law enforcement and your organization’s data recovery department as soon as a laptop goes lost or missing.
- When sensitive data contained on laptop hard drives needs to be destroyed: ensure your organization is in compliance appropriate data destruction policies and request a certificate for data removal from the vendor
Test your Disaster Recovery Plan in Advance
According to Microsoft, nearly 75 percent of organization that test their tape backups found backup failures, so it’s critical to test the following on a QUARTERLY basis:
- Data access – move data to systems that will allow browser access
- Data backup, is your offsite storage facility in the hurricane path
- Data restoration – how do your vendors define “recovery” and how long is the recovery interval – have you timed it? Where will restore occur? Are the backups up-to-date and good? Will the data be in sync? How LONG will it take? Will the equipment be compatible?
- Data security – cyber thieves love natural disasters, best time to strike
- System uptime – your recovery interval is twelve hours and your battery back up is good for four hours
- Data accessibility (before, during, after a disaster)
Five Questions to Ask a Prospective Disaster Recovery Vendor
Should you decide to outsource data backup and protection to a third-party vendor, here are a five critical questions to ask a prospective disaster recovery vendor:
- What’s the recovery interval?
- Who’s responsible for restoring data?
- Do you document your backup procedures?
- How often do you test your data backup plan?
- What are your staffing levels in an emergency?
Any vendor that fails to provide comprehensive answers and references should be taken off your list.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.