BOSTON - "The world has changed," said Laurie Bailey, consulting manager at SunGard Planning Solutions, addressing the audience at the National Investment Company Service Association's panel on business continuity and recovery planning at its East Coast regional meeting in Boston earlier this month.
While it is simply stated, it couldn't be more accurate for the world of corporate disaster recovery. Everything has changed, and a large number of companies are not prepared for it.
As illustrated by the after-effects of Sept. 11, many companies were not prepared for such unimaginable events then, and nearly a year and a half later, many are still not fully prepared, at least that was the consensus among the approximately 250 in attendance at the conference.
Repeatedly, the panelists asked the audience, by a show of hands, if their companies had certain disaster recovery procedures or equipment in place, and most of the attendees sat on their hands. A mere two individuals in a fully packed conference hall responded affirmatively to most of the queries.
"There are a lot of companies that are still struggling with this issue," Bailey later said in an interview for Mutual Fund Market News.
"It's very complicated and it's costly. They really need to find that balance between cost versus risk." One pitfall, Bailey said, is that many companies currently have their energies focused elsewhere, such as dealing with drastic staff reductions and the sluggish economy.
When many companies are prioritizing, she said, continuity and disaster recovery planning sometimes get lost in the shuffle. "It's [considered] an optional expense instead of being integrated into their process," she said.
And if the possible terror scenarios aren't enough of a wake-up call, the panel presented some scary numbers that illustrate just how vulnerable the U.S. financial industry is. Eighty-one percent of U.S. CEOs acknowledge that their existing crisis-management plans were inadequate to handle the number of issues stemming from the attacks in 2001, according to a 2002 CSI/FBI computer crimes and security survey that Bailey cited.
Although 63% have readdressed their plans since that time, the consensus at the meeting is that many are still unprepared.
Scarier still is the fact that 85% of critical infrastructure in the U.S. is in private hands, Bailey said, citing a FBI InfraGard Chapter Presentation at Philadelphia, Drexel University last December. And further still, 86% of computer crimes originate inside the network, according to a 2000 CSI/FBI computer crimes and security survey. "One attack can affect thousands of computers," Bailey said. "It's very debilitating and costs a great deal of money to recreate data."
"Its no longer okay for us to plan for events you or your co-workers have experienced," said Susan Lilly, assistant vice president, business management group, CDC IXIS Asset Management Services, speaking at the conference. Prior to 9/11, the major crises consisted of weather-related or natural-disaster incidents, power outages, fire, PBX failures and local exchange carrier outages.
Now the realization is that terrorism, sabotage, city or region-wide incidents or even carrier bankruptcy are all factors that have to be considered.
"People need to think outside of the box when it comes to business continuity planning. It's not your traditional planning what if my data center goes down?' It's looking at other potential risks," Bailey said. "There are things outside of just infrastructure and firewalls."
"You can't just plan on your own disaster," said James Hillman of The Bank of New York, one of the two audience members who said his company's plans are up to snuff. Hillman also said companies need to think of every aspect of moving its staff to a backup site, even temporarily. He said that the BONY incurred a bill of around $34,000 just for food for the staff in the first week of a relocation to a backup site.
"It's really being sensitive to where you are and who your neighbors are," said Bailey, noting that if a company is housed in the same building as certain government agencies or potential targets, the risk factor goes way up. She said it's about identifying potential economic targets, key infrastructure to the country, American icons - and steering clear of them in order to minimize risk.
Deborah Rothe, vice president, Business Recovery Services and Telecommunications BISYS Fund Services, said that companies located abroad are not any better prepared than those here and they have a host of other factors to consider, too. "Most European operations are in the same shape as the companies over here," she said. "Do they have contingency plans? Kinda, sorta."
Planning for disaster recovery and alternate sites and backup locations is even more complicated when a company is located abroad. Some countries will not allow companies, even in a crisis, to move their operations temporarily out of the country. Rothe noted Dublin as one such place where moving a server off the island, even in the gravest of circumstances, is very difficult.
Escape from New York
While many companies have vacated Manhattan in the wake of the terrorist attacks here, other that have stayed are moving their backup centers off the island. "It's a tip of an island," Bailey said of the financial district in lower Manhattan. Due to the sheer location, it makes more sense to have backups elsewhere, such as across the river in New Jersey.
"Logistically, if you're in Philadelphia, it's a little different. You have many more access points. Lower Manhattan seems to be much more vulnerable. If you're in a metro area you're talking about power grids," she said.
Bailey said that a lot of companies already have their primary data centers in different areas. The move out of metropolitan areas is not solely predicated on the threat of terrorism, a large portion of it has to do with costs. Bailey also said the threat of rolling brown-outs and other things that arise specific to urban areas make non-metro locations more appealing.
However, regardless of the location, it seems many companies are not sure where to start with their planning. "It's surprising how many companies have no idea, not a clue, what to do. There are more companies that are not fully prepared, but I don't know if all of them can truly recover if something happens," Bailey said.