Business continuity: Can you afford to risk it?

The old adage that, when the going gets tough, the tough get going, applies as much to an organisation's IT resources as to its people.

But, despite more than a decade of IT managers being told to plan to protect their IT resources by a growing number of vendors and systems integrators in the business continuity space, many companies remain unprepared for when disaster strikes.

But even for those organisations that have planned ahead in case the worst happens to their IT systems, all is not well. In many companies, for example, wide area network (WAN) throughput is the limiting factor.

In a survey carried out amongst 170 IT managers in enterprise environments earlier this year, on behalf of NetEx, the Storage Technology Corporation spin-off, researchers discovered that business continuity and disaster recovery initiatives are being hindered by WAN throughput.

Throwing more bandwidth at it, researchers found, did not solve the problem.

The 45-day survey asked IT managers about their problems with WAN-based business continuity and disaster recovery solutions.

Soliciting the opinions of end users with a cross-section of network attached storage (NAS), array, server, appliance and intelligent switch-based approaches, the survey focused on topics relating to throughput, transport mechanisms and implementation payback periods.

Sixty-five per cent of respondents said that business continuity and disaster recovery WAN throughput requirements are not always being met, whilst 62 per cent said that enhancing the available bandwidth did not fix the throughput issues they were experiencing.

Researchers also found that more than 60 per cent of respondents said their business continuity and disaster recovery requirements are increasing faster than their organisation's bandwidth can keep up.

A staggering 78 per cent of respondents also said that business continuity and disaster recovery WANs should be able to piggyback on the primary TCP/IP backbone.

The threats you face

Before we look at how to implement effective business continuity in a typical mid-sized company, let's look at some of the disasters that need planning for:

  • Denial-of-service attacks: This is a common problem that has affected Internet-connected companies since 1988, when the first Internet worm was discovered. The problem facing IT managers is that these types of attacks are easy to mount, but their consequences are severe, resulting in denials of service on network connections sharing a company's Internet gateway.
  • Hacker blackmail: An unknown third party claims to be able to disrupt or destroy an organisation's internal IT systems and demands to be paid off. Although such cases are difficult to handle, given the problems of proving or disproving vague claims, this type of blackmail is becoming more common, and is thought to occur more frequently than is reported in the media.
  • Industrial espionage: A direct competitor could obtain details of your business plans and take advantage of that knowledge to out-compete your organisation in the marketplace. This problem is difficult to plan for and defend against, as it usually requires collusion by a company's internal staff.
  • Financial or reputation damage: The frequency of attacks that hurt companies financially or tarnish their reputation is increasing. Well-documented cases include the widely publicised Citibank hack in 1995 and the loss of customer data by a number of e-tailers and their transaction processors.

Non-geographic numbering

One area that is often overlooked when it comes to business continuity and disaster recovery planning is that of telecoms.

Fortunately, thanks to the continuing evolution of the telecoms industry, non-geographic numbers can now be cost-effectively used as part of the disaster plan of even the smallest business.

Non-geographic numbers, when used as a means of routing inbound calls to an organisation, can be quickly and efficiently re-routed in the event that disaster strikes and a new call centre or switchboard brought online.

Although modest up-front and subscription costs are incurred for the use of local rate (0845) and national rate (0870) non-geographic numbers, there are usually no costs associated with the resultant call traffic.

A key advantage of non-geographic numbers is that the actual call route can be changed instantly using a Web-based interface.

In the event that disaster strikes, callers continue to dial the same non-geographic number - only the behind-the-scenes call routing is changed.

Non-geographic numbers can be used to the advantage of even the smallest organisation, but for large organisations, their usefulness really comes into its own, as the numbers can be employed on a more integrated basis.

For example, Computershare Investor Services, the world's largest share registrar group and a major customer of Telewest, recently took the step of moving its inbound telecoms services to non-geographic numbers.

Thanks to the use of 0800 (freephone) and 0870 (national rate) numbers, the company can now re-route its inbound phone calls to a wide range of pre-agreed numbers.

As well as giving the firm greater flexibility in terms of call centre resources to handle its inbound calls, the company can handle just about any IT or similar disaster at the flick of a few switches.

According to Computershare, this flexibility also extends to its international call centres, which can take over the company's UK call centre traffic as and when the need arises.

One of the main reasons that companies are starting to integrate non-geographic numbering into their business continuity plan is the Basel II code on risk management, which comes into force in 2007.

Amongst many IT security-relevant requirements, the code will require financial organisations to comply with stated levels of diligence in the way they assess and manage the risks they face, including disaster recovery.

According to Matt McCloskey, a senior product manager with Telewest Business, following publicity surrounding the imminent Basel II accord, disaster recovery and more effective handling of customer calls have risen to the top of the agenda for many financial organisations.

The insurance imperative

Although many organisations in the UK have been partially or completely ignoring the problem of business continuity for more than a decade, there's now a new imperative forcing IT managers to look seriously at the issue: their insurers.

According to a survey carried out in March of this year by the Chartered Management Institute (www.managers.org.uk), almost a quarter of British firms that have business continuity plans in place cite their insurers as having influenced the decision to implement the plans.

Drawing on responses from 461 managers at UK firms, the survey found that 22 per cent of the companies that reported having business continuity plans were prompted to introduce those programs, at least in part, by their insurers.

John Sharp, the institute's chief executive, said that many managers are now recognising that having business continuity plans can help lower their insurance premiums.

According to Sharp, adopting business continuity management programs can help a company to better predict its maximum possible losses, which in turn helps underwriters to price the risk more accurately.

Sharp also noted that some insurers are beginning to give more favourable rates to companies that have adopted a business continuity standard such as Publicly Available Standard 56 (PAS56).

"And there are some products on the way that link PAS56 to insurance premiums," he said, adding that other key drivers of companies' business continuity plans included existing customers - cited by 30 per cent of respondents - and corporate governance, cited by 24 per cent of respondents.

The institute's research found that 47 per cent of surveyed organisations said they have business continuity plans in place, compared with 46 per cent in 2003 and 45 per cent in 2002.

Of those that have plans in place, 57 per cent said they rehearse the plans at least once a year, which is the minimum number of rehearsals recommended by the Business Continuity Institute (BCI), said Sharp.

Interestingly, however, 24 per cent of respondents with plans in place said they do not rehearse their plans at all, while five per cent do so every three months, 12 per cent every six months, seven per cent every two years and three per cent every three years, according to the survey.

Respondents were also asked whether the rehearsals had revealed any shortcomings in their plans. Of those that conduct rehearsals, 79 per cent said the exercises had revealed shortcomings that were later addressed, while 11 per cent said rehearsals revealed shortcomings that had not yet been addressed.

One area of "grave concern," said Sharp, is the lack of business continuity planning on the part of companies' outsourcing partners.

While 53 per cent of survey respondents reported that they outsource some areas of their business, just 14 per cent of those said they require outsourcing partners to have business continuity plans.

At the Infosecurity Europe show held in London in late April, Siemens Communications' specialist security business unit, Insight Consulting, was busy showing its portfolio of business continuity offerings for mid-sized organisations and upwards.

According to Ian Glover, Insight Consulting's managing director, threats to voice and data networks are becoming increasingly sophisticated, so the need for expertise and proven technology to combat threats to business continuity has never been greater.

Glover says that there are a number of key issues on the business continuity front that, without careful planning, can leave organisations vulnerable to attack.

These issues are: managing employee access rights; telecoms threats; education, training and awareness; and intrusion prevention.

Educate your staff

Insight Consulting claims that the third issue, that of education, training and awareness, is often overlooked in many organisations when it comes to IT security.

Insight's solution is its Community Policy Centre, an intranet-based application that provides a database of IT security best practice and a platform for increasing staff awareness through e-learning.

For an organisation to become truly resilient, Insight says that it must ensure that all staff are familiar with IT security best practice. Having this information to hand at all times therefore helps to ensure that all members of staff are appropriately trained.

Whilst vendors such as Telewest and Siemens can provide information on how best to implement a business continuity plan within an organisation, the DTI (Department of Trade and Industry) also offers an array of information on its web site.

Telewest Business, meanwhile, offers a free audit, via its web site, of your organisation's state of readiness for a disruptive event or disaster.

The integrated state of many organisations' IT resources means that there are no hard and fast rules for all organisations when it comes to business continuity.

What is important to realise is that, as with most other organisational procedures, the implementation of a successful business continuity plan revolves around careful planning, the taking of good advice, and a healthy application of business common sense.

Organisations that follow this approach, and closely tailor their plans to their true needs, will be in pole position in the event that disaster strikes.

From his base in Sheffield, England, Steve Gold has been an IT journalist specialising in communications and security for 22 years, 18 of them full-time.