Disaster Recovery Plans and Systems Are Essential

Two out of five enterprises that experience a disaster — such as the World Trade Center attack — go out of business within five years. Business continuity plans and disaster recovery services ensure continuing viability.

On 11 September 2001, a series of attacks destroyed the World Trade Center in New York City, seriously damaged the Pentagon in Washington, D.C. and destroyed four commercial airliners. The secondary effects of these attacks included serious disruptions in the communications and business operations of many enterprises.

Enterprises everywhere struggle to deal with the enormity of the human toll taken in the recent terrorist attacks and will rightly be preoccupied for several days with ensuring that their employees and their families are safe and cared-for. After these necessary first steps have been taken, however, enterprises must make practical decisions to ensure the continuity and viability of their business operations. Gartner estimates that two out of five enterprises that experience a disaster go out of business within five years.

The events of 11 September 2001 — and the previous terrorist attack on the World Trade Center — show that enterprises that do not have a business continuity plan, and one that is tested regularly, will be drastically hampered in their ability to recover from a disaster of this magnitude.

The experience of one of the leading vendors, Comdisco, underscores the mission-critical nature of these steps. Comdisco reports 35 of its customers (including retail, investment and foreign banks, insurance providers, a media company and a major trading exchange) have declared disasters requiring the invocation of their disaster recovery plans. The company is engaged in recovering the following platforms: Sun Microsystems, HP 9000, Tandem, Compaq/Digital, RS/6000, AS/400, Intel server and mainframe. It is also recovering 2,500 seats at its workspace recovery facilities in New York City and Carlstadt, N.J., which are near capacity (overall, Comdisco is at 30 percent capacity.

These Comdisco customers declared almost 70 schedules covering platforms and workspace, the greatest number of simultaneous recoveries in Comdisco's history — up from 26 during Hurricane Floyd in 1999.

The disaster declarations accelerated rapidly on 11 September:

• 9:02 a.m. Eastern time: First declaration
• 10:00 a.m. Eastern time: 21 declarations
• 11:00 a.m. Eastern time: 40 declarations

As of 12 September, 30 Comdisco customers were in the process of recovery, and Comdisco anticipated that all 35 would be in recovery by the end of the day. (The delay was caused primarily by restrictions on transportation leaving New York City.) Comdisco reported that it had already recovered 45 terabytes of data as of 1:00 p.m.

Comdisco anticipates some additional capacity requests over the next few days but does not anticipate many new disaster declarations. The company has had to relocate some customers to alternate Comdisco recovery sites, due to heavy demand in the New York City area. The company reports that its affected clients have well-established electronic storage of vital records, have implemented business continuity/disaster recovery programs and perform regular testing. This is particularly important for enterprises that had facilities at the World Trade Center because — unlike the earlier bombing of the center, in February 1993 — the latest attack destroyed the buildings, and therefore all records and systems contained in them.

Enterprises must begin preparing for the possibility — indeed, the strong probability — of further such attacks. If these enterprises do not immediately begin developing and testing business continuity plans and seeking disaster recovery services, they risk complete loss of their business viability when — not if — a future attack comes.

Analytical Sources: Roberta Witty and Donna Scott, Information Security Strategies