Most companies lack plans for surviving a major IT disaster, such as a hacker attack or server theft. But, reports Christine Seib, a few sensible precautions will save your business from missing a beat.
Eternal optimists run UK businesses. More than 90% of them were hit by the fuel crisis last year, according to research by the Business Continuity Institute. More than 60% felt the pinch of rail problems and flooding. But are they worried about it happening again? Seems not, as only 45% have taken action to reduce the impact of another fuel crisis and 16% and 23% respectively have prepared for further rail and flood difficulties.
Similarly, experts report there is a distinct lack of contingency planning by UK businesses for IT crashes. Even worse, the insurance industry is a particularly chronic offender.
One business continuity and disaster recovery expert says some big insurers tend to be in denial. "Because of the nature of their industry, they know major incidents are very rare," he says. "Unfortunately, it doesn't work like that. If you're the unlucky one in 1,000 that gets hit, it's too late."
However, the Turnbull report, which came into effect last year, made this kind of attitude unfeasible. It specified that all public companies must have a risk management strategy, including a disaster recovery plan. Non-compliance must be disclosed in a company's annual report and is likely to attract customer, shareholder and press criticism.
Of course, given the things that can go wrong with an IT system, failing to plan for a disaster is foolish as well.
Roger Butler, a director responsible for computer and technology risks at loss adjusters GAB Robins, says business system failure is very common and small accidents cause just as much damage as fires, bombs and floods.
"One simple thing that causes major losses is having an air-conditioning plant above the computer room," he says.
Butler also warns firms that their computer systems could be highly desirable to thieves. "The current trend is for Sun Microsystems servers, which are very sought-after by the criminal fraternity. They take armed gangs in and hold up the night watchman, so they can export them to countries with trade embargoes against them," he says.
If that isn't enough, there is also the danger of hackers, says e-security expert John Leach of Global Integrity.
"When your business is online, you need to be open for business 24 hours a day. If you get a security attack... the impact starts to be felt from the moment the attack starts and the more important the internet is to your business, the more critical it is to get back in control and online quickly," he says.
However, a few common-sense steps can ensure a company's recovery from an IT disaster is much speedier.
Business Continuity Institute (BCI) chief executive officer John Sharp says the most important thing a business can do is to decide which parts of its IT system are key, and how long it could survive without them. The BCI has published the Business Guide to Continuity Management to help businesses answer these questions. It has been supported by the Association of British Insurers, the Institute of Risk Management, the Chartered Insurance Institute and Zurich Insurance, among others.
After deciding which parts of its IT network are vital, a business must decide if it wants a hot, warm or cold back-up site.
Butler says a hot site, the most expensive option, is usually a mirrored system on a completely separate site, administered for the business by a disaster recovery company. "You get your staff in a mini-bus, go over to the other site and carry on," he says.
A warm site, which companies usually share, comprises alternative premises and some computers, so data that has been backed up on the main site can be installed and work can continue. A cold site is an alternative office that is wired to take phones and computers, but the firm must hire new equipment before installing its back-up and continuing.
After this, it is time to start thinking about the data back-up itself. Is it kept off site? Is it done daily or weekly and tested regularly? Is the transfer of the data to the back-up system rehearsed regularly? Do you have the staff to maintain and operate the new system?
Continuity Systems director Ian Charters says it is also important to consider designing a software system that allows manual processing, so work can continue even if the new system is not up and running immediately. He also warns against overspending on inappropriate technology. "There's no point in spending huge amounts on the latest equipment if you can survive without the system for a week," he says.
Finally, don't forget the basics, such as listing the phone numbers of the people who will make the decision on what to do in a disaster.
This may sound self-evident, but there is a cautionary tale to be told. A big City firm was hit by fire, but had fantastic back-up data and premises. Unfortunately, no one told the receptionist, who told callers the business wouldn't be back up and running for months.
Word spread quickly and the calls soon stopped coming in. It was one big business brought down by one small omission.