We have all watched with great concern over the past several years as an increasing number of natural disasters continue to strike our fragile environment. These disasters have caused significant damage and loss of life. They include flood, earthquake, tornado, lightening and even the death/disability of key staff. Of course there are many non-natural disasters as well. These can include fire, terrorism, viruses, hackers, human error, intentional (disgruntled staff), electrical surges and hardware failures.
We have come to rely on our computer systems and the precious data they contain to the extent that if any of these events occurred in our area our livelihoods could be prematurely terminated. For example, consider the operation of a hard disk drive. The ‘heads’ that read digital data from the spinning platters actually float above the platters like an air hockey puck on an air hockey table. The constant operation of the hard disk drive can provide for failures termed a ‘crash’. This can certainly be a disaster if the critical data contained on the crashed drive cannot be easily recovered. Consider these stunning statistics:
- Only 6% of companies suffering catastrophic data loss survive, while 43% never reopen and 51% close within two years – Source: University of Texas
- Roughly 70% of all successful attacks on computer networks were carried out by employees and insiders – Source: IDC Market Research
- 42% of attempted recoveries from tape backups in the past year have failed – Source: Microsoft Research
- Over 34% of companies do not test their backups and of those that tested, 77% found their tape backups failed to restore – Source: Storage Magazine
- 71% of all tape restores fail – Source: Gartner Group
Disasters are unpredictable by definition. They are also self-multiplying – like rabbits. One disaster frequently leads to another and so on. The natural types are certainly more prevalent. According to the World Almanac and Book of Facts, there were twice as many earthquakes in the 80’s and 90’s as the two proceeding decades. And, the 2004 hurricane season was the 4th worst in recorded history according to the University of Missouri-Columbia Climatologist. I suspect the 2005 season will easily be the worst. The trends in all reported events have more than doubled again just since the year 2000 according to the Centre for Research on the Epidemiology of Disasters. This is not to mention non-natural disasters which are not tracked but can be just as devastating. At the heart of these types of disasters are people. Whether intentional or not, lapses in judgment or just plain human error can create significant stress when data has been destroyed or compromised especially if that data cannot be restored.
In recent years, I have been personally notified on two occasions by organizations I would place a high degree of trust in that my personal information had been compromised. One incident was the loss of a hard disk in transit by a well-known shipping company and the other by theft of hard disk media. I can tell you from personal experience the feelings of vulnerability that accompany correspondence like that. Worse, I would hate to have to send such a letter to my clients.
Another well-known example happened in 2006 as a Providence health care systems analyst left a computer bag in a locked car which was stolen. The bag contained 10 computer disks and eventually it was discovered that those disks contained more than 365,000 patient records. That lapse in judgment was costly – in the millions of dollars for Providence health.
The widely publicized Conficker virus is estimated to have infected over 10 million of the world’s computers. This particular piece of malware allows the hacker to literally view your keystrokes/inputs – go to your bank online and enter your username and password, your keystrokes are mirrored on the hacker’s screen. The goal of these individuals is to steal your money. It is estimated that the average income for some of these perpetrators is $30,000 monthly. Many are celebrated by their communities as shrewd business people who have successfully stolen money from greedy Americans. And, many write their malware from information published by Microsoft and other software vendors in the form of security bulletins intended to warn and provide correction for discovered security holes in their software.
Recently, news reports have highlighted the problem with hard disks inside of multifunction copy/scan/fax machines that are retired. With little effort, images of documents stored during the machines use are pulled from these hard disks. Used machines sell for a few hundred dollars with the real value contained on the internal hard disk.
Of course the best way to plan for a disaster is to avoid it altogether. You’ve most likely already implemented some processes to avoid potential disasters. For example, security systems and fire alarms on office buildings, security policies on critical data and backup processes to quickly recover from equipment failure. In addition, most of the computer hardware prevalent today have facilities for redundancy of critical components like hard disk drives and power supplies.
Hosted vs. Managed
There are two options for accounting firm networks. Either they can manage all their data processing i.e. purchase and maintain servers or related network equipment/software or they can have these facilities hosted – the so-called application service provider or ASP model. Many firms are opting for the latter, the advantage being outsourcing of data protection and backup. The disadvantage to the ASP model is the provider may not offer all the applications the firm needs or may be unwilling or unable to configure the applications they are hosting to the firm’s requirements.
Preparing for potential disaster is often procrastinated. This is a natural human tendency. It’s one of the important but not urgent activities. However, failure to prepare guarantees confusion and chaos if a disaster actually hits.
Consider the cost of un-productive staff for a period of say four days. Let’s say the firm has 21 staff billing at an average of $100 per hour and realizing 50% of that time. (I realize I’m being conservative in my assumptions). So 32 hours of downtime multiplied by $1,050 per hour (21 times $100 times 50%) equals $33,600. The value of that downtime can provide significant prevention resources. Think of how much you’ve paid insurance companies over the years – it’s the same principle. Perhaps you should afford more prevention than you think.
At a very minimum, you should evaluate your processes internally or have an outside security consultant perform an audit on an annual basis. You should also consider how the following techniques are being employed in your firm:
- Encryption – this is the process of scrambling the digital ‘bits’ of data such that they are unreadable by any device that does not have the associated decryption ‘key’. In the Providence example, had those 10 disks that were stolen been encrypted the notification to affected patients would have contained a huge mitigating statement of comfort that the data could not be read because the disks were encrypted.
- Backup – tape which has historically been the backup medium of choice has outlived it usefulness. Your current system should include a disk based backup device which greatly improves reliability and speed. In addition, modern disk based backup systems provide for encrypted backup images or snapshots, the ability to virtualize a backed up server from the image, perform ‘bare metal restores’ to dissimilar hardware and the capability to transfer encrypted backup data to offsite data centers. This removes the human error component of taking data offsite to protect against a facility and/or geo disaster.
- Data destruction – whenever a device is retired, all digital data its hard disks may contain should be systematically wiped by utilities designed to render it unrecoverable.
To begin your preparation for disaster, designate individuals in the firm to represent the rest by evaluating the extent of the exposure and designing a remediation plan. Think about the types of natural and non-natural disasters that you are subject to and plan for each one in detail. Take notes as you discuss what your response would be in each disaster scenario and then build your response plan based upon this brainstorming. Then plan to test your plan with other co-workers. Remember, a written response plan isn’t really effective unless it’s been tested and kept updated. In your plan, assign priorities to functions as follows:
- Critical – Full recovery required within 24 hours (example: email communications)
- Urgent – Full recovery required within 72 hours (example: file and WIP/billing access)
- Important – Full recovery required within 30 days (example: employee records)
- Other – Recovery not required or recovery beyond 30 days (example: client files more than 7 years old)
For additional resources, see the following web sites:
Federal Emergency Management Agency – www.fema.gov
US Department of Homeland Security – www.ready.gov
American Red Cross – http://www.redcross.org/portal/site/en/menuitem.d8aaecf214c576bf971e4cfe43181aa0/?vgnextoid=a7c51a53f1c37110VgnVCM1000003481a10aRCRD&vgnextfmt=default
Small Business Administration – http://www.sba.gov/services/disasterassistance/index.html