5 Foolproof Security Steps

Feb 01, 2003 10:30 PM

How much do you care about your company? You may reflexively search for the most diplomatic answer to that question. But when security issues are involved, truth is more important than tact. The ability of a company to respond to a disaster directly reflects on how much management cares, and has cared, about the organization. When a business experiences serious adversity, management clearly demonstrates its real agenda. Those companies with clear priorities and solid plans will survive the disaster much better than those that are unprepared or uncaring.

Often, disaster recovery (DR) — or business continuity planning (BCP), as it is sometimes known — is confined to the tactical backup and recovery of plant, equipment, and information. Although these steps are important, it is imperative that tactical DR/BCP be put in perspective. Your top three priorities when planning for disaster need to be:

  • taking care of your employees and their families;

  • addressing the unique needs and concerns of your customers and investors; and

  • reestablishing normal operations as quickly as possible.

Inevitably, how well you handle the first two determines how well you can handle the third. Your preparedness on all three will determine your company’s chances of survival.

1 Leadership Role

PROFESSIONAL SERVICES firm Marsh & McLennan Co. recently exemplified both caring and preparedness in its recovery from the terrorist attack on the World Trade Center on Sept. 11, 2001. How the company responded to this disaster, in which it lost nearly 300 employees, is eloquently described by CEO Jeff Greenberg in the October 2002 issue of Harvard Business Review. Marsh & McLennan faced this unimaginable catastrophe head-on. Armed with great leadership, great people, supportive customers and investors, and good plans, the company addressed the needs of the business in a balanced and sensitive way.

Another example is a manufacturing client of ours whose 200,000-sq.-ft. facility literally burned to the ground. This firm was a multi-generational family business, and the owners faced many very difficult decisions. The first thing they did was to ensure that every employee was OK — physically, emotionally, and within their capabilities, financially.

After taking a deep breath, the owners decided to rebuild. Buoyed by local government, clients, and key employees, they were able to reopen a state-of-the-art facility within a year. The best news: They rehired 98% of their original employees!

Certainly, there are many other examples of recovery, some good and some not so good. The point is that you must first instill a strong corporate culture, one that supports your people and stakeholders, if you are going to have any chance at all at getting through the physical recovery.

A statistic from one research firm suggests that 93% of businesses that lose their data center will file for bankruptcy within one year. That is a startling number. But the question that must be asked is this: if these companies were as inattentive to their employees and customers as they were to their information plants (and there is likely a correlation), how much at risk were they anyway, disaster or not?

So, in addition to a strong culture, what are the attributes of the great companies of tomorrow? And what does this have to do with disaster recovery? Generally, tomorrow’s great companies will have a high number of knowledgeable people, working in a technologically interconnected way with strategic trading partners (customers and suppliers alike).

2 What You Know

TO SIMPLIFY and realize its vision, your company will depend increasingly on people and technologies that you do not control. This both broadens your exposure to disasters (their disasters become your disasters) and makes recovery from them even more complicated. Let’s take a closer look at this scenario.

One key ingredient of a great company is the knowledge of its employees. For years, businesses have used technology to replace clerical labor and move more and more people to empowered, knowledge-based skills. As this trend continues, it becomes more important to know what everyone knows, and to know how your clients value each person’s knowledge.

It is also important for you to identify those people outside your company that you depend on — suppliers, outside consultants, and advisors. As we outsource more specialty skills, these people become part of your “virtual company” and are as important to your success as your own people. Knowing who they are and what they contribute is essential.

Consider investing in knowledge management software, an emerging technology that aims to keep up with your company’s intelligence. KM systems have the potential to become an invaluable inventory tool for a key intangible asset: knowledge. If the unthinkable happens, and you lose one or many vital employees or outsiders, the ability of your company to recover is greatly enhanced if you know what you lost.

3 Make the Connection

THE OTHER KEY INGREDIENT of a great company is how well it integrates its information with data from its strategic trading partners. Leading economists cite “connected businesses” as the largest beneficiaries of the next and most influential wave of productivity gains over the next decade. Today’s preeminent vehicle for connecting businesses is, of course, the Internet.

Currently, there are four primary ways in which we use the Internet to connect with other companies. Your use of each will vary by trading partner (customer or supplier), with one extreme being informative but not critical, and the other extreme being strategically critical.

E-mail is sometimes a casual exchange of information (e.g., order status), and sometimes it is critical (details of the order). As we become more and more dependent on e-mail, fail-safe systems to carry our electronic messages become more essential.

B2B transactions take place when your computer “talks” with the computer of your trading partner. Also known as EDI (an older standard), B2B transactions are reaching new levels of efficiency and effectiveness. One of the greatest benefits derived from the dot-com experience is the availability of extraordinary tools to handle large volumes of transactions over the Internet. If you are not yet sending or receiving B2B transactions, you soon will be.

Extranets are separate Web sites intended to connect strategic trading partners to share information. One company we know, a multimodal logistics service provider, set up an extranet to capture shipping details from various carriers and provide its customers with up-to-the-minute shipping information. This site is expanding to integrate with its customers’ ERP systems, and even with the receiving systems of its customers’ customers.

Web services are Internet-based applications that enable you to operate more efficiently and stay up-to-date. Examples are parcel carriers’ shipment tracking systems and credit card verification services. These systems provide immediate information at a very low cost. It is likely that you already are dependent on several of these and aren’t even aware of it.

Simple Math for Disaster Prevention

  Total Exposure: $160,000
  Probability of loss: 10%
  Exposure: $16,000
  Prevention factor: 1:16
  Prevention Investment: $1,000

Here’s the rub. Using the facilities described above, businesses will increasingly integrate with each other by expanding their use of the Internet. But couple this increased dependency with the likelihood of the Internet becoming the target of a disruptive terrorist attack, and, well, you get the point.

4 The Five P’s

THE PRODUCTIVITY GAINS required to be competitive (knowledge workers and the Internet) entail a greater risk of exposure, and this exposure means racing head-first into a world with more, and more diverse, threats. So just how do you respond to this world? You start by getting your DR/BCP house in order.

What constitutes a cost-effective, yet comprehensive disaster recovery plan? It should not be much different from any other part of your company’s operational plan. A DR/BCP plan incorporates the traditional elements of risk assessment, cost evaluation, preventive measures, and tactical planning.

A simple formula for DR/BCP is to address each of these five P’s:

  • Plan
  • Protect
  • Prevent
  • Prepare
  • Practice

The elaborations that follow will focus on your information plant, but these steps are equally applicable to planning for your people and your facility.

Plan for a big problem

Disaster planning is a business decision, not a technology decision. Non-technical managers must work alongside IT managers to craft effective and affordable IT plans.

One client of ours in WTC Tower 7 did what I consider a great job of planning, but realized mixed results. First, the firm gave careful consideration to all of the relative risks and costs. For its front-office operation, it invested a considerable amount in an emergency off-site disaster facility. However, for its back office, the company “invested” only in storing backup tapes in an off-site safe, nothing more.

When 9/11 hit, the company’s front office was able to resume operations without missing a beat. The back office needed to locate office space, computers, and everything else. The backup data? Well, the safe they used was in the basement of Tower 2! Who would have thought…? Still, the company’s basic plan was an effective one, and the situation was resolved.

Take protective measures

While this may seem obvious, simple protective steps can save enormous amounts of time and money. Installing a firewall and reputable virus detection software, and ensuring that there are no holes, will keep your information reasonably safe. But you have to keep everything up-to-date — don’t ignore the programs after you put them in.

We had a client that put in an elaborate firewall. Months later, a need arose to gain outside access to some specific data, and the firewall was compromised. The risk/reward balance was clearly misaligned, and the company was at great risk until it implemented a more thoughtful approach. Many cost-effective alternatives are available today. Don’t neglect to consider them.

Also, keep in mind that virus protection software is good only if it is current. Be sure to implement policies to keep every server current and require everyone to update their workstation; and then check periodically to make sure everyone complies. However, even all this doesn’t guarantee safety. One of our clients, an application service provider that operates servers for business customers, provides a first-rate facility, packed with emergency power, regular backups, redundant servers, and so forth. The ASP was well shielded and vigilant about virus protection. Still, it got hit, and spent the better part of a day recovering.

Prevent mishaps

Disasters come in many forms. Some you can prevent, some you can’t. A preventable disaster is losing a critical server (even for a day or so) because of hardware failure. Today’s computers are configured with redundant everything. Make sure your critical servers are robust.

But what if you lose power or your building is compromised? An off-site server that you can switch to immediately is a good solution. One approach that works well is to have two duplicate servers, one at your site, and one at an off-site facility. You can perform standard incremental backups each night (over the Internet), and do a full synchronization from tape each weekend. If your local server ever fails, you simply switch to the other one.

Be prepared

Once you have a tenable plan, you need to implement the new systems and processes that go with it. Certainly, this may include acquiring and installing new hardware and software. But it also includes documenting and educating everyone about the most critical points of business exposure.

New emergency procedures need to be written and communicated. Keep in mind that an emergency may not be just physical, it may be informational.

Practice to get it right

When we were kids, we practiced fire drills. Believe me, they are still important. A simple, but true, story illustrates the point.

One of our clients recognized the need to back up company information, and installed a new tape backup system and procedures. Every night the backup ran, and every morning the tape was safely stored. When we conducted a recovery exercise, we found the backup tape was blank. A change had been made to the database that caused an error on the backup, and no one knew. Have a fire drill — frequently.
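
A scheduled restore drill is what catches the blank-tape failure described above. The following shell script is an added example, not part of the original article: it assumes tar archives and a sha256sum utility, and its function names and paths are hypothetical.

```shell
#!/bin/sh
# Restore drill for the "blank backup tape" failure mode (constructed example;
# function names and paths are hypothetical, not from the article).

# make_backup SRC_DIR ARCHIVE
# Records a SHA-256 manifest of every file, then writes the tar archive.
make_backup() {
    src=$1; archive=$2
    ( cd "$src" && find . -type f -exec sha256sum {} + ) > "$archive.manifest" || return 1
    tar -cf "$archive" -C "$src" . || return 1
}

# restore_drill ARCHIVE
# Succeeds only if the archive is non-empty, extracts into a scratch directory,
# and every file named in the manifest comes back with the recorded checksum.
restore_drill() {
    archive=$1
    [ -s "$archive" ] || { echo "FAIL: $archive is missing or empty" >&2; return 1; }
    [ -s "$archive.manifest" ] || { echo "FAIL: manifest is missing or empty" >&2; return 1; }
    scratch=$(mktemp -d) || return 1
    status=0
    if ! tar -xf "$archive" -C "$scratch" 2>/dev/null; then
        echo "FAIL: $archive does not extract" >&2; status=1
    elif ! ( cd "$scratch" && sha256sum -c >/dev/null 2>&1 ) < "$archive.manifest"; then
        echo "FAIL: restored files do not match the manifest" >&2; status=1
    fi
    rm -rf "$scratch"
    return "$status"
}

# Stand-alone use from a scheduler: sh restore_drill.sh ARCHIVE
# A non-zero exit is the alert that nobody got in the story above.
if [ "$#" -ge 1 ]; then
    restore_drill "$1" || exit 1
    echo "OK: $1 restores cleanly"
fi
```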

5 The Big P

BY FOLLOWING THE FORMULA of the five P’s, you can attain the one big P: peace of mind. While there is no bulletproof guarantee of safety, you will have at least done your requisite homework and be in a much better position to pass the disaster test, should your company be faced with that challenge. It is during our most trying times that we, as individuals, come face to face with our personal priorities. The same is true for companies, except that the company’s priorities reflect the consensus of management. Given the world as it is today, and how it will function in the near future, managers have an inherent responsibility to understand their company’s exposure to threats and to ensure their ability to survive. Employees’ livelihoods, if not their lives, depend on it. Now, more than ever, keep in mind the famous line from “Hill Street Blues” — be careful out there!

Joe Lewis is president and CEO of Westport, CT-based NorthStar Technology, which specializes in aligning technological plans with operational strategies. He can be reached at (203) 226-7548.