New Technology, New Risk: Business Continuity Not Keeping Pace in Distributed Systems
- Published on October 26, 2007
Disaster Recovery Program
Specifically, the Vulnerability Index for LANs and data centers has remained stable over the last two years, since Comdisco's last survey. However, the Index for enterprise vulnerability, measuring vulnerability of enterprise-wide computing systems typically linked by wide area networks, points to extreme exposure. The average enterprise Vulnerability Index score (0 being the least vulnerable/100 being completely vulnerable) was 74, compared to an average Index of 60 for LANs and 43 for data centers (see figure 1).
At the same time, there continues to be a decline in the use of centralized computing for mission-critical applications. With the migration of computing away from centralized data centers to other platforms, enterprises are increasingly vulnerable. In fact, the proportion of companies using data centers has declined from 70 percent in 1993 to 61 percent in 1997, while the number of organizations using local area networks has increased from 78 percent to 91 percent. And, multi-location distributed systems are currently in use by more than one-half of the largest computer users. This is an area of expected continued growth and, based upon the Index findings, vulnerability.
Types of Computer Systems Used
Lack of Planning and Procedures
The average annual revenue of companies participating in the Index study was $2.8 billion. Yet, despite their size and the likelihood that they have invested heavily in information technology to support their operations, fewer than half (45%) of companies surveyed have a formal program in place for business continuity for any of their information technology.
As might be expected, data centers are most likely to be included in business continuity programs, with 95 percent of those with formal programs including these systems. Eighty-five percent include their local area networks. However, only about two in three include either their wide area networks or multi-location distributed systems.
Systems Included in Disaster Recovery Programs
Among those with a plan in place
While the statistics are alarming, one of the reasons for the lack of business continuity planning at the enterprise level may be that it appears to be an overwhelming task. Many business continuity professionals will attest that ensuring recovery at the data center level continues to be a challenge, let alone attempting to secure outlying offices. However, despite the size of the challenge, the need will continue to increase.
As a result, business continuity professionals should investigate broad-based coverage solutions to limit exposure for these locations as they undertake the assessments necessary to ensure recoverability at the enterprise level. While business continuity budgets in many organizations are limited (as findings discussed later indicate) and the scope of recovery broader, recovery at the enterprise level should not be ignored. Rather, organizations should examine which activities would best improve their return on business continuity investments. For example, they should weigh the trade-off between investing to reduce their data center recovery time by five or 10 percent and allocating that investment to providing at least a base-level recovery for the company's remote offices.
The absence of even these basic recovery procedures is evident from the survey findings. Two of the most crucial steps in ensuring recoverability are alternate sites and testing procedures. However, in the enterprise-wide computing environment, only one-third of organizations with distributed systems have a written set of procedures for designation of alternative sites or procedures for testing and evaluating their recovery plan for these systems.
Critical Procedures of Disaster Recovery Planning
Plans Lead to Measurably Shorter
Companies with disaster recovery plans appear just as likely as those without a plan to experience a disruption to their computer systems. However, companies with formal disaster recovery programs typically experience significantly shorter disruptions to their computer systems.
Overall, one in two respondents indicate their organizations have experienced a disruption in their computer systems of more than one hour, with 11 percent reporting disruptions of more than 24 hours.
Those companies with plans in place, however, typically had shorter disruptions. For companies with a disaster recovery plan in place, the median length of disruptions was six hours. In contrast, 10 hours was the median length of disruptions for companies without a recovery plan. Just calculating the cost savings of reducing an outage by 40 percent should provide justification enough to begin pulling together a plan to help recover distributed sites.
Data Backup Throughout the Enterprise
While most companies have established backup procedures to protect data in the glass house, procedures for data backup on distributed systems are far more lax. Nearly 90 percent of respondents with data centers indicated that they use automated electronic backups in their data centers. Even with local area networks, 80 percent of companies follow similar backup procedures. However, only two-thirds of companies with multi-location distributed systems have taken similar precautions.
Use of Automated Electronic
Among companies with each type of system
And, even though respondents indicate that nearly all data stored on network servers is protected by standard backup procedures, this proportion only reflects a fraction of all data actually stored in the enterprise. Not only are high volumes of data stored on local and central servers, but an unquantifiable amount of data is kept solely on the hard drives of workstations. By best estimates, only 35 percent of this data is covered by standard backup procedures.
Companies need to take several steps to ensure that their distributed data is backed up, including implementing more stringent guidelines and communicating the importance of business continuity steps, like hard drive backups, to individual users. Fortunately, more sophisticated automated tools are emerging in the market to help companies with the former. Software tools designed to educate end users on business continuity also are emerging. However, in order for any tools to help support the business continuity effort, organizations must first set up programs and procedures under which to implement the tools.
Investments In and Returns On Business Continuity
Vulnerability also can be attributed to a lack of substantial resources and an inability to adequately measure the return on business continuity investments.
The median amount of funds dedicated to business continuity is approximately two percent of an organization's overall IT budget. However, one in five companies allocate nothing for business continuity. In addition to limited financial resources, human resources appear to be limited as well. More than three-fourths (78%) of organizations report they handle disaster recovery planning in-house. The average number of full-time staff dedicated to this function is 1.8. However, 61 percent of organizations do not have any professionals who are fully responsible for business continuity.
Disaster Recovery Budget
As percent of total IT budget
When it comes to return on investment, there is no clear consensus on measurements to demonstrate the effectiveness of disaster recovery programs. Forty-two percent of companies use documented results and a similar proportion (41%) use compliance with regulatory requirements as a key means of communicating the results of their recovery programs. Meeting recovery time objectives is used by 35 percent of companies, and year-to-year cost versus risk comparisons are used by one in four companies. Only 19 percent look to similar firms to provide a benchmark for their performance. Moreover, one in three companies use none of these measures or are uncertain what measures are used, if any, to communicate the results of their organizations' disaster recovery programs.
Measurement Used to Communicate Results of DR Programs
It's likely that business continuity professionals will continue to face an uphill battle in ensuring that they have the resources required to reduce the vulnerability of their organizations. At a time when distributed systems are putting organizations at greater risk, the ability to proficiently use metrics and show ROI for business continuity will become increasingly important.
While traditional metrics, like recovery point objective and recovery time objective, will remain important, other measurement tools are emerging that can provide additional insights. These include measurements on a company's risk tolerance, the operational impact of disaster and total cost of recovery. Armed with this information, companies can help make certain they strategically invest their recovery budgets to shore up areas of vulnerability. Ultimately, the better a company manages and measures its business continuity program, the better the return on the investment.
The Net Next Wave
Just as the use of distributed systems has increased exponentially, the use of the Internet and intranets is following suit. Nearly two-thirds of companies (64%) either use or plan to use the Internet or intranets as part of their day-to-day operations, with 37 percent indicating that they currently use these technologies for mission-critical applications. And, nearly one-half of respondents (49%) believe they will eventually use the Internet as a vehicle for conducting electronic commerce.
However, few Internet or intranet users have made any significant preparations for disaster recovery in the event of a disruption to these systems. Most of the steps that have been taken focus on near-term concerns, specifically procedures for managing short-term outages and ongoing systems to prevent single points of failure. Still, only about one-half of Internet or intranet users have implemented either of these procedures. Moreover, only one-third (34%) have developed alternative network capabilities, and only one in four have testing and evaluation programs for network disaster recovery or have detailed written recovery plans - two of the most critical aspects of any disaster recovery program.
Internet/Intranet Disaster Recovery Procedures Followed
As the Vulnerability Index reveals, the management practices that once supported the data center have been left behind as mission-critical computing systems continue to move out into the enterprise. Standard practices and procedures for business continuity are clearly absent in these new environments.
Businesses that fail to react with swift and significant preparations to ensure business continuity at the enterprise level are exposing themselves to serious loss.
Diane Laux is manager of corporate communications for Comdisco, Inc., Rosemont, IL. Comdisco, a technology services company, is one of the world's leading providers of solutions that help organizations reduce technology cost and risk.