The drive to maintain a 24x7 IT facility coupled with zero tolerance for disruption in customer service has put data security at the top of every CEO's agenda. For a select few of the biggest corporations, who have the resources to build multiple redundant sites, this problem is manageable. For the vast majority of companies, however, the drive to ensure business continuity in the face of disaster still remains elusive. The "priority one" level of attention that the Y2K countdown has been receiving is due, in large part, to our awareness of the precarious nature of our dependency on IT functions.

Companies' primary attempts to stave off the effects of disaster predominantly focus on technical and logical failures, leaving themselves vulnerable to a wide array of physical threats. Consider the findings of a recent survey of Chief Information Officers by Ernst & Young LLP/Information Week. It reported that 52% of companies surveyed experienced information losses due to security failures and disaster in the past two years and the majority of those were caused by malicious acts by insiders and/or natural disasters. Technical security techniques include uninterrupted power sources (UPS), temperature and humidity controls, redundancy, redundant synchronistic site mirroring, etc. Logical security, where companies continually strive to protect the integrity and security of their business functions, incorporates significant backup procedures, encryption and anti-virus "firewalls", and recently, software programs that manage to proactively "trap" hackers.

What is Security?

Without a complete security plan that includes physical security, companies remain extremely vulnerable to disastrous environmental and human factors. These forces include fire, water, smoke, heat, humidity, acrid gases, dust, radio frequency (RF), electro-magnetic impulses (EMI/EMP), vandalism, theft/burglary, and unauthorized access.

To fully appreciate the exposure to physical threats and the expense of reclaiming a business, one must examine a multitude of factors. Reconstruction of an IT facility and systems that have been customized to particular business functions requires substantial time and expense, even if the equipment needed to replace lost hardware is readily available. More likely, with the almost immediate obsolescence of hardware and software, the process of reconstructing a "like" or "just as efficient" IT facility to the one that was lost can take a minimum of several months. During that time companies must depend on what was their redundant site to now serve as their primary site, leaving them unprotected for an extended period. And even with redundancy, if the technology employed at the redundant site has not been kept current with the technological upgrades at what was the primary site, the old redundant, now primary site runs with dramatic inefficiencies. The situation is, of course, even worse if the company relies solely on a data backup system without redundancy for its contingency planning. In such cases, companies face the risk of being out of business until a physical system can be procured or a contingency site becomes available. For companies that have plans to use a contingency site, one further word of caution: relying on a contingency site is an objective that may be shared by other companies in your area. When a disaster strikes, such facilities only accommodate those in need on a "first come, first serve" basis. Thus, another company or companies may already occupy the contingency site you were depending on, and you will have nowhere to go in the event of a broad-based, regional disaster such as a hurricane or a flood.

Of equal importance is the risk management issue of how quickly companies can re-engage the productivity of their hardware, data and personnel after a disaster hits. In fact, statistics by Price Waterhouse Coopers reveal that 90% of all companies that experience a computer "disaster" with no pre-existing survival plan go out of business within 18 months.

Insurance coverage, unfortunately, does not begin to account for the hard and soft costs associated with a disaster, and claims are not normally settled until long after the funds are needed. Further, coverage cannot recover against such things as goodwill, market share, and damage to a company's reputation. Nor does insurance account for the loss of productivity and IT employee time that is consumed in rebuilding rather than updating or beginning new projects. Insurance calculations estimate the cost of reproducing lost data at approximately $1200 per megabyte. This is magnified even more by the fact that businesses are running on terabyte capacities. Even at these levels companies are still only backing up on a weekly basis, rather than daily. The severity of the financial risk involved between backups can be staggering. One only needs to multiply the number of megabytes generated in six days and twenty-three hours to calculate the cost if the disaster should hit.

What many security measures fail to take into account is the need to take precautions that will eliminate the threat of disastrous events in contiguous space. A fire or other event on the floor above, or next door, could be just as serious as one in one's own office. For example, according to the Fire Analysis and Research Division of the National Fire Protection Association, more than a thousand structure fires a year are reported to US Fire Departments as originating in electronic equipment rooms or areas. While an F90-rated wall theoretically prevents the spreading of flames, it does not protect against the other consequences generated by fire, such as smoke, acrid gas, fire fighting water from sprinkler heads and hoses, or heat, all of which can contaminate and destroy IT equipment. According to industry standards the performance of any manufacturer's hardware will become invalidated once the temperature around the equipment exceeds 158 degrees. At hotter temperatures plastics, a major component of most computers, will melt, releasing dangerous hydrochloric acid into the air and through the equipment.

Companies wisely want to fully protect the investments they have made in the availability, continuity and performance of mission-critical IT systems. The first step in the process is to conduct a risk assessment that consists of determining what needs to be secured, the sources of risk, the probability of occurrences and the costs of remedies. In most cases, physical security can be accomplished at a fraction of the cost of building and maintaining redundant sites. In fact, it is a nominal investment when it is integrated with the construction of a new facility.

Security is Physical.

In an attempt to accommodate the growing concern about physical security, the construction industry has responded by manipulating the resources that have been traditionally made available and by augmenting the conventional application of these building materials with extra layers of sheet rock and humidity barriers installed between fire rated walls. Though certainly a step in the right direction, these materials can lead key executives into a false sense of security because, in reality, these measures are inadequate. Yes, an F90 rated wall will protect one room from flame spread. But only if the sheet rock is fully installed from floor to ceiling, slab to slab, between rooms. But sheet rock does not protect technology from the reaches of heat, or smoke, or acrid gas. The methodologies employed for the construction of a company's general office space, conference rooms, kitchens, boardrooms, are insufficient when applied to building a data or communications specific facility. To properly integrate the disciplines needed to construct a fully secured IT environment something more than the simple manipulation of conventional building materials is required. What is needed is a specific IT infrastructure that completely protects the integrity of a facility against the very real threats posed by environmental hazards and human ill will.

Instead of relying on traditional construction, companies throughout Europe are turning to "Modular IT Environments" to specifically contain their IT systems. Such Environments maintain the integrity of an IT facility by creating a hardened spatial envelope that surrounds technology and strictly manages all of the penetrations that must occur in every data environment. These facilities are not static areas that simply house technology. Instead they are interactive environments that are equipped with an intelligence interface monitoring all of the activities that go on both in and around the Modular Environment. The modular design of these Environments provides the flexibility to accommodate any size facility ranging from 100's of square feet to 1000's of square feet large. The goal is a cohesive system of interdependent components that collectively function to surround and contain sensitive technology, preventing the failure of this technology due to any influence, human or environmental, that would otherwise cause the system to crash and vital data to be lost.

A functionally efficient IT plan consists of all three pillars of security: technical, logical, and physical. Private companies as well as public ones have a fiduciary responsibility, if not to their investors then to their customers, to see that their information technology, data and communications receive the maximum amount of physical protection available.


Jerry Lyons is the President and CEO of US Operations for Lampertz, the worldwide maker of the Modular IT Environment, a premier security product which protects a company's communications, data and IT systems. Headquartered in Germany, Lampertz's IT physical security products are well known throughout Europe, South America, and Asia.

This article was printed in Volume 13, Issue 1.