A catastrophe occurs, data destroyed! Are you next?
Hurricane Sandy, Black Forest Fire, 6.0 Earthquake Hits Napa Valley: Major disasters hit large population centers, and businesses are damaged and even destroyed. Even after these big events, many of which make international headlines, many companies still keep all of their corporate data in the same building and, in many cases, in the same room.
No matter what the business goal or high-level requirements, organizations need to take action — smart action — to protect critical data. While this may sound like common sense, it’s surprising how often companies fail to perform even the most basic protection.
Almost all companies have a policy to cover disaster recovery, a general phrase to cover the need to restore data in the event of problems. In reality, disaster recovery is part of a larger concept that includes high availability and business continuity. All of these concepts revolve around two basic ideas: recovery point objective (RPO) and recovery time objective (RTO).
There is a trade-off between the possibility of data loss, the recovery time, and the cost. Certain businesses require high availability, the idea of almost zero data loss, and almost zero downtime. Examples include financial industries, healthcare, and most organizations that use transactional actions in data processing. In other words, any time one has a need to track an action from start to finish, there must be a way to have near zero data loss and, more often than not, no downtime.
Business continuity is a step down in both RPO and RTO from high availability. The idea here isn’t about instant recovery; it’s about making sure the business can continue to function after a catastrophe strikes. VMware and similar technologies that use redundant infrastructure do an excellent job of providing business continuity; the key is how this environment is set up and over what distance, if any.
Disaster recovery covers both high availability and business continuity. Disaster recovery can also simply include a copy of data that is on tape or a storage area network. The key question here: where does that data reside? Having a copy of the information in the same location as the source data offers no protection against almost all major catastrophes. This “old school mentality” really only protects a company from power outages, data corruption, or system-related outages. Does your company implement this simple disaster recovery method?
Hurricane Sandy devastated the East Coast in 2013, and several hospitals were directly affected. One facility, a customer at the time, closed its doors after the storm due to massive damage. I remember their data center was in the basement and the water went up to the fifth floor; everything in the data center was destroyed. Without off-site data storage, this hospital would not only be out of business, they would also have no way of depleting their accounts receivable to get paid for services provided.
While working with a global storage provider that was a couple of miles from the most devastating fire in Colorado history, I discovered that they had no data protection outside of their server room. If the building had caught fire, like so many others during this catastrophe, this company would have gone bankrupt. Data is key; protecting it is essential.
The recent 6.0 earthquake in Napa Valley shows that it is not only private industry that needs to understand and implement realistic and feasible disaster recovery; government must do the same. When certain disasters strike, they can affect our infrastructure, including gas, electricity, and transportation. Computer systems run large numbers of critical systems, including transportation signals, lighting, and gas and electric power for the population. Without proper disaster recovery with the required RPO and RTO, a community can be severely impacted. Government cannot consider only physical infrastructure when preparing for a disaster; it must also understand the impact of information technology.
A major impetus for this article is the discrepancy between what a company believes it has in place and what truly exists. Many organizations, often up to and including board requirements, create extensive disaster recovery plans. Unfortunately, there is often a significant variance between what the company says it wants and what actually exists. Third-party audits are critical to help close this gap. However, before that audit can occur, leadership must be aware of and acknowledge the gap. Education is key: know there is a problem and take action!