Transcript: Disaster Recovery

This transcript is from a PodTech.net podcast at:
http://www.podtech.net/home/technology/1886/disaster-recovery

Guest: Laurel Burton - Qwest
Guest: Stephanie Balarous - Forrester Research
Host: Paul Lancour - PodTech

Paul Lancour - PodTech
Welcome to the Qwest Podcast. I'm Paul Lancour. Today, we talk about disaster recovery, what you need to know and do to be prepared. We will be checking in with the Qwest Senior Product Manager Laurel Burton, but first I spoke with Stephanie Balarous, Senior Analyst in the Computer Systems Research group at Forrester Research. I asked her why Risk Management and a Business Continuity Plan should be a top priority for an organization today.

Stephanie Balarous - Forrester Research
There are several reasons and in fact there are many reasons. The first reason is in some cases you have to sitting here in North America, there's a number of government regulations from (Inaudible) to HIPAA, which is Health Insurance Portability and Accountability Act and some of these regulations explicitly state that you actually must have a business continuity or disaster recovery plan in place or some of them eludes the fact that you need to be able to insure the integrity and the authenticity of the data. The second reason is, it's increasingly becoming a requirement to business with other partners. Partners could be your suppliers, they could be your service providers, they could be financiers, other individuals, any kind of external third party that you interface with, to conduct business.

So, those partners are actually increasingly requiring proof of business continuity plan readiness from any one that they want to do business with. So, those two reasons are some of the external forces that are making people put a business continuity plan in place, whether they want to make the investment or not. The next reason is more -- if we kind of like look at the news, there is definitely sense of heightened risk out there. There's always reports about hurricanes and tornados and earthquakes.

So, there is just generally a perception that the risk from natural disaster is increased or even like man-made events such as terrorist events or even intentional man-made events like chemical spills, et cetera. So, much more risk than there ever was in the past. We operate in a business environment where there's a lot more accountability than we ever had in the past.

So, if you do share a responsibility to your shareholders, your customers, your employees for business continuity plan readiness. Failure to have a plan in place is actually considered pretty poor management practice today. There's competition so, increasing measure downtime in terms of lost revenue, but it's more than just like lost revenue, it's also lost customers who damage your reputation etcetera so, especially in this age where you're operating 24x7, downtime isn't as acceptable or you really don't have as much time to recover from the disaster, as you would have had in the past. So, those are kind of the key things that are driving people to really put a plan in place.

Paul Lancour - PodTech
So, what elements should an organization be taking into consideration when formulating its Business Continuity Plan?

Stephanie Balarous - Forrester Research
So, there is actually an industry accepted method to Business Continuity Plan. There are three phases. Usually you do a business impact analysis where you actually identify your critical business processes that need to be projected and all the dependencies that they rely on from IT assets to people. Then you need to figure out what are you at risk of? Is it natural disasters, man-made disasters, could be things like civil unrest, there is a whole host of things that you could be at risk at and often it's the things you haven't thought of that usually cause the downtime, things like power outages, network outages, etcetera. Then the last thing is to actually develop the plan itself and there's definitely 'n' number of key elements that need to be in the plan.

So, the first thing is your communication plan, so in the event of a disaster how are you going to communicate with employees, to tell them where to go, to find out their status and on an ongoing basis to relay information to them about the status of the company. There are things about your strategy for a Local site hardening, that I mentioned like power outages and network outages, most common causes of downtime can actually be avoided. So, there is a number of preventative steps that you can take to avoid the most common causes of downtime, like having backup generators, having redundancy in your network. Reinforcing the physical integrity of the building itself, so you can survive with minor earthquakes. Then you need to make a decision about the technology itself.

So -- and also site selection, so site selection do you even have a secondary site or do you potentially need to turn to a service provider, who can essentially host a secondary site for you. Then the technology selection, given the criticality of business processes which are sensitivity to downtime which are sensitivity in data loss and then based on that, you need to work with technology providers and your service providers to select the replication technologies, that'll support those objectives. Then the next thing, is actually document the plan, that's one thing that lot of people don't do is actually document the plan, then communicate the plan to key executives, to key line of business owners, obtaining the plan, especially like as you make configuration changes to your environment or in the business changes. It's something that you don't want to just like put down on paper and then put on a shelf to kind of forget about.

Paul Lancour - PodTech
This should be an ongoing process.

Stephanie Balarous - Forrester Research
Yeah, it's ongoing. Most enterprises, large enterprises anyways actually have a formal Business Continuity Plan or that might actually have a small team that often reports into a CIO or CTO kind of group. They're responsible for developing the plan and keeping it updated on an ongoing basis and the last thing is testing.

So, I would actually say right now Forrester estimates that 50% of the enterprises have a plan and 50% don't and even if the one's that have a plan -- they don't often actually test the plan. If you're not testing your actual ability to recover from a disaster on a regular basis, then you're probably not in good shape. In some surveys that I've run, like most people rated themselves pretty low on the ability to actually recover from a disaster, even the ones that have a plan in place and I think that has to do with the fact that people don't test it on a regular basis. So, it's usually not until the disaster actually occurs, that they actually find out whether the plan that they put into place is actually ...

Paul Lancour - PodTech
That is the ultimate test of their plan, I suppose?

Stephanie Balarous - Forrester Research
Right, but the testing should be quarterly, I would say most people do it annually. A lot of firms don't do it at all.

Paul Lancour - PodTech
So, if someone who are interested in getting more information about this -- what kind of resources could you direct them to?

Stephanie Balarous - Forrester Research
Yeah, there are actually a number of free resources. There's a lot of industry, journals and industry websites like Disaster Recovery International, which is drii.org, the Disaster Recovery Journal, which is drj.com. A lot of those sites can provide just essential information about Business Continuity Planning basics. Some of them even provide templates for Business Continuity Planning. Some of them when it comes to actual technology selection will actually give you RSP examples. So, those are definitely some free resources that are available. When it comes to Business Continuity Planning, there's actually software, if you don't want to try to maintain it yourself like using basic Microsoft office tools.

So, there is also software out there, there is consulting services from management consulting firms like as large as Deloitte and Accenture to the actual technology and service providers themselves, that can also provide services. When it comes to the local thread assesment, if you're tying to get historical information about your potential risk for certain hazards like a hurricane, for example, you try going to a FEMA Website, there's a lot of government resources that have that historical data, that'll help you do that local threat assessment yourself.

So, FEMA has a lot of information, the US transportation department has a lot of information about concentration of rail and trucking and aviation as well as documentation on things like chemical spills. So, you're between those two things you can get a sense of natural disasters as well as man-made disasters for your area.

Paul Lancour - PodTech
Great, that's a lot of valuable information. Thanks a lot Stephanie.

Stephanie Balarous - Forrester Research
Thank you.

Paul Lancour - PodTech
Stephanie Balarous is Senior Analyst in Forrester's Computing Systems Research group. Now we turn to Laurel Burton, Senior Product Manager for Qwest. She says that often it's the thing you haven't thought of, that ends up being disastrous for your organization.

Laurel Burton - Qwest
As much as, we all what having it's usually the items that you haven't planned for, that are the ones that you do experience from a disaster scenario. It's just the way it is, In fact, I got some interesting statistics in terms of what really do become the most common disasters scenarios. Interesting statistics from Business Interruption Insurance that came out late in 2005 and the stats remain throughout even today. The number one reason that an organization experiences in the disaster event is due to power.

That's over 70% of the time its this power related issue, power is followed by computer hardware problems, followed by telecom failures, software, human error rounds that at about 35% of the time, lightning storms, floods, fire explosions and in dead last would be hurricane at less than 10%. So, as you can imagine, it's the ones that you don't think that are actually the real culprits. Some of the examples of types of disaster events that you probably don't think of are items such as fires, flooding, (Inaudible) events, hailstorms, power outages that we've touched before, human operator error, technology failures, application failures, loss of a data processing resource or even loss of access to a processing resource.

Some of them are unique ones we've run across in the few last years. Number one has to be rodent, we wouldn't have put rodents on a typical list of disaster event types. However, we do have an example of a squirrel that came into an attic, ate throughout power line and wound up taking out an entire data centre.

Paul Lancour - PodTech
Where did that take place?

Laurel Burton - Qwest
It took place in the North West, actually. Squirrel died and the company didn't fare much better, to be honest right here. Another example would be toilet overflow, I mean who would have thought that would make a list of disaster events, but if you are in a multi tenant building -- perhaps a high rise, for example, you need to make sure you understand who your tenants are above you and below you. In this particular example, one particular company had their data centre and it just happened to be that that data centre was directly underneath the tenant above them, who had restrooms right there. So, the tenant above experienced the flood because of a toilet overflow and it did in fact flood the data centre directly underneath.

Paul Lancour - PodTech
Well, given this list of possible events, given the fact that it is the event that you don't think of that is likely to become a disaster for you, given that rodents and overflowing toilets could be a problem. I think when devising a disaster recovery plan, it can be really overwhelming. It's the way to aggregate all of this information and organize it in a way that can make it a little bit more approachable.

Laurel Burton - Qwest
Well, absolutely and you heard from Stephanie, the typical flow of disaster planning and that's what I would recommend is that first and foremost have a plan. We find a majority of customers still today do not have a business plan. It's certainly one that's effective enough to actually help them survive a disaster event. So, number one, get the plan, you can get that by hiring a DR consulting firm or by trying to do it yourself or by trying to take advantage of various software choices, but you have to have the plan first, from the plan, then you can stem in to solutions in terms of your IT organization, your network the Wide Area Network and Local Area Network, the data, the data flow and an archival of that data, phone systems, call centers etcetera.

Paul Lancour - PodTech
So, if I'm in a business that is preparing its disaster plan and I come to Qwest, what is it that Qwest offers me?

Laurel Burton - Qwest
Well, we try to educate our customers and ourselves frankly in six key areas that we feel you want to make sure you're protected on. I'll list out for you these six key areas and then I will provide you a list of the services that we provide. To compliment that in other words, to address those six areas. Number one: build a plan. Build your BC/DR plan, number two: every customer needs to makes sure they're protecting their IT environment, number three: we want customers to make sure that their data is protected, number four: offering protection of your network whether it's the Wide Area Network or your Local Area Network, number five: be sure to protect phone systems and call centers and number six: protect your work place.

Now, those are those six points of life so to speak, key areas customers want to protect themselves and correspondingly, our business protection services portfolio, offers numerous services to address those six areas. So, if I can just list those out real quickly. First one is consulting. Qwest does offer its own BC/DR Consulting Practice to help you build your plan, additionally from an IT perspective Qwest offers a full service hosting company with 14 centers nationwide, restoration and recovery services everything from cold to hot services and its full portfolio of security.

In terms of protecting data, we can offer storage, utility storage, utility tape, data replication and archiving. From a network perspective, we certainly can offer you all sorts of network diversity options then serve as a primary that are known as backup network provider. From a phone systems perspective, we can offer voice over IP, hosted voice over IP, call routing and call center solutions and from a workplace perspective, we can offer all sorts of remote access options and mobile recovery units are placed to locate your personnel in the event of disaster.

Paul Lancour - PodTech
If our listeners want additional information, where would you suggest they go?

Laurel Burton - Qwest
Well, you have a couple of options, number one feel free to contact your local Qwest Sales Representative, here, she would be happy to pull in our hosting and disaster recovery expert to assist you further. Your other option is to visit us online at www.Qwest.com and once you enter into the site, go to the business site whether you are enterprise business, large business or small business. You can enter in and search for hosting and business protection services, both of those items will be listed and we'll be thrilled to tell you more about our products.

Paul Lancour - PodTech
Great, thank you very much Laurel.

Laurel Burton - Qwest
Thank you.

Paul Lancour - PodTech
Laurel Burton, Senior Product Manager with Qwest. That does it for this Podcast on disaster recovery, remember that the Qwest services described here in may not be available in all areas, other restrictions apply. Go to Qwest.com for more details and thanks for listening.