Think before pink: Cut IT now … and pay later

Downturn, slowdown, meltdown: Call it what you will, but the current economic crisis is placing almost unprecedented pressure on companies to cut costs. One key area in which resources are becoming stretched is IT—the consequences of which might only become apparent when disaster strikes.
By Mark Roberts, Lawyers Weekly December 8, 2008

Downturn, slowdown, meltdown: Call it what you will, but the current economic crisis is placing almost unprecedented pressure on companies to cut costs. One key area in which resources are becoming stretched is IT—the consequences of which might only become apparent when disaster strikes.

With the outlook for the world economy continuing to look bleak, many organisations are predictably taking a hard look at their IT expenditures to identify projects that can be cut or deferred. The reality, however, is that business needs for available data and regulatory compliance obligations do not decline in step with an economic downturn.

“Focused on short-term pressures to make budget cuts, it often escapes companies that disaster preparedness needs may actually be greater during times of economic duress,” says William DiMartini, senior vice president of consulting services at U.S.-based SunGard Availability Services .

“For example, many organisations are reducing costs by consolidating equipment, but because of compliance and a plethora of other requirements, data must still be retained—even with a cap on spending.”

The bottom-line consequences of failing to maintain an effective business continuity plan are indicated in a study undertaken by Suncorp in the U.K., which found that just a third of small- to medium-size enterprises (SME) are now taking active steps to ensure their business will continue to operate normally in the event of a disruption.

From those surveyed, 40 percent said a computer hardware failure or malicious attack on their systems would be detrimental to their business, while only 10 percent said they would be able to function as normal.

In the U.S., an annual study on business continuity and disaster preparedness by AT&T found that in 2008 one in five businesses do not have a business continuity plan in place. Arguably of even greater concern is that for the third year in a row the study found that nearly 30 percent of U.S. businesses do not consider business continuity planning a priority.

AT&T canvassed the views of IT executives from companies throughout the U.S. that have at least (US) $25 million ($39 million) in annual revenue, and found that two-thirds predict hacking will be the biggest threat in the next five years. The next most frequently cited threats are internal: accidents (56 percent); sabotage (47 percent); and remote workers (44 percent). Further, while six out of 10 companies have made some type of business change in the past year, only 28 percent updated their business continuity plans.

The risks they run are acute, and graphically highlighted in the 2007 Best’s Underwriting Guide by AM Best , which revealed that only 6 percent of companies that suffer catastrophic data loss survive, while 43 percent never reopen and 51 percent close within two years of the disaster.

According to DiMartini, a veteran of more than 20 years in disaster planning and recovery, when reviewing corporate IT programs, there are three core issues integral to optimal preparedness:

1) What are the risks?

2) Which programs must be maintained and how can they be most effectively maintained?

3)

Make risk assessments a priority

“As organisations are challenged to scrutinise how to spend their dollars, conducting availability risk assessments to identify vulnerabilities can provide excellent guides on how to determine budget priorities,” DiMartini says.

However, he says it is essential to measure and assess three major areas: information security—covering policy, procedure and regulatory response; information management—examining program controls, flow of information and continuity of services—and information architecture— looking at network and facility design, environmental infrastructure and system design.

Keep essential programs going

Typically, during an economic downturn, internal IT resources become stretched. This leads to companies looking for outside support to fill gaps to get essential work done and still save money. One key area in which third party providers can have positive input is maintaining and testing disaster recovery plans.

Importantly, disaster recovery plans need to be viewed as ongoing programs—not projects that can be put on a shelf for a year.

Another area that often faces cutbacks in tight budgetary times is recovery environments. However, when companies are pressured to scale back an IT recovery site it often leads to the recovery installation not matching the current production environment.

The result is that critical applications can no longer be supported at recovery sites. To address the issue, companies can leverage third party-managed services that host secondary applications at a third party site and protect data with disaster recovery solutions.

Keep abreast of changing technology
As is well known, many organisations are now moving to virtualisation technologies to generate IT cost savings by consolidating servers and storage.

But moving to such environments with untested plans to recover data should an unplanned outage occur can turn a problem into a disaster that impacts on an entire company.

“Data managed by virtualised systems still needs to be accessible,” DiMartini warns. “Business continuity plans need to be updated to account for virtual environments to assure information availability.”