Disasters only happen to other companies - or so many businesses without disaster recovery plans appear to believe. Yet computer viruses as well as floods, fires and bombs can all too easily spell the end for the unprepared.
Fires, bombs, floods and explosions are the stuff of any manager's nightmares. Perhaps that is why most prefer to spend their waking hours thinking about more everyday issues such as sales, profits and product development. Yet disasters do happen, and they can have devastating consequences for business. Almost half the companies affected by the World Trade Center bomb in 1993, for example, subsequently collapsed.
Even if a company is not immediately destroyed, a disruption often takes its toll later. Following the San Francisco earthquake, for instance, some 75% of the businesses which stopped trading and then got back on their feet, subsequently went out of business during the following 18 months. Of these, 80% were small companies.
Of course, far less dramatic events than bombings can cause serious business disruption, especially if computers are involved - a fire in the computer room, a virus on the network or even a software programming error. At best, these erode productivity and customer service, at worst they may make it impossible to take orders, provide the service or product, process invoices and make payments, effectively closing down an organisation.
A recent study by Safetynet, the UK-based disaster recovery company, shows that only 8% of companies survive a major computer incident if they have taken no precautions.
Large corporations have been swift to recognise the dangers. A survey by IBM shows that the number of big organisations with a minimum IT budget of £100,000 for a business recovery plan has risen from 57% in 1993, to 88% in 1996.
But the underlying picture is less favourable, IBM says. Four out of 10 recovery plans are based on manual procedures. Only 5% of companies have contingency plans for their PC networks, and, although 91% of companies claim to take the issue seriously, only 63% include it on their boardroom agendas.
The situation is even more worrying among smaller companies which, because of their size, are more vulnerable. Many have not yet woken up to the risks, preferring to think it won't happen to them. 'Some organisations see disaster recovery as an overhead which contributes nothing to the bottom line,' says Allen Johnson, Safetynet's managing consultant for business continuity plans. As an example of corporate ambivalence, Johnson tells how one manager claimed that his building had never been hit in 25 years, unaware that the previous week there had been severe flooding on the second and third floors. Because he was on the fifth floor and used the lift, he didn't know anything about it.
Other risks are increasing. Take stealing, for example. The proportion of companies reporting computer thefts has doubled since 1994 according to the latest survey by the National Computing Centre (NCC). But at least with theft, the loss is usually immediately apparent.
One of the most pernicious sources of damage today is computer viruses: segments of software that hide in programs and data where they can corrupt or destroy information. Research by the US-based National Computer Security Association (NCSA) gives some idea of just how destructive viruses can be: 81% cause loss of productivity, 71% lock out PCs, and 59% corrupt files. And the scale of the problem is vast: for every 10 PCs in the US, companies experienced 4.6 virus infections a year. In the UK, the NCC report also identifies viruses as a major problem. Some 80% of the organisations it polled had experienced a significant breach in security during the past two years. More than one-third reported one or more virus incidents.
The average cost per incident it put at close to £10,000, with a total cost to the UK of £1.2 billion - a large proportion of which was spent on reconstructing data.
Traditionally, viruses were spread manually. People took disks home in the evenings to work on spreadsheets or word-processing documents. The same home PCs were used by children to run borrowed or free games disks which might have been infected with a virus. Once the infected disk returned to the office, the virus was transferred onto corporate networks.
During the past couple of years, however, the explosion in online communications, e-mail and use of the Internet, has put companies far more at risk. Nick Davies, software brand manager at IBM UK, says: 'Now that people are getting online, infection is much faster.' Moreover, the virus authors are using the Internet to share tips worldwide and are becoming more sophisticated.
Research by IBM shows that between three and five new viruses are unleashed onto the Internet every day.
The latest strain is so-called macro-viruses which are able to hide behind the scenes, for example in the template section of a word-processing document, so their existence is not immediately apparent. Many mutate, in a similar manner to their biological counterparts, and take on a different form with each infection. One of the most rampant macro-viruses, Concept, affected more than a million machines in one month last year.
The havoc that can be wreaked by viruses is well known to the US bank, National City Corporation. Last year, the bank ended up spending more than $1million (over £650,000) recovering from an infection that crippled its business within hours of first appearing. Thanks to rapid action by an anti-virus team at IBM, an antidote for the previously unseen virus was found within hours. But reconstructing the systems and getting back to normal operation took five days. Every hour of downtime typically takes five hours to overcome, says Safetynet.
Physical barriers and procedures can minimise the exposure to such threats.
Norwich Union, for example, protects against viruses by requiring anyone bringing disks into their buildings to test them on one of the barrier machines sited in the foyers. This measure helped detect around half the 130 viruses that found their way into Norwich Union during 1996. The other half, which came in electronically, for example, via e-mails, were detected using anti-virus software. The software deploys advanced techniques to spot new strains of a virus not seen before. Security specialist Richard Burrows is confident that most anti-virus products will cope with 99% of the currently active strains but is cautious about the future. 'At the moment I don't see anything really frightening out there, although of course that could change tomorrow,' he says.
Other precautions are largely a matter of common sense. At the Savoy Group, IT director Clive Taylor sees water flooding as one of the biggest risks. So it makes sense to avoid siting taps above or adjacent to computer rooms. On the other hand, at Airdrie-based whisky distiller Inver House, a sprinkler system was installed after the new computer room was engulfed in flames, with fire doors completing the protection.
It is also essential to take regular back-up copies of data. Larger companies and financial institutions often transmit their data to a remote secure vault or even run parallel systems linked by high-speed private networks so they can recover from a crisis without losing data or time. The Savoy, for one, sends daily and weekly updates to other hotels in the group which includes Claridges, the Berkeley and the Connaught.
Smaller companies, however, have an alarming tendency to neglect back-up. 'Failure to take back-ups is probably the single biggest cause of problems among small businesses,' says Roderick Jones, co-founder of The Trust Group, an IT consultancy co-operative.
Of course, you cannot anticipate every eventuality. One company found its PCs devastated by flooding caused by a disaffected employee who set off the sprinkler system before leaving. A stray paper-clip caused all the trains in southern Finland to be halted for an hour when it fell into the keyboard of the back-up traffic-control computer - once the back-up failed, the main computer ordered all the trains to stop.
When such a random disaster strikes and your computers are out of action, you may need temporary access to a replacement system. Enter the fast-growing disaster recovery industry, which offers clients duplicate computer systems on separate sites or mobile units which can take over in times of crisis. Safetynet, which specialises in medium-scale IBM computers used by clients such as The Savoy, has several locations throughout the UK ready and waiting to run should one of its clients hit problems. If disaster were to strike at The Savoy, for instance, Taylor would be able to take his back-up data tapes from one of the other hotels, load them onto the Safetynet computers, and continue to run core business applications such as payments, reservations and invoicing systems. The sites offer desks, phones, office equipment and even kitchen facilities so that administrative or accounts staff could move in if necessary while the hotel's system was being restored.
Such services can rescue you from the worst, but they don't come cheap.
Costs vary from several hundred to several thousand pounds a month or more. Laura Ashley paid Safetynet almost £500,000 to provide full back-up for its critical retail, manufacturing, warehousing, distribution and general business systems. BZW, the global investment banking arm of the Barclays group, stumped up a similar sum for consulting services to 14 of its sites in the Asia-Pacific region. The contract includes devising plans to withstand dangers ranging from major technology failure to volcanic eruptions and tidal waves.
Costs vary hugely, depending on the level of cover provided. As with everything, it is worth shopping around, but the one way to decide what to spend is to work out what would be the consequences of a disaster in terms of lost revenue and inability to provide customer service.
This was the method adopted by Taylor at The Savoy. 'Unlike some businesses where people go home for the weekend, we have guests arriving at all times of the day, 365 days a year,' he says. 'Our computers are never switched off - if they aren't up and running, we can't provide the service our guests require.' Activities such as taking reservations, checking guests in and out and paying suppliers are all critical. The attraction of a company such as Safetynet, says Taylor, is that 'in addition to having all the hardware, it also has knowledge and expertise which should help bring back our system as soon as possible'.
A final world of warning for the better prepared corporates. Don't rely on too formalised a plan of action: this is rather like thinking that if you've read The Highway Code, you can drive a car. The trouble with a detailed plan is that people tend not to read it, says Michael Bland, a crisis management expert, or they stick it on a shelf and forget what it says. 'Besides, in a crisis things are different from what you expect, they don't go according to plan.'
Bland instead advocates training people to behave more like a rugby team where each individual can pick up the ball and run with it, and people are flexible so they can stand in for each other. Your worst nightmare could still come true, of course, but at least in real life, unlike in dreams, you can be prepared.