The business disruptions the Sept. 11 terrorist attacks against the U.S. caused have highlighted the need for companies to have plans to recover from disasters and continue operating, a panel of Gartner Inc. analysts said Monday.
These disaster recovery and business continuity plans must not only be drafted once, but reviewed, tested and updated periodically, the analysts said.
While having these plans in place and backing them up with the necessary products and personnel will cost money, being caught unprepared during a crisis is a risky and unacceptable choice that could lead a company towards ruin, they said. Being prepared for a disaster is bound to yield an improvement in overall efficiency, they said.
And once a company ramps up its security policies and establishes sound recovery plans, it has to keep its guard up.
"Make this heightened state of security the norm. Don't go back to a state of complacency," said analyst Donna Scott.
Clearly, the worst effect of the Sept. 11 attacks was the tremendous loss of life they caused. It is estimated that about 6,000 died.
The effects on business were also significant. Global telecommunication was seriously affected, including Internet communications, due to a sudden increase in traffic and to the destruction of equipment. Companies with offices in the World Trade Center lost computer equipment, and with it, any data that hadn't been backed up elsewhere. They also had to relocate workers and shift operations to other offices.
The aftermath of the attacks showed that many companies affected by them didn't have multiple-scenario plans -- the ability to deal with several disruptions at the same time -- said analyst Roberta Witty. The spread of the Nimda virus followed the attacks and some companies didn't have the capability to deal with that problem while handling the effects of the earlier crisis, she said.
As evidenced by the mad scramble to get in touch with those possibly affected, the Sept. 11 attacks also proved that companies must have procedures in place to contact and account for employees in a time of crisis, Witty said. Companies should also include in their recovery plans information about how local, state and national government agencies respond to disaster situations, she added.
A situation that paralyzes air travel also shows that companies should have back-up and recovery sites far enough from their main sites for safety but close enough to be reached by car or train -- between 20 and 50 miles, Witty said. On a related note, companies should strive to have a decentralized staff, so that if one site is affected, others will be able to continue operating.
With further terrorist attacks against the U.S. a likely possibility, companies must be very vigilant and careful about the employees they hire, said analyst Richard Hunter. The biggest threat of an attack against a company's computer systems comes not from an outside hacker but from malicious employees intent on harming their company, Hunter said. Thus, companies must do thorough background checks on potential employees, especially if those employees are going to have access to critical data and systems, he said.
Ultimately, the process of recovering from a disaster and getting back to business must be a shared one. Thus companies must collaborate with their suppliers and partners to make sure they will all respond effectively in a crisis. A company can be fully prepared to deal with a disaster, but it will not be able to get back on its feet if one of its key suppliers is unprepared, the analysts said.
The Gartner Symposium ITxpo ends on Friday. More information can be found at: http://symposium.gartner.com/news/index.html.