Ensuring employee safety by rapidly disseminating the right information, and keeping communication lines open in a time of crisis are both priorities for businesses. Traditional solutions for this have relied on the manual ‘call tree’ or ‘phone tree’. Key employees are contacted first to inform them of whatever situation or crisis has arisen, with remaining staff to be contacted as soon as possible afterwards. However, even for smaller organisations of 100 people for example, the manual call tree rapidly demonstrates its limitations. For larger enterprises, there is no doubt – a better solution is required.
If you’ve already experienced a distributed denial of service attack, you may have simply seen it as an attempt to cripple a company or organisation by blocking connections to its servers. Indeed, that’s what DDoS is designed to do. Hackers use a multitude of computers, some without the real computer owner’s knowledge, to generate more traffic than a server can cope with. Legitimate users are unable to connect to the server or experience very poor performance (slow connections). However, a DDoS is often more than a single stand-alone act of cyber aggression. Organisations experiencing this kind of attack should be on the lookout for other risks too.
No news is good news, or so the saying goes. But when equipment malfunctions and services are interrupted, no news can mean intense frustration for customers and end-users. In today’s quality and satisfaction-oriented business world, you might think that major corporations had understood the importance of good crisis communication. And to be fair, many now make efforts to keep customers informed of the causes of business interruption, the solutions being put in place, and the estimated time when normal service will be resumed. That’s what makes behaviour around a recent outage by one of the top IT and cloud service vendors so hard to fathom.
Business continuity problems often carry their own penalty in the form of lost revenue, customer churn and reputational damage. In some cases, outages also mean stiff fines that go beyond the penalties that are part of any service level agreement. Thus, SingTel, the Singaporean telecommunications company, received a 6 million Singapore dollar fine (about 4.81 million USD) from the ICT regulator in Singapore for a breakdown in service in October 2013. The disruption affected government agencies and financial institutions and had an impact on 270,000 subscribers. But what is really behind fining a company whose business continuity fails like this?
Could it happen? With the growing popularity of cloud computing services and the increasing dependence of companies and operations on them, it’s clear that online services need at least a minimum of safeguarding and protection. But aren’t cloud services supposed to be distributed, redundant and robust enough to protect themselves? After all, that’s what many enterprises rely on when they choose the cloud for data storage, backup, applications and databases. The number of high-profile outages suggests that assumption may not be as valid as either vendors or customers would like. A case in point was the recent unavailability of the Adobe CS cloud service and the resulting paralysis of a major media activity in the UK.
Considered by some to be obsolescent, obsolete or virtually flat-lining, tape backup is still around. Even new hard drive technology and solid state storage cannot match its price point per terabyte stored. Now IBM and Fujifilm have pushed the envelope even further with a new tape cartridge that can hold 154 terabytes of data. By comparison, the last time market leader Seagate discussed progress on hard drives in 2012, its objective was a 6 terabyte 3.5-inch desktop drive, with ‘eventually’ a 60 terabyte version. Does this mean tape is once again snatching itself from the jaws of death – or could it be (gasp) that tape is simply better for volume storage?
When hospitals moved from film-based hardcopy systems to electronic images, they began to generate large amounts of data held on PACS – Picture Archiving and Communication Systems. Hospitals use various ‘modalities’ to scan patients, including Computed Tomography, Magnetic Resonance Imaging and Ultrasound systems. These modalities must regularly (and frequently) upload the scanned images to the PACS, where they can be stored, sequenced for retrieval and made available for remote diagnosis. However, a PACS is often a potential single point of failure with inevitable downtime – which is where the DR lessons start.
For some organisations, it’s an explicit legal requirement. For others, it’s the consequence of prevailing laws and regulatory structures. The mandatory requirement defined by the Australian Government for its agencies sets the tone: “Agencies must establish a business continuity management (BCM) program to provide for the continued availability of critical services and assets, and of other services and assets when warranted by a threat and risk assessment.” And for the rest? There’s a strong argument to be made that business continuity management is no longer a choice for any enterprise – and that an obligation for BCM is a good thing anyway.
Server virtualisation, that sophisticated solution for stacking several virtual servers on one physical machine, may mean some sticky times for certain organisations. The underlying idea is attractive: with virtualisation, you can increase operational resilience and efficiency. The bottlenecks arrive when virtualisation either gets out of hand, putting a strain on I/O capability, or when IT staff bump up against a conceptual barrier that blocks additional deployment.
Governance has been a business buzz-word for a while now. In particular, accountability and risk management are two elements regularly in the news. The UK Corporate Governance Code makes the board of a company responsible for determining the nature and scope of any major risks to be taken in order to achieve key objectives. It also recommends ‘sound risk management and internal control systems’. Likewise, the Australian Securities Exchange suggests a ‘system of risk oversight and management and internal control’. So, calling all business continuity managers… does that remind you of anything?
If you look through the literature on disaster recovery, you’ll probably see that practical ideas, recommendations and methods abound – but that theory is in rather shorter supply. This makes sense in that all those IT systems and networks are running now – so if they break, you’ll want some good ‘cookbooks’ or ‘how-to’s’ for mending them rapidly. However, with DR management comes DR planning, which is the chance to step back and better understand the key principles that govern effective DR. The CAP theorem for distributed IT systems is one example. Better still, it’s simple to grasp and has immediate practical application.
Business continuity often inspires a feeling of ‘disaster averted’. In other words, the perception is that spending money on business continuity is really an insurance policy, and as such brings no positive benefit, but helps to avoid negative outcomes. It’s true that this is an essential role. As its name suggests, the avoidance of business discontinuity or interruption is inherent in the pursuit of business continuity. However, business continuity can and should have a net positive effect as well.
As business shifts more and more to the Internet, enterprises find themselves increasingly driven to provide better access to their IT systems. Webpages with dynamically generated content were a first step, allowing users to retrieve specific information they wanted using their browsers. But now business partners may want more, meaning automated extraction of information from your enterprise databases. Business continuity says to be wary of giving outsiders access to your systems. But business continuity also says that without retaining strategic business partners, your company may not survive.
Risk management software identifies the risk associated with different assets. It then communicates this information to the enterprise concerned, for example through business dashboards displayed on screens. While risk is a factor for every organisation, some are bound by regulations to practice and demonstrate good risk management. Banks are a case in point: they must have enough cash in reserve to cover expenses if issues such as IT failure or fraud affect them. Consequently, many software vendors have produced risk management software or integrated it into their product lines. But does that mean that enterprises are obliged to use such software?