Vulnerability awareness improves contingency planning



Computers & Security, 9 (1990) 309-311

Vulnerability Awareness Improves Contingency Planning

Charlotte Klopp

California earthquakes, South Carolina hurricanes and fires on Wall Street have all added up to a year of disaster for U.S. businesses and a booming market for those administering data center disaster recovery services.

Players in this growing market agree that it takes such crises to shake company executives into the realization that losing access to their computers will make them vulnerable to an even greater disaster: loss of profits. A disaster recovery service is insurance, and information and security managers don’t want to pay for it, try not to think about it and hope they’ll never have to use it. But the service could save a firm from going out of business if ever put into play.

Fire is the leading cause of individual disasters that have destroyed a company’s computer system, followed by natural disasters and computer sabotage including viruses.

Even when the risks are understood, disaster recovery is usually an unbudgeted expense that corporate executives would like to avoid and so are willing to take the gamble. The cost of a back-up plan can reach as high as U.S.$30 000 per month for users of high-end IBM mainframes. A midrange system averaged U.S.$2000 to U.S.$6000 per month.

John Knight, a security systems engineer for Lockwood Greene Inc. of Spartanburg, SC, whose business has doubled in the last two years, said the variety of disasters, from viruses to hurricanes, is increasing company awareness of its vulnerability. “Having a disaster recovery plan in place is immeasurable in its benefits, and the pay-off begins immediately. If you have a body guard, how many times have you had to use him,” he said, saying that a program is both preventative and reactionary because it deters some types of disasters such as disgruntled employee offenses.

Knight’s “threat and vulnerability analysis” evaluates a firm’s most crucial areas of business that might include material processing, research papers, products and personnel. His consulting company then explores disaster recovery options that may include the elaborate services of a professional firm, or more creative and cost-saving options. One such option allowed for a data processing center to use the facilities of a college “down the road” which had a similar operating center, Knight said.

0167-4048/90/$3.50 © 1990, Elsevier Science Publishers Ltd.

Even with the potential threats to data centers, to have a disaster recovery plan in place is low on the priority list of many corporations until a disaster hits, said Dan Bowers, president of Randallstown, Maryland consulting firm Bowers Engineering. “More often, we get phone calls after an incident has occurred,” he said. “Few companies can fully recover if their data centers are hit by floods, fire or explosions,” he said, yet a large majority of firms still have no plan in place. “It takes money to have a back-up plan and in most cases, a plan is never needed,” he said. But when a disaster causes the loss of computer access, some companies can’t even open for business.

Reaping the benefits of a growing awareness over the last couple of years is LDI Disaster Recovery Corporation, one of the most rapidly growing firms in this industry. LDI Disaster Recovery Corporation experienced a 30% revenue jump last quarter compared with the same quarter in the previous year. The U.S.$30 million subsidiary of LDI (Leasing Dynamics Inc.) provides hot site and cold site capabilities at its Solon, OH, center.

Disaster recovery is only about 15% of LDI’s business, regional sales manager Derrick Robinson said. But analysts have said they consider the small subsidiary (in business since 1981) one of the hottest growth areas of the 1990s. Because it is an expensive business to be in, LDI has consolidated its efforts with the purchase of Corporate Contingency Services, another disaster recovery firm, in March of 1989. “You have to have deep pockets in this business, and be able to offer multiple locations,” Robinson said. “It’s easier to buy an existing account with an existing account base.”

Officials at Comdisco, the U.S.$340 million disaster recovery giant, agree that having multiple recovery centers is important in attracting new customers. The Rosemont, Illinois-based firm has reinvested over U.S.$220 million into recovery facilities in the last 10 years, and a cool U.S.$84 million will go back into the company’s business recovery facilities this year alone.

Comdisco had eight of its 1500 customers “ring the bell” of disaster in the last year alone, marketing manager Scott Rumer said. He attributed successful recovery measures to the firm’s wide pool of recovery sites, 25 nationwide, and said, “We handled the companies just fine, and could have handled a whole bunch more.”

Officials of Comdisco’s biggest competitor, Sunguard Data Systems Inc., disagree that multiple locations make for a successful organization. Vice president of product development Bruce Battjer said the Wayne, Pennsylvania-based firm has made a conscious decision to limit itself to four recovery centers in order to provide a quality operation. The U.S.$20 million Sunguard reinvested into the 12-year-old company last year did not go into new recovery centers but toward new technology and equipment of its current centers. “There is no need to have a hot site in every city,” Battjer said. “We concentrate our resources so in each center we can handle any problem coming down,” he said.

One of the newest trends in disaster recovery services is to provide networking capabilities within recovery centers so users can use any center and still link up to appropriate systems. Now only the nightmare of widespread disaster haunts the disaster recovery executive. For this reason some services limit the number of customers in a given location.

LDI has a limited capacity for the “disaster latent areas” of the country, Robinson said. “If an earthquake hits, we could have 20 clients call us, and there’s no way we could service them all.” LDI has limited its customer total to eight in Northern California and eight in Southern California because of the state’s high probability of earthquakes.


Computers and Security, Vol. 9, No. 4

Sunguard guards against overcapacity by limiting the number of customer contracts to one per business building.

El Camino Resources, a Northridge, California-based third-party lessor of IBM and DEC new and used hardware, attaches a disaster recovery guarantee along with all of its leasing agreements. The firm’s disaster recovery manager Michael Nemiroff said the U.S.$175 million disaster recovery services firm is the only one to offer hot and cold sites along with guaranteed equipment replacement within five working days.

This equipment replacement guarantee is similar to arrangements IBM and DEC have made to their customers. Nemiroff said DEC’s contracted recovery plan for computer replacement following a disaster situation is comparable with El Camino’s pricing, but only replaces its own equipment, and does not guarantee the equipment in five working days. A midrange agreement with El Camino costs from U.S.$2000 to U.S.$5000 per month. High-end systems start at U.S.$5000 for monthly subscriptions.

DEC and IBM maintain that the advantage to using the in-house disaster recovery services of the two computer giants is that customers receive specialized customer service and repair of equipment. “We can offer solutions for software and networking problems that require DEC’s expertise,” said DEC recovery services manager Robyn McHugh.

Some firms are looking to bypass some of the costly expense of disaster recovery by leaning on each other rather than professional disaster recovery professionals. Under a plan entitled the Mutual Assistance Pact, or MAP, four financial firms in Minneapolis have set aside competitive instincts to help each other out. The plan ensures that if a member’s switch fails, one of the other three will act as a host to provide 300 live telephone lines within eight hours.

One legal glitch the firms had to address early in the process was the Glass-Steagall Act, which prohibits firms from co-owning common equipment. After almost two years of working through the problem, group members worked out a lease for access with vendor Collins Communications Systems Inc., which maintains, tests and houses the equipment off-site.

The group shared an initial cost of U.S.$150 000, which splits monthly consultant, vendor and maintenance fees. Officials of the firms said MAP’s success is its low fees. One executive said instead of paying thousands of dollars per month for a disaster recovery plan, the firm is paying hundreds of dollars. A fire that destroyed a bank in downtown Minneapolis in 1982 sparked the idea for the pact. The telecommunications managers realized they were not prepared to offer users back-up telephone services in the event of a similar catastrophe.

Secure Data Network, Inc. of Los Angeles, CA, offers a low-end security solution via file back-up. After a merge with Arcus this week (February 26) the on-line back-up and retrieval firm is expanding services to include hot and cold sites. President John Golfis said recently the firm assisted a company that experienced a virus intrusion, which he said can shut down an entire database. “Within a couple of hours we had the firm’s data back in place.”

Because the company operates through standard phone lines to compress files automatically and encrypt them using Defense Department-approved data encryption standard level security, Secure Data Network recently added cellular modems and RF modems. This will ensure data can transmit if phone lines go down during a disaster.
