Smaller Companies are Preparing for Disaster Too, Study Shows
Published: June 13, 2006
by Alex Woodie
A recent study of companies' disaster preparedness by SteelEye Technology found that smaller companies are implementing business continuity plans complete with remote hot sites almost at the same rate as larger companies. The software vendor's study also found that terrorism barely registers as a concern among North American companies, which are much more concerned with power outages. European companies, on the other hand, consider terrorism a greater threat.
SteelEye Technology is a Palo Alto, California, developer of data replication and clustering solutions for Linux and Windows servers. The vendor and a high availability-related Web site, Continuity Central, teamed up late last year and in early 2006 to ask 184 executives and IT technicians about their companies' business continuity (BC) plans and their views on the potential disasters most likely to strike.
The survey included a mix of big and small companies from a variety of industries in all parts of the world. About half of them are based in North America; about half of them are in the finance, technology, government, insurance, or healthcare field; and more than half had less than 1,000 employees, although about 13 percent of the respondents worked for organizations with more than 25,000 employees.
The study found that disaster recovery (DR) hot sites may be more common than you thought they were. In Europe and North America, 87 percent of respondents said they had a hot site. However, the results suggest that the European hot sites were closer to their operators' main data center than the American hot sites--they are in the same city 40 percent of the time for the Europeans--which raises the question of whether these organizations are prepared for a wide-scale disaster.
Somewhat more surprisingly, according to SteelEye and Continuity Central, is the effort smaller businesses have put into preparing a disaster recovery hot site. According to the survey, 75 percent of the companies with less than 500 employees and a business continuity (BC) plan have a remote disaster recovery site, "a significant achievement on generally much tighter budgets," the survey states. "This group is all the more impressive because nearly 40 percent of these disaster recovery sites are genuinely remote: beyond the same city, county, or state, but within the same country."
Bob Williamson, vice president of product management with SteelEye, says the survey shows that small businesses are getting the message. "It didn't seem to matter that much how big the organization was," he says. "It wasn't the case that bigger companies were spending more" on BC and DR plans, as a percentage of their revenue.
Cost was the most common reason for not implementing a BC plan, Williamson says. "When we asked how much they spend on their business continuity plans, 40 percent said they were spending less than $100,000," he says. About 10 percent of the companies surveyed are spending more than $1 million per year. "Companies think it has to cost a lot of money, but they don't understand" that it doesn't have to cost a lot. The basics of a business continuity plan--including a server, a network link, and replication software--"certainly can be done for under $50,000." (This is also becoming true for iSeries DR strategies.)
The survey also highlighted the most important applications that companies want to have working during a disaster. "They made it very clear that services that they need to communicate with customer--e-mail, customer support, Web sites, phone systems--were the most important," Williamson says. "It was very clear that companies prioritize serving their customers above keeping their company running. Manufacturing products is a very low priority" during an emergency, he says.
When asked if they had invoked their business continuity plans, 45 percent said yes and 52 percent said no (about three percent didn't know). The survey found a correlation between those that invoked their plan and those that tested it. "Companies that had to invoke the plans tested it much more frequently," he said. "Forty-seven percent test only once a year. We feel that's not often enough."
The survey also shed light on what companies fear will cause downtime. The top of the list included software maintenance, network maintenance, network outages, application failures, hardware maintenance, and hardware failures. Interestingly, these are all things that IT shops can control, to some degree.
It's worth mentioning that about 79 percent of these shops ran Windows systems, with about 40 percent running Linux. So-called "legacy" systems, including Solaris, AIX, and HP-UX all were in use in more than 20 percent of the companies surveyed, while a mish-mash of z/OS, VMS, OS/400, and other vestiges accounted for another 20 percent in the "other" category.
Causes of downtime outside any companies' control--including natural disasters, power failures, and terrorism--ranked at or near the bottom of what companies fear. Some of these figures caught Williamson's eye. "I was surprised to find that power failures was such a large percentage. I always assume most companies have backup generators so if power goes out, they still have electricity. But now I'm not sure that's the case," he says.
When these fears were sliced by region, some other interesting tidbits popped up. For example, companies in North America fear natural disasters more than their counterparts across the pond. Meanwhile, the Europeans accounted more downtime to terrorism than natural disasters. The surveyors chalked up these findings to the fact that the United States has been terrorist attack-free since 9/11, while it has suffered severe natural disasters of late. The Madrid and London Al-Qaeda bombings, meanwhile, are still fresh in the European conscience.
This was the first time SteelEye has surveyed companies' BC and DR plans. The company plans to do another survey next year.