Disasters bring to mind the raw force of nature - lashing winds, lightning strikes, fire and destruction.
In a world increasingly dependent on e-commerce, where 24x7 system availability has become the expected norm rather than the exception, the definition of a disaster is becoming more and more broad. A few minutes of downtime can translate potentially to millions of dollars lost to a business while the pervasiveness of the Internet means both small and large corporations are vulnerable to the vagaries of availability disruptions, from freak hail storms to denial-of-service attacks.
"Surprisingly, natural disasters account for less than eight per cent of all the downtime companies face," said Nick Blozan, distribution manager for Veritas. "The two biggest causes of downtime are failure in hardware and software. Add human error and you have the lion's share of the problem."
In the past, the solution for most businesses was storage. Yet in a crisis, it becomes clear storage plays only a small part in the disaster recovery equation, however important. IT managers now have to be able to anticipate issues such as security and connectivity, weighing the cost of redundant infrastructure against the cost of dealing with a disaster.
"Disaster recovery is a hugely misunderstood subject," said Rick Greengrass managing director of systems and e-business integrator Syntegra Australia. "In a sense, business recovery is an insurance policy. The value has to be estimated and the metric is the cost of failure."
Greengrass stresses the need for consulting within the channel to ensure end users understand the economics and ramifications of disaster recovery.
"The major question you have to ask is what is the cost of having system availability? If you don't need to switch over systems instantly you can then look at warm, tepid or cold options."
The trouble is, the Internet has fundamentally changed the way both small and large organisations view uptime.
"Disaster recovery used to be very internally focused," explained national sales manager with Tivoli Systems, Andew Belger. "Plans centred on what to do if an internal application became unavailable. What has happened with e-business take-up is availability has become so much more critical, not only from the perspective of productivity but also in terms of brand equity."
Across all sectors, end users are becoming aware they must take an enterprise approach to disaster recovery; one that incorporates all elements of the business rather than just storage.
"So many people have become so caught up in the importance of storage they forget solving storage problems doesn't necessary solve the disaster recovery problem," Belger said. "We don't discount the importance of a product in a solution, but it is also about performance and procedure."
This factor is opening doors for resellers, who often have a good understanding of the myriad of components involved in disaster recovery, to move into consultation.
"Resellers are definitely already in the storage space," said Veritas' Blozan who is is currently on the road in Australia and New Zealand encouraging resellers to take advantage of the opportunities, disaster recovery plans present.
"Resellers feel disaster recovery is a growing market, but when a problem does happen, the situation can become very emotionally charged. One of their fears is resellers want to make sure they are partnering with vendors they can depend on in a disaster situation. They have to feel a certain level of confidence."
The insidious threat
As the dependence on e-business increases, denial-of-service attacks are taking their place alongside bombings, earthquakes and fires in the disaster event stakes. According to a recent study by researchers from the University of California, denial-of-service attacks are launched against commercial Web sites, Internet infrastructure, small countries and home PCs at a rate of nearly 4,000 per week.
While denial-of-service constantly makes headlines, thousands of small incursions go undetected and unreported, according to managing director of virtual distribution outfit Janteknology Glenn Miller.
"These days disasters come in many forms and the Big Bang events are the easy ones, because they are the obvious ones," he said. "A disaster is no longer confined to an event. It is a process, one that is relatively new to an industry which is used to talking about a disaster event in terms of a physical calamity."
Miller cites the recently exposed vulnerabilities in Microsoft's Internet information server (ISS) software and the skyrocketing number of Web site defacements in recent times as cause for concern. Defacement may be as simple as changing a single word. Yet left undetected it can have disastrous results on a company's bottom line.
"An attack on an online price list, for example, can be so subtle that no one detects it for weeks," Miller said. "As the Web grows as an operational arm of business, one Web site defacement could put your company out for a week. A fire is going to be less damaging in the general context than a single Web site defacement."
The subtle nature of such attacks makes them dangerous to both small and large businesses. Combined with the untested legal ramifications of having systems hacked and used in denial-of-service attacks, the concept of security in the disaster recovery process becomes of paramount importance.
"Security is now a big part of the disaster recovery subset," affirmed Tivoli's Belger. "You have to provide consistent enforcement of security rules across systems and applications, as well as being able to tell when a product is modified and the depth of any intrusion."
Balancing the cost
With so many facets to the recovery process, it is becoming difficult to balance the expense of integrating redundant systems with the piece-of-mind of data availability.
"Banks spend multi-millions of dollars a year in the hope they never have to use their disaster infrastructure," said BMC Software's David Tighe. "Small and medium businesses don't have the luxury of that kind of money. So we have to look at simple procedures - what is the minimum needed to be able to pick up and work from another building."
A new breed of Internet traffic and network management products means businesses can transform redundant infrastructure into active day-to-day systems. Similarly, companies can now divide their bandwidth between multiple service providers.
"Why have a huge building full of redundant infrastructure there in case the worst happens?" asks Radware general manager Tony Burke. "Why not utilise that investment?
"Businesses need to optimise the technology that many people have but are not using to its maximum potential. The thing is, companies are reliant not only on their own network, but on their service provider. If that goes down, all the back end infrastructure in the world becomes nought."
It's a lot for an organisation to implement and the biggest issue is planning. Selling a host of disaster recovery tools to an end user is of no use unless they can be used by people who aren't necessarily skilled in IT administration.
"Make sure you document the procedure," Tighe warned. "Because if the worst happens, don't expect the administrators to be there. If [disaster recovery tools] are never tested, they are not going to give you what you want when the crunch comes because everyone is different."
Syntegra's Greengrass agrees. "Often the one size fits all approach ends up being one size fits no one."