Choose Your Disasters and Prepare

Opinion: You can't plan for every possible disaster, but you should prepare for the most likely threats to your locale.

Have IT departments lost their sense of emergency as it relates to computer crime? Thats what a new study, prepared by my colleagues at CIO Insight says. IT managers arent as willing to invest in security as they were immediately post-9/11. Sadly, battle fatigue seems to have set in, despite some pretty serious wins by the bad guys.

I wont quote the study here; you can read excerpts at CIO Insight. My hope is that in the time between when the study was completed (pre-Katrina) and appeared (post-Katrina) that maybe some of this complacency was shaken off. And while crime is still a major problem, business continuity in the wake of natural or man-made disaster may finally be getting its share of attention.

Is your company ready to continue business if your downtown were filled to the brim with flood water? While very few cities face such a threat, every city faces something. Every location faces a reasonably likely natural or man-made emergency capable of shuttering businesses for weeks. Are you ready?

As the federal government has been criticized of late for concentrating too much on fighting terrorism and not enough on natural disasters, maybe IT departments should reassess their priorities as well.

I am not saying you should lower your guard against computer crime. You should work hard on this all the time. However, Hurricane Katrina is a Cat 4 reminder that its not just criminals that threaten your company.

I was talking the other night with a friend who is IT boss at a medium-sized petroleum products distributor. Were both ham operators so talk had turned to the communications problems in Katrinas aftermath.

I asked my friend if his company had a business continuity plan. He said it does, after a fashion, with servers located in several cities and a near-hot backup for a key accounting application. Lots of backups, though not stored as well as they might be.

To shake my friend up, I ran through a bunch of disaster-geek scenarios his company might face. Everything from a fire to a mass power outage of the type California seems set up to experience. We talked about hazardous materials spills, hostage takings, flooding, of course, and under what circumstances employees might or might not return to the office.

The interesting thing is that preparing for one of these disasters often takes care of at least some aspects of the others. My friend is going to start adding some business continuity spending into his budget, probably by adding standby gear to support the computing functions from multiple locations.

Hell do other things, of course, like make sure there are some cellular telephones that the offices themselves could use in the event of a landline outage. Having the numbers published internally will help people remain in touch.

/zimages/7/28571.gifElectronic health data is helping some of Katrinas victims. Click here to read more.

None of this is dramatic stuff, its not like the Los Angeles company who already has a Palm Springs hotel wired and gear stored to turn its ballrooms into a post-earthquake operations center. Complete with a very nice swimming pool and golf course, I should add.

In a small but important way, my friend is changing the "bets" his company is making as they related to security and business continuity. Lately, the bet had been that criminals or human error were the most likely causes for alarm. Thats probably still true, but my friend is now wisely placing some bets preparing for natural disasters as well.

One of the lessons of Katrina is that betting wrong eventually catches up with you. I dont want to second-guess, as I am sure money that wasnt spent on preparing for the big storm was needed elsewhere. Louisiana is not a rich state. But when something awful happens, whats remembered isnt where the money went, but where is should have gone.

Hindsight is 20/20, and foresight is difficult. But, while its still top-of-mind, ask yourself whether your company has made the rights bets as to the threats you face. Then figure in the amount of damage thats possible if you bet wrong. The worst case really does occur sometimes.

I dont believe there really is a "win" in this equation, unless you have unlimited resources and, even then, are exceptionally wise in their application. In the real world, some of your bets on more serious, if less likely, catastrophes will impact your preparedness for threats more likely to become real. When that happens, be prepared to explain your overall plan.

All you can do is place your bets, take your chances, and look for investments that protect your enterprise from the broadest range of threats, which includes not just criminals but also Mother Nature herself.

Contributing editor David Coursey has spent two decades writing about hardware, software and communications for business customers. He can be reached at

/zimages/7/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.