Most organisations tend to focus time and money on preparing for natural disasters and physical disasters, but fewer think about preparing for an Internet disaster. While not quite as extensive, an Internet disaster is often much more likely.
In the weeks since Hurricanes Katrina and Rita, there has been much talk about disaster preparation as well as discussions on how society can avoid such a tragedy the next time. And that's not surprising: Such large-scale situations, including Hurricane Katrina, September 11, and even the Blackout of 2003 in the northeastern United States, always highlight the importance of strong disaster recovery plans.
In the aftermath, organisations tend to focus more time and money on preparing for natural disasters (such as hurricanes and earthquakes) and physical disasters (such as fires and floods). However, what companies often fail to realise is that disasters also pose a significant threat to electronic assets -- particularly in our ability to communicate and in the value of information itself.
An Internet disaster -- whether accidental or intentional -- could damage or destroy the ability of a company to communicate with the outside world and seriously impact business. For example, a company that's the target of a denial of service (DoS) attack or that has lost its Internet connectivity due to a cut fibre-optic cable is often helpless.
Knowing what to do in these cases can be confusing, but companies should seriously consider the cost of lost productivity due to Internet problems. It can be extremely difficult to plan for or recover from an electronic disaster due to the complexity of the Internet.
Planning for a physical threat to a building (such as a fire) and to the employees who work in that building requires sprinklers, fire alarms, and fire escapes. Similarly, strict access controls and expensive fire-suppression equipment typically protect a corporate data centre because serious problems could cause a significant loss of business. (This planning occurs not only for the safety of the occupants, but also because of fire codes and insurance requirements.) In addition, most companies plan for power problems by using battery-backed power supplies or installing backup generators.
Some companies plan for internal computer system disasters on key assets by using clustering and highly available server systems and by using a disaster recovery vendor. They put the time and money into all of this disaster planning because these assets are essential tools of business. Yet, in my experience, even though many companies consider the Internet an essential tool to conduct business, few plan for Internet problems -- until, of course, the systems stop working.
When there's a problem (such as a mass-mailing worm) that disables a company's e-mail server, this shuts off e-mail. A crashed virus-scanning system or firewall also paralyses e-mail. A DoS attack on a gateway router can shut off a company from the Internet completely. By the same token, a fibre cut in one state can shut off a company in another.
That's why I advise companies to prepare for Internet disasters in the same manner they do for physical disasters. Being prepared for Internet disasters requires planning and redundancy on key Internet systems, similarly to how some companies implement highly available systems for internal business needs. This means that companies that depend on the Internet as a communication tool should consider these essential components: multiple Internet gateways, redundant firewall systems, e-mail servers, and virus-scanning systems.
Companies should plan for virtual disasters in the same manner as physical disasters by developing and implementing disaster planning procedures for Internet equipment. If your company is Internet-dependent, make sure you're prepared in the unfortunate event that a disaster occurs.
