While the human tragedy of 9/11 instantly dwarfs any material cost, it's not crass to recount the lessons learned by survivors returning normality to their lives, and it's not easy for us to gauge the chances of another big event soon. That said, some of the connections of risk exposure and the checklists offered based on 9/11 will be tenuous to compare to daily reality in a practical way.
In a world where data and technology support so many daily working and consumption processes, the scale of the 9/11 disaster can quickly overwhelm the conversation. But in a more pedestrian way, if not as widespread, the loss of information from a laptop or home PC can be as devastating to a business as a flood in a data center.
There are information risks of all sizes and likelihood inside and outside individual control. Some affect day-to-day continuity and call for first-responder attention. Other types of risk associated with data loss will have delayed or lasting effect. We may not be able to assure uninterrupted Internet service, but like traffic accidents, the greatest threats to data integrity, especially the self-inflicted ones, usually occur close to home.
Disaster Preparedness at the Top
The large-scale data infrastructure world understands the cost of unforced data errors very well. By way of example, a finding of the 9/11 Commission noted the questionable location of the lower Manhattan Emergency Operations Center next to a known terrorist target, with no backup site.
By contrast, most private and rentable industry-supporting data centers are thinly publicized innocuous buildings that aren’t recognized immediately from the outside. For decades, data managers have also mirrored their databases in at least two geographically separated sites.
When you visit or read about a modern commercial data center operation, it's quickly apparent that the operators don’t need to be reminded to cool or keep their gear dry. Facilities are high, weathertight and surrounded by security staffs who employ some of the tightest protocols in the world.
Quality of service is built into the service-level agreements demanded by businesses when colocating equipment or signing up for managed data center services. Direct city power feeds, massive cooling systems, diesel generators and rooms with thousands of batteries are all parts of the cost of entry paid by operators.
But one layer below the commercial data center, risk increases and takes on different profiles, whether the facility is located in Manhattan, New York or Manhattan, Kansas. Primary among these are captive but decentralized data facilities and ongoing dependence on small or desktop databases. Even more data exposure arises non-digitally in paper records, especially in distributed operational industries such as health care.
In June of this year, a deadly EF-5 tornado laid waste to whole sections of Joplin, Missouri, including the St. John’s Regional Medical Center and its adjacent data center. Once emergency facilities were erected and survivors were cared for, attention was turned to medical records and documents critical to ongoing operations.
In a stunning bit of good timing, St. Johns had migrated the majority of its patient data, hospital records keeping, registration, scheduling and pharmacy applications to a shared hospital data center mirrored in St. Louis and Washington, Missouri only weeks before.
The onsite data center that was destroyed contained a few dozen legacy servers and older patient information sources that were not mission critical and had not yet been migrated to the larger, shared hospital system.
Hospital technicians in Joplin were left trying to piece together historical data from backup tapes and drives left in the rubble, and older microfilm and microfiche backup files of data from 2005 and before were still waiting examination.
If the older records were less important than the current operational information, anything lost will not be available for future trending or data mining to find areas of improvement at the facility.
As he recounted at the time, Mike McCreary, the Chief of Technical Services at Mercy Hospital Systems in Joplin, said the experience had led him to reprioritize, having seen the human and capital toll.
“We have folks reevaluating our disaster planning to measure theories against realities, to now understand the gaps between what our disaster plan was and how it stacks up against the truth,” McCreary says. Coming out of this stiff trial, he says, the Mercy Hospital System will be more ready.
As CIOs and helpdesks confront a new wave of worry with handheld and PDA devices in the field, it is not a new experience; the same managers have faced similar problems for years with laptops, flash drives, CDs and floppy disks. As with laptops, unlocked PDAs can carry the added risk of network data access, upload or deletion that some helpdesks have addressed with passwords, two-level authentication and modern encryption methods.
As personal and business technologies inevitably mingle and overlap between home and BYOT (bring your own technology) in the workplace, more opportunities arise for hacks, viruses and malware to cause data corruption and infect networks. While institutions in banking and other data-sensitive industries wire devices to prohibit surfing or sharing in many ways, the greatest widespread enemy remains stupid behavior and irresponsibility. For most businesses today, education and enforceable policies and penalties are the main deterrents is spite of human behavior that seems to have irreversibly stymied old school IT practices on closed networks.