Among the hundreds of stories arriving this week surrounding the 10th 9/11 anniversary, a good handful will come from trade magazines and analyst groups looking at the risks and preparations for protecting data in the midst of a disaster, via planning and business continuity preparation.
While the human tragedy of 9/11 instantly dwarfs any material cost, it's not crass to recount the lessons learned by survivors returning normality to their lives, and it's not easy for us to gauge the chances of another big event soon. That said, some of the connections of risk exposure and the checklists offered based on 9/11 will be tenuous to compare to daily reality in a practical way.
In a world where data and technology support so many daily working and consumption processes, the scale of the 9/11 disaster can quickly overwhelm the conversation. But in a more pedestrian way, if not as widespread, the loss of information from a laptop or home PC can be as devastating to a business as a flood in a data center.
There are information risks of all sizes and likelihood inside and outside individual control. Some affect day-to-day continuity and call for first-responder attention. Other types of risk associated with data loss will have delayed or lasting effect. We may not be able to assure uninterrupted Internet service, but like traffic accidents, the greatest threats to data integrity, especially the self-inflicted ones, usually occur close to home.
Disaster Preparedness at the Top
The large-scale data infrastructure world understands the cost of unforced data errors very well. By way of example, a finding of the 9/11 Commission noted the questionable location of the lower Manhattan Emergency Operations Center next to a known terrorist target, with no backup site.
By contrast, most private and rentable industry-supporting data centers are thinly publicized innocuous buildings that aren’t recognized immediately from the outside. For decades, data managers have also mirrored their databases in at least two geographically separated sites.
When you visit or read about a modern commercial data center operation, it's quickly apparent that the operators don’t need to be reminded to cool or keep their gear dry. Facilities are high, weathertight and surrounded by security staffs who employ some of the tightest protocols in the world.
Quality of service is built into the service-level agreements demanded by businesses when colocating equipment or signing up for managed data center services. Direct city power feeds, massive cooling systems, diesel generators and rooms with thousands of batteries are all parts of the cost of entry paid by operators.
But one layer below the commercial data center, risk increases and takes on different profiles, whether the facility is located in Manhattan, New York or Manhattan, Kansas. Primary among these are captive but decentralized data facilities and ongoing dependence on small or desktop databases. Even more data exposure arises non-digitally in paper records, especially in distributed operational industries such as health care.
In June of this year, a deadly EF-5 tornado laid waste to whole sections of Joplin, Missouri, including the St. John’s Regional Medical Center and its adjacent data center. Once emergency facilities were erected and survivors were cared for, attention was turned to medical records and documents critical to ongoing operations.
In a stunning bit of good timing, St. Johns had migrated the majority of its patient data, hospital records keeping, registration, scheduling and pharmacy applications to a shared hospital data center mirrored in St. Louis and Washington, Missouri only weeks before.
The onsite data center that was destroyed contained a few dozen legacy servers and older patient information sources that were not mission critical and had not yet been migrated to the larger, shared hospital system.
Hospital technicians in Joplin were left trying to piece together historical data from backup tapes and drives left in the rubble, and older microfilm and microfiche backup files of data from 2005 and before were still waiting examination.
If the older records were less important than the current operational information, anything lost will not be available for future trending or data mining to find areas of improvement at the facility.
As he recounted at the time, Mike McCreary, the Chief of Technical Services at Mercy Hospital Systems in Joplin, said the experience had led him to reprioritize, having seen the human and capital toll.
“We have folks reevaluating our disaster planning to measure theories against realities, to now understand the gaps between what our disaster plan was and how it stacks up against the truth,” McCreary says. Coming out of this stiff trial, he says, the Mercy Hospital System will be more ready.
As CIOs and helpdesks confront a new wave of worry with handheld and PDA devices in the field, it is not a new experience; the same managers have faced similar problems for years with laptops, flash drives, CDs and floppy disks. As with laptops, unlocked PDAs can carry the added risk of network data access, upload or deletion that some helpdesks have addressed with passwords, two-level authentication and modern encryption methods.
As personal and business technologies inevitably mingle and overlap between home and BYOT (bring your own technology) in the workplace, more opportunities arise for hacks, viruses and malware to cause data corruption and infect networks. While institutions in banking and other data-sensitive industries wire devices to prohibit surfing or sharing in many ways, the greatest widespread enemy remains stupid behavior and irresponsibility. For most businesses today, education and enforceable policies and penalties are the main deterrents is spite of human behavior that seems to have irreversibly stymied old school IT practices on closed networks.
And as leisure time and work comingle more than ever, home computer failure can cause important data to be lost on failing or aged hard drives. The good news in personal computing is that, just as for businesses, highly dependable consumer level encrypted data backup is inexpensive and easy through cloud providers like Mozy or Carbonite. Anyone who has experienced the loss of work while working at home at a critical moment isn’t likely to repeat the mistake.
One difference is that home users of work data are wise to take the additional step to back up their entire hard drive on an external drive at home, and not for just more redundancy. Providers like Carbonite will back up documents and pictures automatically, but cannot restore applications and other copyrighted software on a computer without an additional license. If a computer’s drive can be reformatted, it can be restored completely with such backup, remembering that a local external drive will create yet another copy of all your proprietary data that will not be encrypted.
Individuals and businesses of all size and complexity are now more likely to face global threats of hacking, data and intellectual property theft from criminal, commercial and even state-sponsored attacks.
Long time risk analyst Robert Charette of ITABHI Solutions says that the threat of criminal or hostile state activity could be used as a competitive lever by groups that don't answer to legal codes of the countries they operate in.
Charette even coined a term for the tactic, calling it "riskfare."
"China can manipulate the U.S. by changing risks because all they have to do is not buy our treasury bonds," he said. "Cyber warfare, because we're integrated by technology, can allow tremendous threats through relatively small things."
The thesis is that the manipulation of risk is going to be much more powerful in the future and that it's going to be deliberate. Businesses have responded in part by installing chief risk officers as much as a way of evaluate investments in technology as they are used to monitor threats.
Musegh Hakinian is the security architect at Intralinks, a B2B provider of secure workspaces for companies in M&A or collaborating on research or products in highly-regulated industries.
"You want to remember that while the nature of applications used by consumers has changed for business and government, the threat is also changing," Hakinian says. For example, a G-mail attack this summer targeting White House officials calls for a different discussion than a natural disaster or fighting off mischievous hackers trying to build a reputation.
As industries collaborate on security threats, customers should ask whether they can extend their own security standards to cloud providers and others. The bigger question is budgeting for risk across a range of adversaries and internal measures that aren't likely to earn or retain funding over a period of time when nothing terrible, much less bad, has happened.
And it's unlikely to be controlled or addressed on the mixed technology environment of the offsite or mobile worker. "There is no consumer culture that rewards the good players," Hakinian said. "It's very difficult for consumers to gauge which providers are doing great work on the security front and if you are spending more on security, it doesn't guarantee any specific return."
Different observers have pegged the greatest failing of 9/11 on either a lack of intelligence, or a failure to heed visible warnings. What's clear is that the uncertainty will bring risk management closer to to the forefront of managing disasters or attacks as well as assets and investments in the business, information and technology environments.
The lessons we've learned turn out not to have justified plastic sheeting and duct tape, but there is still plenty of evidence that the best planning starts at home.