Business continuity and the vulnerability of IT infrastructures

A series of international terrorist attacks, natural disasters and large-scale power failures over the past few years has served to highlight the vulnerability of IT infrastructures. Ensuring business continuity has consequently become a major concern for organisations of all sizes, as senior executives have come to realise that even a few hours of downtime could severely impact the health of the business.

According to a recent survey of global continuity practices performed by information service Continuity Central, for example, 32% of businesses would find just four hours of downtime potentially “fatal” for their organisation. The vast majority, however, 72.9%, said this would be true within 24 hours of their IT infrastructure disappearing – demonstrating just how critical and deeply embedded IT has become within the fabric of most businesses.

In recognition of this position, MI5 now recommends businesses prioritise the protection of their IT infrastructure as a matter of business continuity, second only to providing physical protection for their buildings and staff. According to Continuity Central, the majority of organisations have now started to properly address this issue, with 73.4% of CIOs and IT directors surveyed confirming they have a business continuity plan (BCP) in place. Of these, 46.3% said they test their plans annually, with a further 32.1% performing tests at least four times a year.

For the majority of top-tier organisations, such business continuity measures are now an absolute, if irksome, necessity. As Chris Keeling, partner at Acuity Risk Management, provider of security services to a number of the major investment banks, observes, there are now numerous pressures forcing senior management to address business continuity at a boardroom level. “They are very keen to be seen to be doing the right thing for the organisation, for its clients, for its stakeholders, and also in response to more regulatory guidance and pressure,” he explains.

In such cases, the “right thing” has meant divorcing those individuals performing the work from the technical production that supports that work. Barry Clark, consultant and former superintendent at Scotland Yard, reveals this approach has prompted the widespread relocation of data centres to remote locations, coupled with the duplication of major IT systems at an alternative venue. Continuity Central found 46.5% of businesses surveyed now include a standby site in their BCP. These are usually furnished with the necessary IT infrastructure, including hardware, software, and communications.

But despite these promising developments among the great and the good of the business world, there is still a lot of work to be done. In particular, small to medium companies continue to lag behind their larger, better-funded counterparts. Limited financial resources make it particularly costly for SMEs, many of which border on profitability in the first few years of existence, to secure adequate backup and recovery solutions.

This is all the more worrying because smaller organisations tend to have more concentrated IT infrastructures, making the impact of a disruption disproportionately damaging. Data, for example, is often held on a single server in a single location, leaving the business highly exposed to the risk of critical data loss. Minimising the impact of downtime in the event of a major disruption to local power supplies, or an internet service provider, therefore remains an ongoing challenge for this segment of the business community.

As Ian Lauwerys, IT director at Kennedy’s law firm, attests, however, developments within the emergent, but increasingly popular, field of virtualisation look set to significantly reduce these prohibitive costs. Because virtual machines are hardware independent, a physical server can act as a recovery target for any virtual machine. This significantly reduces the hardware costs implicit in business continuity plans, by repurposing underutilised existing servers as recovery targets.

Lauwerys confirms that colleagues in other, similarly small, law firms have realised these benefits through the creation of disaster recovery centres that run on virtualised servers. Otherwise, adds Lauwerys, they “couldn’t see any other way of doing it because they wouldn’t have had the resources”.

In addition to reduced costs, virtualisation all but eliminates scheduled hardware maintenance outages. For example, the rising California-based star in this space, VMware, provides software that allows IT administrators to move running virtual machines from one physical server to another without downtime, as well as products that allow restore procedures to be built into existing methodologies and infrastructures. Using VMware, companies such as underwriter Market International have substantially reduced restore time following a disruption from eight hours to eight minutes.

While virtualisation might still be in its infancy, its importance to the business continuity arena is already clear. As IT becomes ever more pervasive throughout business, and the associated implications of failure grow, the importance of BCP to the SME community will become as acutely obvious as it is to the largest organisations. And when it does, virtualisation will surely prove a critical part of their provisions.

Pete Swabey

Pete was Editor of Information Age and head of technology research for Vitesse Media plc from 2005 to 2013, before moving on to be Senior Editor and then Editorial Director at The Economist Intelligence...
