Disaster Recovery: Lessons Learned from 9/11

Experts on a keynote panel at Comdex compare notes on IT disaster recovery efforts in the wake of Sept. 11's terrorist attacks. The good news? It could have been much worse.
Posted November 16, 2001

David Needle

While it pales in comparison to the terrible human toll that cost thousands of lives, businesses in the area surrounding the September 11 terrorist attacks suffered immense damage.

In addition to the tremendous loss of expertise and skills of workers killed in the disaster, businesses lost physical assets, data and the information technology to continue operating.

The good news is, it could have been much worse.

At this week's Comdex show in Las Vegas, a keynote panel of IT experts with high-profile clients affected by the catastrophe recounted the good, the bad and the ugly of their efforts to get and keep businesses working.

If nothing else, 9/11 changed IT planners' perception, particularly in the Northeast, of just how devastating a disaster can be, according to John Burke, CEO of Big Apple Technologies.

Burke recounts that one company in New York planned to fly its back-up tapes to another part of the country in case of an emergency or "disaster" event like an office fire or flooding. But flying anywhere was out of the question in the immediate aftermath of 9/11.

While EDS client American Express Bank in New York was back in operation within a day of 9/11, EDS executive Bob Naylor says another New York bank had a disaster recovery center two blocks away from the World Trade Center and still hasn't recovered. Similarly, panelist Capt. Chris Christopher said the Pentagon thought it had secured one server with a back-up system across the hall. Neither survived the plane crash on 9/11.

Stanley Quintanta, vice president of AT&T Business Continuity Solutions, says businesses of all sizes need to ask "What do I need to survive?" Quintanta says this risk assessment should determine how many IT resources the business can afford to lose in a disaster. Everything else should be protected to the highest degree.

Risk Assessments Lacking

Naylor gave the example of a New York company with 85 servers. Of those, the company identified 12 servers that had to be protected at all costs, and in fact, those were the only ones to come out of 9/11 still protected. Capt. Christopher calls the expense of back-up systems and networks business insurance.

While backups of some kind are common, the panel argued most businesses haven't done a thorough enough risk assessment of what could happen in a disaster and how to minimize the damage.

"Many companies, particularly in the East Coast, will budget between one and five percent of their IT spending" on backup systems and recovery. "It has to be more," says Burke. "On the West Coast, where they have had to deal with more natural disasters, they spend more like 10 to 15 percent."

Christopher says the military follows the example of many large companies in being sure its IT services contract includes provisions for continuous service. So for example, it's up to EDS to restore the network when communications have been disrupted.

Preparing for disaster is nothing new. Most recently, systems were exhaustively tested for the Y2K bug. "But for (9/11), people weren't prepared," says Burke.

Smaller companies may not have the money to safeguard all their crucial systems. Burke suggests one possible solution: Share the expense of disaster recovery hardware, software and hosting by partnering with another company of about the same size. But don't hook up with a business down the street; choose a company miles away if not farther.

Technology writer and internet.com contributing editor David Needle has been writing about technology for 20 years. He lives in Silicon Valley.
