According to Computer Security
Institute (http://www.gocsi.com/)
Based on responses from 503 computer security practitioners in
U.S. corporations, government agencies, financial institutions,
medical institutions and universities, the findings of the "2002
Computer Crime and Security Survey" confirm that the threat from
computer crime and other information security breaches continues
unabated and that the financial toll is mounting.
Highlights of the "2002 Computer Crime and Security Survey"
include:
- Ninety percent of respondents (primarily large corporations
and government agencies) detected computer security breaches
within the last twelve months.
- Eighty percent acknowledged financial losses due to computer
breaches.
- Forty-four percent (223 respondents) were willing and/or able
to quantify their financial losses. These 223 respondents reported
$455,848,000 in financial losses.
- As in previous years, the most serious financial losses
occurred through theft of proprietary information (26 respondents
reported $170,827,000) and financial fraud (25 respondents
reported $115,753,000).
- For the fifth year in a row, more respondents (74%) cited
their Internet connection as a frequent point of attack than cited
their internal systems as a frequent point of attack (33%).
- Thirty-four percent reported the intrusions to law
enforcement. (In 1996, only 16% acknowledged reporting intrusions
to law enforcement.)
Respondents detected a wide range of attacks and abuses.
Here are some examples of attacks and abuses:
- Forty percent detected system penetration from the outside.
- Forty percent detected denial of service attacks.
- Seventy-eight percent detected employee abuse of Internet
access privileges (for example, downloading pornography or pirated
software, or inappropriate use of e-mail systems).
- Eighty-five percent detected computer viruses.
For the fourth year, we asked some questions about electronic
commerce over the Internet. Here are some of the results:
- Ninety-eight percent of respondents have WWW sites.
- Fifty-two percent conduct electronic commerce on their sites.
- Thirty-eight percent suffered unauthorized access or misuse on
their Web sites within the last twelve months. Twenty-one percent
said that they didn't know if there had been unauthorized access
or misuse.
- Twenty-five percent of those acknowledging attacks reported
from two to five incidents. Thirty-nine percent reported ten or
more incidents.
- Seventy percent of those attacked reported vandalism (only 64%
in 2000).
- Fifty-five percent reported denial of service (only 60% in
2000).
- Twelve percent reported theft of transaction information.
- Six percent reported financial fraud (only 3% in 2000).
The complete report may be read at http://www.gocsi.com/press/20020407.html.
|
Over 40 percent of all companies
experiencing some type of information-related disaster never
re-open. Critical applications such as ERP, SCM, CRM, and e-mail
make protecting your information with an integrated business
continuity solution more important than ever before.
Source: EMC2 (http://www.emc.com/continuity/index.jsp#)
|
ROI And The Costs of Business Continuity Planning
(A VISTASTOR whitepaper at http://www.vistastor.com/briefs/ROI.pdf)
We have all seen the statistics:
- Typical distributed network sites have a downtime cost of
between $20,000 and $80,000 per hour, but for a retail brokerage,
it is estimated that an hour of downtime will cost the company
$6.5 million. (Source: Contingency Planning Research)
- 43 percent of companies experiencing disasters never re-open,
and 29 percent close within two years. (Source: McGladrey and
Pullen)
- It is estimated that 1 out of every 500 data centers will have
a severe disaster each year. (Source: McGladrey and Pullen)
- A company that experiences a computer outage lasting more than
10 days will never fully recover financially. 50 percent will be
out of business within five years. (Source: “Disaster Recovery
Planning: Managing Risk and Catastrophe in Information Systems,”
Jon Toigo.)
Now consider this: A KPMG study shows that only 5% to 6% of an
overall IT budget is generally allocated for disaster-recovery
planning and preparation. Further, among those corporations with
business continuity plans, less than one half meet an acceptable
portion of their recovery objectives, and between 5% and 10% did
not adequately test their plans.
|
Excerpted from Info Security News Magazine, 2000.
Cited on http://www.hp.com/hps/briefs/bc_capability.pdf
- 88% of e-commerce is not covered by a data recovery/business
continuity (DR/BC) plan.
- 42% of managers do not believe their plans would be effective.
- 92% of companies fail to update their testing or planning
following upgrades or system installations.
- 53% of firms recover less than 25% of their total losses
through insurance.
- An effective DR/BC plan can reduce losses by 90%.
|
|
Excerpted from Mitigating
Disasters in Veterinary Practices and Humane Shelters http://www.animaldisasters.com/Business%20Continuity.htm#Examples
OSHA requires all businesses with more than 10 employees to
have a written Emergency Contingency Plan (ECP). For businesses with
10 or fewer employees a written plan is not mandated, but highly
recommended. The purpose of an ECP is to prevent accidents and, if
they do occur, to be able to effectively control them and reduce
their impact.
Complying with the regulations set out by OSHA is generally
beneficial to companies in that compliance results in a lower number
of injuries to staff, decreased severity of injury when accidents
occur and decreased losses due to business disruption and the
consequences of litigation when procedures have not been followed.
These are the identical goals of any business or community disaster
preparedness program. The principles of human safety
in emergencies, such as evacuations, can be readily adapted by
animal health professionals to the care of animals.
This site should be visited by all
planners. Well researched general and specific
information.
|
|
Over the last decade, the overall cost of disasters to the United
States has grown significantly.
From 1989 to 1993, the average annual losses from disasters were
$3.3 billion. Over the last 4 years, the average annual
losses have increased to $13 billion.
On the Federal side alone, disasters have cost over $20 billion
over the last four years. The disaster losses are equally as
staggering for the American public.
Since 1993, over 1.4 million Americans have been impacted by
Presidentially declared disasters, resulting in the loss of their
homes, property, communities, jobs, and in some cases their lives.
This figure does not include the hundreds of thousands of people
impacted by natural hazard events that were managed entirely at the
State and local levels, and involved the personal savings and
private resources of property owners.
(The) emphasis on mitigation led FEMA to introduce a National
Mitigation Strategy in December of 1995 to encourage a national
focus on hazard mitigation. (See Federal Emergency Management
Agency, "National Mitigation Strategy: Partnerships for Building
Safer Communities," Washington, DC: Government Printing Office,
1995)
Source: FEMA (http://www.fema.gov/mit/cb_intro.htm)
|
|
"Mitigation saved the Anheuser-Busch facility in Los Angeles
after Northridge. The Anheuser-Busch Engineering Department
retrofitted the plant to conform to the LA seismic code -- and the
plant was functioning within days of the earthquake.
"Without those revisions -- they would have sustained more than
$300 million in direct and interruption losses."
Source: James L. Witt, Director,
Federal Emergency Management Agency (http://www.fema.gov/mit/cb_bus.htm)
|
|
Using the results of the (Castaic Union School) District's risk
analysis, it was determined that the potential economic costs from
either a dam failure or oil pipeline break following an earthquake
were enormous. The first potential cost to the School District would
be incurred from both building and content damage. Replacement of
the school buildings would cost an estimated $7.7 million in direct
construction costs (1995 dollars).
Second, if such an earthquake occurred, alternative school
facilities would have to be located and rented at an estimated
cost of over $500,000 per year.
Third, the community would have to absorb the costs of losing the
educational services provided by the District in the time period
between the actual loss of the facilities and the relocation to
temporary facilities. The School District calculated the cost of the
lost public services based on the operating expenses required to
provide the services. The daily cost of lost educational
services was estimated at $28,601.
Source: FEMA (http://www.fema.gov/mit/cb_aqmul.htm)
|
|
| Business | Average Hourly Impact |
|---|---|
| Retail Brokerage | $6.45 million |
| Credit Card Sales Authorization | $2.6 million |
| Home Shopping Channels | $113,750 |
| Airline Reservation Centers | $89,500 |
| Package Shipping Service | $28,250 |

Source: Contingency Planning Research
When you consider that most businesses experience two hours of
downtime per week, those are incredible numbers. At Ontrack, we've
uncovered even more eye-opening facts about data loss and the life
of your business.
- Most companies value 100 megabytes of data at more than $1
million.
- 43 percent of lost or stolen data is valued at $5 million.
- 43 percent of companies experiencing disasters never reopen,
and 29 percent close within two years. (Source: McGladrey and
Pullen)
- It is estimated that 1 out of 500 data centers will have a
severe disaster each year. (McGladrey and Pullen)
- 40 percent of respondents to a computer security survey had
detected and verified incidents of computer crime during the
previous year. (NCSA Annual Worry Report)
- Computer crimes cost firms who detect and verify incidents of
computer crime between $145 million and $730 million each year.
(NCSA Annual Worry Report)
- A company that experiences a computer outage lasting more than
10 days will never fully recover financially. 50 percent will be
out of business within five years. (Disaster Recovery Planning:
Managing Risk & Catastrophe in Information Systems by Jon
Toigo)
Source: Ontrack Data International,
Inc. (http://www.ontrack.com/)
|
|
| Average Hourly Cost of Downtime | |
|---|---|
| Brokerage House¹ (or large e-commerce site) | $6.4 million |
| Credit Card Sales and Authorization¹ | $2.6 million |
| Catalog Sales¹ | $90 thousand |
| Package Shipping and Transportation Industry¹ | $28 thousand |
| UNIX Networks² | $75 thousand |
| PC LANs² | $18 thousand |
| Average Hourly Cost to Re-create Data² | $50 thousand |

1. Contingency Planning Association Research
2. Strategic Research
|
Source: Quantum Corporation (http://www2.dlttape.com/proveit/is_white/continuity.htm)
|
|
"On-line systems fail an average of nine times a year, with an
average outage duration of 4 hours per failure." Stratus Computers
Study, quoted in Action Plan for Disaster (SRS-013), SunGard
Recovery Services Inc.
"In the three years prior to 1992, there were a total of nearly
1.5 million (IT) security breaches, racking up costs of more than
$330 million." Information Week, quoted in Action Plan for
Disaster (ibid.).