Originally created 11/05/01

Backing up data is just for starters



Last month's terrorist attacks have prompted many companies to take a new look at how, when and where their data is backed up and just how secure it is.

World Trade Center tenants, such as Morgan Stanley and Cantor Fitzgerald, can't replace the people they lost on Sept. 11. But the firms could, in many cases, replicate their data.

Because they had backed up critical data at sites far from the Trade Center site, both Morgan Stanley and Cantor Fitzgerald were back in business within two days. Customers could access their accounts, and grieving relatives of missing employees could get information about benefits.

The events of Sept. 11 have many businesses taking a fresh look at data security. Some that didn't worry about where they kept backup tapes are worrying about it now. And even companies that were security-conscious before are taking a fresh look at their procedures.

Joe Blomker, president of Maryville Technologies, says that before the terrorist attacks, most companies had envisioned a natural disaster, such as an earthquake or hurricane, as the worst that could happen to them.

"Clearly, Sept. 11 wasn't a natural disaster," he said, "and it has people thinking about security in a different light."

Still, Blomker sees a lot of complacency in the corporate world. He said he gets more security questions after a virus scare than he got after the terrorist attacks.

MasterCard International, which opened a new global technology and operations center just last month in O'Fallon, Mo., has always taken security seriously.

Its state-of-the-art data center is designed to California earthquake standards and built to survive a 125-mph hit from a tornado. The campus has enough backup generators to power all of O'Fallon for a couple of weeks, without even refilling the fuel tanks. And MasterCard can switch its credit-card processing to a mirrored backup facility - at an undisclosed location far from O'Fallon - within seconds if anything happens to the computers on site.

But after Sept. 11, company officials took a fresh look at security and decided it needed to be tighter. Employees and visitors used to be able to drive into the parking lots unchecked; now security guards stop and check all vehicles entering company property.

Thinking about worst-case scenarios, from natural disasters to power outages to sabotage, is a way of life at MasterCard, said Arthur Ahrens, senior vice president for computer and network services. "When you open your wallet and you pull out your MasterCard, we want it to work every time," he said. If it doesn't, the company knows, the MasterCard may go back in the wallet and stay there, unused.

For that reason, employees in the MasterCard operations command center monitor systems at 20,000 member banks. If anything goes wrong at one of them, the MasterCard center here takes over that bank's processing operations. At any moment, Ahrens said, the center probably is standing in for at least one member bank somewhere in the world.

Twice a year, MasterCard switches over to the mirrored backup site as a test. Ahrens said the tests have always gone smoothly. "Our members don't even know it's going on."

Data-security experts say all companies should look at their operations and ask how much money they would lose if a given system or piece of information were unavailable for an hour, a day or a week.

The answers will determine how often they should back up and how much they should spend to be ready for a disaster. For companies like MasterCard, which aims for 99.999 percent reliability, that means maintaining an instantly available, redundant facility. Companies that merely want to make sure they can get back in business within a day or two might sign a contract with a vendor who could quickly assemble the servers and other hardware needed to replicate a damaged data center.

But all the hardware in the world won't save a company if it hasn't protected its data properly. That doesn't mean making a backup tape and putting it in a company safe or an employee's car, said Michael Lewis, facility manager for Recall Total Information Management in St. Louis.

Recall operates a tape vault - basically a large, reinforced-concrete warehouse - in Maryland Heights, Mo., where its trucks handle about 8,000 shipments a day for 415 clients.

Recall's New York office had eight clients in the World Trade Center, including Cantor Fitzgerald, and 17 others within a block of the towers. The attack sent Recall employees scrambling to deliver about 30,000 tapes to the clients' alternate sites. For example, Cantor was back in business, across the river in New Jersey.

Lewis' staff has never experienced a crisis like that. But, he emphasized, data disasters are a daily occurrence.

"We run about 12 special deliveries a day," he said. "People's systems crash, or maybe people have a vendor in, and the vendor hits a cable and that brings the system down."

Last month's Nimda virus caused a flurry of activity, corrupting servers at about 25 Recall clients. Most were doing daily backups, so after an emergency delivery from Recall, the most they lost was one day's worth of data.

An e-commerce company faces some special security risks - after all, it's inviting the public into its server, so it must beware of hackers. And it faces a loss of credibility if the Web site is down when someone tries to access it.

Centrics Technology, an e-commerce subsidiary of CPI Corp., runs the online arm of CPI's Sears Portrait Studios. Donald Shaffer, a Centrics vice president, said the 11-month-old company moved its Web site from an in-house network to Inflow Inc.'s Web-hosting facility for several reasons.

It relies on Inflow's firewall software to prevent unauthorized access. "They're proactive in preventing attacks on the site, which we would be reactive to if we weren't working with them," Shaffer said.

Inflow also guarantees that it'll keep the Web site running. A generator kicks in if downtown St. Louis suffers a power failure, and Inflow has connections to three Internet service providers.

Shaffer says building in such backups "would be cost-prohibitive for us to do on our own." In the event of a natural or man-made disaster, Centrics' operation could be shifted to one of Inflow's 17 other offices around the nation.

Disaster planning is, in fact, a growing business for Inflow. It maintains disk storage space for companies that want to back up their servers frequently; such a strategy can be a valuable complement to daily tape backups, said J.R. Wiesmann, manager of Inflow's St. Louis office.

Clients also can contract for Inflow to be a "hot" disaster-recovery site, with hardware on standby at all times, or a "cold" site, with vendors under contract to ship in hardware quickly when it's needed. Wiesmann says he's had five inquiries since Sept. 11 from companies interested in disaster planning.

But Lewis, the manager of Recall's St. Louis facility, says data security hasn't taken on a sense of urgency yet for many companies. "A lot of people say it can't happen here or it won't happen to me," he said.

The last time data security got a lot of attention was in 1999, when people were worried that their computers wouldn't be able to read information properly after Jan. 1, 2000. "After Y2K was over, they decided, 'We dodged the bullet, so we're OK,' " he said.

Many companies take the first step, backing up their data, but then don't take the second step of making sure the backups are in a secure place.

Lewis said he knows of one company where an employee was told to take tapes home at night - until the tapes were trapped in the employee's car after an accident.

When backup tapes are stored on a company's premises, they are useless in the event of a disaster and they are susceptible to mismanagement by employees. "I've heard horror stories of somebody putting a tape in a drive and overwriting it, and now their IRS information from two years ago is gone," Lewis said.

Many companies have let their guard down, Lewis said, as they have moved from mainframe computers to decentralized networks of PCs.

"That's a scary thing in some ways. It used to be XYZ Corporation knew everything that was coming in, because it went on the mainframe," Lewis said. "Now each department is doing its own thing, and they don't know who is backing up what."

Companies with a lot of field representatives, such as consultants or insurance sales people, may even be storing critical client data on laptops without backing it up, said Jim Reinert, director of business development for Ontrack Inc., a data-recovery company in Minneapolis.

More and more, companies can't even refer to paper documents if, say, a sales person's laptop is stolen. Ninety-three percent of corporate communications are created electronically, Reinert said, and 70 percent of those are never printed out.

Sometimes, though, companies stick with the can't-happen-here mentality until it's too late.

"Sometimes it takes a disaster, a company's system crashes before they realize they don't have a good backup procedure," said Mark Avetta, president of infrastructure services at Trinity Cos. in Chesterfield, Mo. "It can have a big impact on a company's bottom line."

Tips to help you safeguard your data

1. Back up critical data daily to redundant servers, network drives, tape or optical drives.

2. Don't forget to back up laptops. Many businesses do not realize the importance of data stored on laptops, which can easily be lost or damaged.

3. Maintain copies of all backups off-site. That way, you'll still have your data even if your main office suffers serious damage.

4. Perform system maintenance regularly to ensure peak performance, prevent overwriting of data and protect computers from viruses.

5. Never assume your data is unrecoverable. Various software tools and laboratory services can recover data even from a damaged computer.

Source: Ontrack Data International Inc. (www.ontrack.com)

(For news and information about St. Louis, visit http://stltoday.com. Distributed by Scripps Howard News Service.)

(For news and information about St. Louis, visit http://stltoday.com. Distributed by Scripps Howard News Service.)