After a summer filled with tales of data theft, natural disasters, and executives going to jail in part because of email messages they wrote, you'd think IT pros who oversee storage matters in their organizations would be totally focused on mitigating the real risks they and their companies face. But a series of research reports from the UK and Germany indicate otherwise. In fact, according to these studies, many companies haven't yet implemented adequate business continuity plans, have failed to address email-compliance issues, and are ignoring the danger posed by widespread use of USB memory sticks. Disasters, compliance, and data theft are known risks. Yet many companies apparently still like to pretend they don't exist.
Inadequate Business Continuity Planning
Perhaps the most shocking report comes from AXA Group, a UK-based international insurance company. AXA's research reveals that 46 percent of UK companies don't have a business continuity plan. This statistic is particularly distressing because 17 percent of the companies surveyed have been affected by a disaster. Around 20 percent of those companies needed more than 1 week to get up and running again, and 8 percent needed more than 6 months.
Of course, establishing a business continuity plan is only the first step. After all, the folks in New Orleans had a plan to deal with a catastrophic hurricane. It just didn't work. According to AXA, fewer than half the companies that developed business continuity plans used professional advice in doing so, and only 30 percent had ever tested the plan. Of companies that had tested their plan, 20 percent say they've tested their business continuity procedures only once, and 40 percent test their plan only once a year. The net result: Only 42 percent of the companies that have business continuity plans and also actually faced a disaster felt that their plan had been effective.
Ignoring Email Compliance
In the same way that companies have ignored the need to have a well-conceived, well-rehearsed business continuity plan, many companies are also apparently turning a blind eye to the compliance dangers that email poses. In a survey of 100 CIOs by Cryoserver, a UK-based email-compliance company, 80 percent say that they have little or no confidence that their email systems are in compliance with major regulations. At the same time, 68 percent indicate that they've had to retrieve email to resolve a regulatory or compliance issue.
The Cryoserver survey results paint a complex picture. On the one hand, virtually all the CIOs acknowledge that the misuse of email could hurt their companies, and only 18 percent feel that they're sufficiently investing in appropriate email technology. On the other hand, 75 percent of the CIOs said that they had no idea how vulnerable their email system might make their company, and only around 25 percent have ever had their email systems assessed by third-party experts. Finally, the Cryoserver report shows that CIOs greatly underestimate the costs they could incur from a lawsuit that arises through the misuse of email. The report cited the example of Perot Systems, which said it spent more than $7 million sifting through 5 years of email to defend itself against the claims of a former employee.
Memory Sticks and Data Theft
The loss of data stored on USB memory sticks is the third area to which storage pros seem to be oblivious. According a survey by Steganos, a German data-encryption company, 41 percent of respondents say that they store company data on memory sticks. Of that group, 83 percent say that they don't use any data encryption. Without data encryption, if a memory stick were lost or stolen, anybody could extract, copy, edit, and transmit the data on it.
Laptop users, who are big users of memory sticks, are only slightly more likely to encrypt data, with 76 percent claiming to do so. Of course, many people find memory sticks a convenient, easy way to transport data. But memory sticks are easily lost or stolen. Many companies, the Steganos report argues, don't yet have adequate policies governing the use of memory sticks or encrypting them.
Business continuity, email compliance, and the use of portable memory devices are known risks. Although many storage pros focus primarily on ensuring that systems meet their service level agreements (SLAs), storage pros have an important role in shaping data-protection policies--including disaster recovery (which includes creating and testing a business continuity plan), email archiving, and protecting data in portable storage devices. Storage administrators should take the lead in mitigating the ongoing risks to data and the risks of the misuse of data to their companies.
