Is Your Data Safe from Disaster?

Companies like Iron Mountain can securely store backup information in high-tech vaults, leaving you little excuse for not having a plan

Iron Mountain is a company that likes to keep a low profile. So it takes sharp eyes to locate one if its key buildings in Burlington, Mass. No name marks the one-story structure. No corporate slogan trumpets its mission. Only a tiny street number -- 21 -- lets visitors know they've arrived. The proliferation of surveillance cameras makes it clear they shouldn't try anything funny.

Why all the secrecy and security? This is the off-site data-protection division of Iron Mountain (IRM ), a Boston-based company that guards back-up copies of mission-critical corporate data, on paper or electronically. The nondescript building of concrete vaults outside Boston is a technology Fort Knox, one of many the company uses to store tapes the size of eight-track cartridges for customers that remain unnamed. Even the tapes bear only a bar-code marking. Customers demand discretion, which suits Iron Mountain just fine. "It's an industry we don't need to advertise," says Rob McLaughlin, Iron Mountain's general manager for New England. The company has revenues of nearly $1 billion last year.

MARKET DARLING.

  Suddenly, this low-profile data-storage operation and others like it have been thrust into the spotlight. The terrorist attacks on the World Trade Center and Pentagon have illustrated how vulnerable any business is to disaster and loss of both manpower and critical data. The stock market has heaped accolades on some of the companies that protect the bits and bytes. Iron Mountain's shares, for instance, jumped 3%, to about $42 on Sept. 17, when the overall market fell 7%. The stock closed on Sept. 20 at $41.10 (see BW Online 9/4/01, "Spinning Paper into Gold at Iron Mountain").

Services such as those provided by Iron Mountain, whose low-tech approach is trucking tapes to and from the vaults, have become a high priority as companies seek to protect data against potential disasters. "The risk of terrorism will get more people to focus on backup and contingency plans," says John Jackson, president of Comdisco, which provides data-processing centers for companies that have been pushed out of their own offices.

Businesses, of course, have been making extra copies and otherwise protecting their data for a long time. Indeed, banks have to do it by law. But many big companies now are being forced to rethink their disaster-recovery and business-continuity plans to a degree they never would have contemplated before Sept. 11. And many smaller companies now feel compelled to implement plans for the first time. The alternative is to risk being wiped out entirely. Indeed, consultants worry that many of the law, real-estate, accounting, and other firms that had offices or a headquarters at the World Trade Center may have lost everything because they did not have recovery plans or backup systems in place.

CLOSING UP SHOP.

  The National Fire Protection Agency estimates that 43% of businesses directly affected by a disaster never reopen, and an additional 29% close after three years. About two-thirds of companies that were in the World Trade Center when the Twin Towers were bombed in 1993 didn't have recovery plans in place then. According to consultants, scores of companies went out of business because they were barred from the building for five weeks and couldn't retrieve their data. The reasons for the lack of planning: inertia, possible lack of tech expertise, and no perceived threat greater than an occasional storm.

Even some of those who may have learned their lesson after the 1993 bombing didn't take it far enough. At least one firm located in the World Trade Center had a plan -- but the copies were kept at the office, says Frank Schlier, group vice-president for financial services at Gartner Inc. "You need the plan [to be] somewhere else and [to have] copies of it," he says. Also, he points out, there needs to be training, an established corporate ethic, and a thorough process that's widely known, rather than concentrated among a small group of people who work, say on the 103rd floor.

A Wall Street mantra -- diversification -- may take on added meaning as companies rethink protecting their assets, both physical and human. Experts say top executives and strategists should not be based in the same building, much less on one floor. Although banks and other firms generally scatter offices by function, that's not enough, says Schlier. One attack could destroy an entire investment-banking operation.

DIDN'T SEEM IMPORTANT.

  Existing disaster plans also should be continually reassessed and updated, experts say. That's especially true for companies that are growing rapidly, which causes priorities to change. In a conference call with Gartner, Don DeMarco, director of IBM's business continuity and recovery services, says several companies hit by the disaster are now having trouble recovering programs that didn't seem critical when their contingency plans were put in place but are more important now.

For smaller outfits, many of which cringe at the cost or complexity of a backup operation, a good option might be to hire outside vendors to handle it. The cost could be as little as $700 a month, experts estimate. Data recovery requires three elements -- backup, computer-processing capability for access, and places for your employees to sit and connect.

This is where companies like Iron Mountain come in. They physically pick up tapes from clients, deposit them in their vaults, and return them when needed. Costs start at about $150 a month and rise depending on the amount of data and services contracted. They also truck the tape cartridges to "hot sites," or computer-processing plants set up by companies like Comdisco, SunGard, and IBM. Costs for this phase range from about $500 a month to as much as $1 million, depending on the amount of data, type of storage, computers, and facilities involved.

Obviously, that's a lot. But it could be one tech expenditure that companies can't afford to put off.

By Faith Keenan in Boston

Edited by Thane Peterson