Threats to business take many forms, from natural disasters and malicious attacks to system failures and basic negligence. The following examples – arguably some of the worst and some of the most embarassing disasters to have befallen businesses – provide a salient warning of the importance of anticipating the worst, whatever that may be.
World Trade Center terrorist attacks
There can be no bleaker example of the critical importance of comprehensive business contingency planning than the events of September 11th 2001. The destruction of the World Trade Center proved to be the single worst disaster in business history. Effective planning on the part of some World Trade Center tenants, however, not only helped minimise business disruption, but saved many lives.
Most of the financial services companies affected had disaster recovery facilities across the river in New Jersey. IBM, HP and SunGard reported hundreds of disasters each, but by using spare capacity elsewhere in the US, they coped. Fiduciary Trust International, became a model of effective business continuity planning when, within hours of the attacks, members of Fiduciary’s management team were at the company’s disaster recovery site in New Jersey. Two days later, the company was able to resume trading.
Continuity rating: 9
Verdict: The single worst disaster in business history, but most companies fared surprisingly well.
Chicago business district flood
The underground flooding of Chicago’s business district in April 1992 proved to be the largest business disaster in the city’s history. The flooding occurred when construction work along the Chicago River accidentally punctured one of a series of underground freight tunnels originally used for transporting coal and removing ashes from offices in Chicago’s downtown district. As a result, the network of tunnels – which led into the basements of many the business district’s older buildings – quickly filled with water.
Comdisco Disaster Recovery Services received its first declaration before 9:00am on the day of the flooding. By midday, 12 firms had declared 18 individual disasters. By the end of the day, 33 companies had been forced to temporarily relocate to business ‘hotsites’.
According to the Chicago Sun Times, the event cost the city $40 million and it took five and a half weeks to pump out all of the water from the affected buildings.
Continuity rating: 8
Verdict: Although one of the largest business disasters in recent US history, the impact of this accident was mitigated by the disaster recovery plans many businesses already had in place.
Illinois Bell fire
In 1988, the Illinois Bell telephone company suffered a major fire in its Hinsdale switching centre, affecting 38,000 customers and causing an estimated $60 million in damage. According to court reports, the automated switching station, which was capable of handling 3.5 million calls daily, was often unattended. Moreover, the centre had no automatic firefighting systems, and its alarm system rang in a fire station 168 miles away, rather than at the local fire company. As a result the blaze burned for an hour before being discovered, totally destroying the station’s equipment.
Bell had no emergency back-up equipment, which meant customers in Chicago’s western and southwestern suburbs were without service for more than a month. As a result, five class actions suits were filed against the company.
Continuity rating: 2
Verdict: A lack of emergency planning following a catalogue of basic business errors made this disaster much worse than it should have been.
Hotmail hacked
In 1999, Microsoft, the world’s biggest software company, was the victim of one of the Internet’s biggest ever security breaches.
Hackers discovered they were able to circumvent the surprisingly simplistic security measures in place on Microsoft’s Hotmail email servers, giving them access to the contents of around 50 million Hotmail accounts. As a result of the breach, Microsoft was forced to shut down its Hotmail system for 10 hours before posting an apology on its website.
Continuity rating: 3
Verdict: The impact of this security breach was measured mostly in the embarrassment caused for Microsoft.
North American blackouts
The lights went out across large swathes of North America on 14 August 2003, plunging more than 50 million people into darkness and knocking out large sections of the wireless network and many Internet service providers. An astonishing three-in-four companies located in the affected areas were disrupted by the blackout, either directly or through one or more of their suppliers’ systems going down.
The vast majority of the companies affected admitted they were ill prepared for a crisis on that scale. “This blackout demonstrated that most IT departments, especially those in mid-sized companies, are still flying by the seat of their pants,” commented Jason Livingstone, an analyst with research group Info-Tech. But it wasn’t just mid-sized companies that were affected: Automotive giant General Motors had to close more than a dozen of its plants, while rival Ford closed 23.
Continuity rating: 7
Verdict: Although many of the companies affected by the blackout had disaster recovery strategies, few were sophisticated enough to deal with the level of disruption.
Hospital network crash
In 2002, the Beth Israel Deaconess Hospital in Boston USA suffered a network overload that shut down its internal computer networks for almost four days. According to the Boston Globe, a researcher at the hospital literally pulled the plug on a computer carrying out intensive data crunching after being told that his data processing was overwhelming the systems, threatening to grind the hospital’s network to a halt. His action came too late, however, as the data had already become stuck in an endless loop in the network. Technicians shut down part of the network to contain it, but that created a cascade of new problems when the entire system crashed.
Talking to the Boston Globe, John Halamka, the hospital’s chief information officer said, “The message is make sure you’re ready for a massive disruption of your network – whether it’s 9/11 or a natural disaster or whatever.'”
As a result of the crash, the hospital plans to spend $3 million to replace its entire network, doubling its capacity.
Continuity rating: 3
Verdict: Simple capacity load planning could have averted this disaster. A lack of clear system recovery guidelines compounded the problem.
Powergen security breach
In 2000, UK energy utility supplier Powergen had to advise around 7,000 of its customers to cancel their credit and debit cards, following a major security breach on its website. The company was also forced to close down the site and order a complete security review. The breach was caused by John Chamberlain, an IT manager, who had gone to the Powergen site to pay his bill online. Having just watched a BBC programme on Internet security, he decided to test Powergen’s system.
He later told the BBC that in under three minutes he had access to 5,000 credit card details and names and addresses. Compounding the problem, Powergen didn’t contact its customers to tell them of the breach until 12 days later, when the story was reported on technology news site Silicon.com.
Continuity rating: 4
Verdict: When disaster strikes, dealing with the consequences effectively and rapidly is critical.
Credit card numbers theft
Data Processors International, a US credit card transaction company based in Omaha Nebraska, was the victim of a system security breach in February 2003 that, according to the US Secret Service, led to as many as eight million account numbers being stolen. The price of replacing the cards cost the credit card issuers between $32 million and $40 million according to the Nilson Report, a US credit card industry trade journal.
Continuity rating: 5
Verdict: One of the largest thefts of its type in history, and it happened to a relatively small company.
UK fuel crisis
The Autumn of 2000 was a challenging time for UK businesses as demonstrators protesting against high UK fuel taxes shut down fuel deliveries across the country. The crisis was compounded by a spate of floods as well as some severe rail transport chaos. A survey by the UK Institute of Management found that 93% of UK businesses had been disrupted by the fuel crisis, 66 per cent by the rail problems, and 64 per cent by the flooding.
The fuel crisis had an additional knock-on effect when a hacker attacked over 100 corporate websites to post a message of support for the demonstrators. Parts of HSBC’s UK banking site, for example, were offline for three days after the attack on its site.
Continuity rating: 4
Verdict: Disasters do not only come in the form of a single blow; the cumulative effect of a series of events can prove equally as damaging.