Disaster recovery implementations are on the rise. But testing of these plans has lagged behind the pace of change at most organizations. The infrastructure of most large orgs is complex and dynamic in the best of times. Consider how much has changed in your business since February 2020. Has your disaster recovery plan been tested since your workforce went remote? Pandemic notwithstanding, what else has changed in your organization in the last 18 months?
The frequency of disaster recovery testing must mirror the pace of change. A January 2021 whitepaper from iland reveals where enterprises are struggling with disaster recovery and disaster recovery as a service. The results may help you as you implement new and better protocols for DR.
DR and DRaaS 101
Disaster recovery is the method by which an organization regains access to and functionality of its IT infrastructure after any type of negative event. Most organizations replicate data and processing in an off-site location that cannot be affected by the negative event.
DR plans typically include a dedicated recovery team, risk evaluation, business-critical asset identification, backups, and testing/optimization.
Many companies are moving to a DRaaS model where a third party provides DR through a software solution. Data and IT infrastructure are backed up to a cloud computing environment that is unlikely to be impacted by negative events within the organization.
Disasters Versus disasters
The word “disaster” probably brings the wrong things to mind when we talk about information security. Yes, a tornado could potentially take out your office building. Or the whole place could burn to the ground in a wildfire.
But the disasters your DR plan is mostly likely to be up against are much more mundane. Employees delete data. The sprinkler system in your building leaks. Your hardware overheats. Or the local utility company severs your power or network connection. And don’t forget ransomware attacks!
Despite all the AI integrated into systems, these human errors are not going away. The physical world will still intrude on virtual systems. Your DR plan has to be ready for it all.
Disaster Recovery in the Real World
IT services provider iland recently surveyed 150 UK enterprises on their DR plans and plan testing. All respondent companies employed a minimum of 500 people. The results offer a strong reminder that most companies are not paying enough attention to DR.
iland found that only 54% of organizations surveyed have any type of company-wide disaster recovery plan in place. Of those 81 companies, half test their plan annually or less often than annually. A shocking 7% of companies who took the time to make a plan have never tested it.
For companies that have tested their DR plan, zero (none, nada) felt that their plan was completely successful. 44% found their plan to be inadequate. 22% encountered issues that would result in sustained downtime. And another 22% found issues but felt that they would recover between 1 day and 1 week.
The top four problems experienced during recovery testing were networking issues; data integrity problems; service unavailability; and application performance issues.
Consider, too, that 85% of the companies surveyed had experienced a failure at some point. They know it’s going to happen, yet they still aren’t testing their plans!
Ransomware: Remediation Versus Prevention
The best DR plans acknowledge the reality we live in. And today’s reality is that most organizations are less focused on preventing security breaches than they should be.
If your organization is relying on recovery in the event of a breach, you need to be ready to actually recover. Your DR plan needs to be robust and crystal clear to all stakeholders. It also needs frequent testing and updating. Remember: most companies surveyed found their DR plan to be inadequate on some level. This means that yours is probably lacking too.
Give Serious Consideration to DR
The pace of change is not going to slow down. The iland research shows that too many organizations are giving inadequate attention to keeping their disaster recovery plans up to date. The status of DR needs serious consideration right now. Ask your IT leadership what the plan is and when was the last time it was tested. If it hasn’t been tested, make it a goal to do so in the next three months or less.