Companies ill-prepared for disaster
A majority of companies are not adequately prepared to recover critical IT systems in the event of a disaster.
So said Riaan Hamman, CTO at Puleng Technologies and a member of the Disaster Recovery Preparedness Council, when addressing the ITWeb Business Continuity 2013 Summit this morning in Bryanston.
Hamman highlighted some findings of a survey the council is undertaking.
"'Disaster recovery' are two words all IT managers and business owners fear," said Hamman. "How can we predict disasters? What is the probability of a disaster occurring? Can we quantify that probability? Apparently we can, and it has already been done."
According to Hamman, three out of four surveyed organisations are at risk of failing to recover from a disaster or outage.
"The cost of losing critical applications has been estimated by experts to be $5 000 per minute," he noted, adding that, in the survey, it emerged that some 36% of organisations lost critical apps, virtual machines and critical data files for hours, while 11% lost these for days.
"Especially at today's rate of exchange, that equates to a substantial amount of money. The question is not if a disaster could happen, but when it would occur, how prepared are you for that scenario?"
He added that, according to the study, human error, and software and hardware failures are the biggest causes of outage or data loss. Other causes include power outages and weather issues.
Hamman revealed that a majority of organisations struggle with disaster recovery compliance reporting, and he believes this is an area ripe for automation.
The study discovered that a massive 70% of surveyed organisations need to produce disaster recovery reports for factors such as compliance; 60% find compliance reporting overly difficult, manual and expensive; and 50% have to manually create disaster recovery reports.
According to Hamman, many organisations fall short when it comes to disaster recovery planning. "Disaster recovery planning is an imperfect science clouded in uncertainty and risk." Some 60% of survey respondents indicated they do not have a fully documented disaster recovery plan, and 40% said their disaster recovery plans did not prove useful in their worst disaster recovery events.
The other concern, said Hamman, is that the majority of organisations rarely, if ever, test their plans. "Without testing and verification of disaster recovery plans, most companies really have no idea as to whether they can fully recover their IT systems in the event of a disaster or extended outage," he noted.
According to the study, 50% of the respondents test their disaster recovery plans only once or twice a year, while 13% never test them.
When companies perform disaster recovery tests, he said, 70% do not pass their own tests. "This echoes our grading system, which finds that three out of four companies, even [those] with a disaster recovery plan, are not prepared to recover from a disaster or major outage."
About 50% of respondents who have disaster recovery plans do not document the results of their tests, while only a third of those who test achieve committed SLAs. Only one in four of those who fail their disaster recovery testing actually re-test as a follow-up, the survey discovered.
Hamman also noted that most organisations do not have the skills, time or money to test their disaster recovery preparedness. "For disaster recovery preparedness to improve, companies must automate processes to overcome the high cost in time and money of testing and verifying their disaster recovery plans.
"Testing disaster recovery plans is expensive. Most companies do not see beyond the initial cost, to the cost implications of not being able to recover from a disaster - that will prove to be expensive."