While almost every enterprise carries out full scenario testing for their disaster recovery plans, about half of them are not up to snuff, according to an international study.
The research, commissioned by Symantec, polled over 1,000 IT professionals across the U.S., Europe, Middle East, and South Africa. According to the findings, the major barriers to comprehensive disaster plan testing were lack of resources in terms of people and budget, as well as disruption to employees.
"We found that organizations periodically take the burden of doing full scenario testing, but the average frequency of the tests was every eight months," Sean Derrington, director of product marketing and storage management at Symantec, said. "The barriers that we found meant that organizations cannot do this effectively testing with as much frequency as they should."
One of the contributing factors, Derrington said, could be that more enterprise applications are now deemed mission critical. The study found over one-third of applications are deemed mission critical by IT managers.
"And in today's heterogeneous data centers, that means it's going to be across Windows, Unix, and probably even the mainframe," Derrington said.
He said that because of this, over 47 per cent of poll respondents cited employee disruption as a factor in the decreased frequency of their disaster recovery testing, much higher than the 19 per cent who answered the same way in 2003. This means that more of the employee population is being affected during tests, and this ultimately leads to a longer period of time between tests, Derrington said.
Another significant statistic indicated that 88 per cent of surveyed IT professionals carried out a probability and impact assessment for at least one threat, but only 40 per cent carried out these precautions for all threats.
IDC Canada analyst David Senf said that internal threats are most often overlooked by IT managers in favor of external threats. He said that while most Canadian firms understand the likelihood of a threat occurring -- for instance, spam is more likely than cyber terrorism -- enterprises are not as effective at weighing the business impact of these threats.
"So, maybe they'll put spam up around the same level as employee sabotage," Senf said. "We know spam doesn't have the same business impact as an employee who is able to gain access to a system who shouldn't and, either maliciously or unintentionally, lets that information out of the organization."
Senf said that only about one quarter of Canadian firms have a formal and regularly tested disaster plan in place, with most organizations having an ad hoc plan in place.
"Oftentimes it's a plan that doesn't cover the entire organization and is tested in some spots, but not in others," Senf said.
Symantec said that what is needed, and lacking, in most companies is a risk assessment plan. A comprehensive disaster recovery plan, according to Derrington, includes the proper technology, people and process. To develop this plan, he said it is crucial for the IT department to sit down with business executives to create and understand a risk assessment strategy. But, as the study showed, 77 per cent of CEOs are failing to take an active role in disaster planning, which is part of the problem, according to analysts like Senf.
"Management needs to be taking an active role because business continuity planning is about managing risk and to be able to know what risks to focus on and what not to worry about," Senf said. "In other words, management needs to decide where they are going to spend and get the biggest bang for their buck, and if they're not doing that from a holistic standpoint across the organization they can't protect against the largest threats. Canadian organizations have told us that the lack of management buy-in and support for business continuity and disaster recovery planning is a key reason why organizations are failing."
While this may seem like a daunting task for companies not yet engaging the entire business in disaster recovery planning, Derrington reminded enterprises that this is a living process. He said that in order to be effective, these plans need to be updated on a periodic basis, which means that they will also have to be tested on a periodic basis.