New survey raises serious concerns about the effectiveness of disaster recovery plans

Although almost all UK companies back up their critical IT systems and data, more than a quarter of them still do not have a disaster recovery plan in place. Half of those that do have plans fail to test them. Also, 15% of companies do not take their backups off-site. This is despite the fact that 92% of businesses now consider disaster recovery planning an important driver of their IT expenditure.

These are among the early findings of the 2008 Information Security Breaches Survey (ISBS), carried out by a consortium led by PricewaterhouseCoopers LLP on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR). The full results of the survey will be launched at Infosecurity Europe in London, 22-24 April (www.infosec.co.uk).

The survey shows that 58% of UK businesses would suffer significant business disruption if their IT systems were not available for a day – the highest figure recorded since the surveys began. This rises to 70% of large companies.

Some 68% of companies polled believe that business continuity in a disaster situation is a very important driver of their information security expenditure, and a further 24% say it is important. Only 2% say it is not very important.

As a result, UK businesses appear better protected than ever:

  • 99% of UK companies back up their critical systems and data; 86% do so at least daily.

  • 85% of all UK companies take their backups off-site (up from 76% two years ago); 91% of large businesses take their backups off-site.

  • 72% of all UK businesses have a disaster recovery plan in place, up from 58% two years ago. 91% of large companies have a disaster recovery plan.

However, there are concerns about the effectiveness of these controls:

  • 28% of companies do not have a disaster recovery plan in place.

  • Almost half of the disaster recovery plans have not been tested in the last year.

  • 10% of companies with a disaster recovery plan do not store backups off-site.

  • When companies suffered a systems failure or data corruption incident, 31% had no contingency plan in place and a further 10% found their contingency plan to be ineffective.

The south-west has now overtaken London as the region with the most disaster recovery plans in place (possibly as a result of last year’s floods), but fewer of these plans are tested than in other regions.

Chris Potter, partner, PricewaterhouseCoopers LLP, who led the survey, commented:

“It is encouraging to see that almost every UK business makes backups and the vast majority now take these backups off-site. The risks are well understood; it does not take an incident to raise awareness.

“The number of companies with a disaster recovery plan has gone up. However, experience shows that plans are only effective if regularly tested. It is a concern that only half of plans have been tested in the last year.”

Martin Sadler, Director of HP’s Systems Security Lab at HP Labs Bristol, one of the consortium members responsible for the survey, added:

“There has been an explosion of information within businesses. Acquiring, analysing and delivering the right information to people so they can act on it is a major challenge for companies. The volume of data, and companies’ dependence on it, pose significant backup challenges for them.

“Increasingly, businesses need to back up their data more frequently. One in five large companies now automatically replicates transaction data to an off-site location as those transactions occur. Companies of all sizes are now using storage area networks to organise their data better.

“Taking backups off-site poses its own security risks. Historically, backups have tended to be unencrypted to minimise the effort to restore data. More companies are now considering whether they ought to be encrypting their backups.”