When it comes to disaster preparedness, it would seem that members of the C-suite at many businesses weren’t Scouts — or long ago ceased embracing the Scout motto “be prepared.”
Numerous studies have shown that disaster preparedness continues to be low on the list of priorities for many companies — despite numerous headlines decrying the financial devastation and public relations nightmares resulting from data breaches, hurricanes and a variety of other manmade and natural disasters. (Just ask Target®, Skype™, Snapchat and the many others that have found themselves the subject of disaster-centric headlines whether they wish they had been better prepared.)
The 2011 Numbers
Cyber attacks, human error, epic storms and other maladies are nothing new, and most in the C-suite know that it’s not a matter of if a disaster is going to happen, but when. Nonetheless, many have preferred to hedge their bets and avoid investing in disaster preparedness or, at the very least, making it a priority.
A 2011 study conducted by AFCOM, an association for data center and facilities management professionals, found that more than 15 percent of data centers had no plan for business continuity (BC) or disaster recovery (DR); 50 percent had no formal plan for replacing damaged equipment following a disaster; and two-thirds had no procedures to deal with cybercrime.
The statistics are just as dismaying in the often-cited 2011 study by Symantec, a security, storage and systems management solutions provider. In that report, only 50 percent of small- to medium-sized businesses (SMBs) admitted to having a DR plan in place.
Dismal 2013 Findings
Respondents said up to 50 percent of their applications housed in data centers were considered business-critical, but 7 percent had no DR plan of any kind. More than 70 percent had a snapshot-based DR solution, but only 30 percent had three-fourths or more of their environment protected by a DR plan. The responses were particularly disturbing given that 76 percent of respondents had experienced an outage in the past year — and 42 percent had experienced one in the last six months.
Even more disconcerting — 77 percent were not fully confident their DR plan would work. Thirty-six percent admitted they tested their DR solution only once a year; 18 percent had never tested their DR solution.
Now in 2014, the IT Disaster Recovery Preparedness (DRP) Council — a group formed by IT business, government and academic leaders to increase DR preparedness awareness and improve DR practices — will publish the findings of a study benchmarking disaster preparedness trends among a mix of large and small companies. If the initial results are any indication, it appears many companies have still not learned their lesson when it comes to the value of DR planning and testing.
Preliminary results released in August 2013 showed that 72 percent of survey participants were literally failing in terms of disaster readiness. The study used a common grading system, from A for best to F for worst. Only 28 percent of respondents scored a C or better.
Surprisingly, among those not making the grade for DR preparedness were organizations in highly regulated industries — such as financial services, healthcare and government — where compliance mandates and regulations make DR not just a “nice-to-have” but a requirement. The preliminary findings show:
- One in five financial services respondents citing losses from outages ranging from $100,000 to $5 million;
- One in four healthcare organization respondents estimating losses between $50,000 and $1 million;
- Ninety percent of federal, state and local government respondents saying their DR plans were not adequately funded;
- Forty percent of financial services and healthcare companies indicating a lack of funds for DR; and
- More than half of financial services companies testing DR plans only once a year; government and healthcare were not far behind.
One-third of the respondents also reported the loss of critical applications for hours; 11 percent said they had lost them for days. With the cost of losing critical applications estimated at approximately $5,000 a minute, the financial impact of this downtime is significant. Add in fines or penalties for noncompliance, and things get even uglier.
And the Answer Is…
So what is preventing companies, including those that could face noncompliance and legal ramifications, from making DR planning and testing a priority? Is it the complexity of the task, a lack of expertise or just the belief that disaster only happens to other companies? The good news is that help is out there if businesses are willing to accept it.
There is a wide range of solutions on the market to help companies protect their IT assets in the face of manmade or natural disasters. Some, like those provided by Peak 10, also can help businesses meet some of their compliance obligations.
There’s an investment involved; nothing is free. But working with companies such as Peak 10 that have expertise in DR planning and can tailor solutions to fit specific business needs and budgets can be far more cost-effective than approaching DR planning halfheartedly or not at all — and ending up as another dismal statistic.