New Survey Raises Serious Concerns about the Effectiveness of Disaster Recovery Plans

The Survey Shows That 58 Percent of UK Businesses Would Suffer Significant Business Disruption if Their IT Systems Were Not Available for a Day

(14.04.08) - Although almost all UK companies back up their critical IT systems and data, more than a quarter of them still do not have a disaster recovery plan in place. Half of those that do have plans, fail to test them. Also, 15 percent of companies do not take their backups off-site. This is despite the fact that 92 percent of businesses now consider disaster recovery planning an important driver of their IT expenditure.

These are among the early findings of the 2008 Information Security Breaches Survey (ISBS) carried out by a consortium, led by PricewaterhouseCoopers LLP, on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR).

The survey shows that 58 percent of UK businesses would suffer significant business disruption if their IT systems were not available for a day - the highest figure recorded since the surveys began. This rises to 70 percent of large companies.

Some 68 percent of companies polled believe that business continuity in a disaster situation is a very important driver of their information security expenditure, and a further 24 percent say it is important. Only 2 percent say it is not very important.

As a result, UK businesses appear better protected than ever:

· 99 percent of UK companies back up their critical systems and data. 86 percent do this at least on a daily basis.

· 85 percent of all UK companies take their backups off-site (up from 76 percent two years ago); 91 percent of large businesses take their backups off-site.

· 72 percent of all UK businesses have a disaster recovery plan in place, up from 58 percent two years ago. 91 percent of large companies have a disaster recovery plan.

· However, there are concerns about the effectiveness of these controls:

· 28 percent of companies do not have a disaster recovery plan in place.

· Almost half of the disaster recovery plans have not been tested in the last year.

· 10 percent of companies with a disaster recovery plan do not store backups off-site.

When companies suffered a systems failure or data corruption incident, 31 percent had no contingency plan in place and a further 10 percent found their contingency plan to be ineffective.

The south-west has now overtaken London as the region with the most disaster recovery plans in place (possibly as a result of last year’s floods), but fewer of these plans are tested than in other regions.

Chris Potter, partner, PricewaterhouseCoopers LLP, who led the survey commented:

"It is encouraging to see that almost every UK business makes backups and the vast majority now take these backups off-site. The risks are well understood; it does not take an incident to raise awareness.

"The number of companies with a disaster recovery plan has gone up. However, experience shows that plans are only effective if regularly tested. It is a concern that only half of plans have been tested in the last year."

Martin Sadler, Director of HP’s Systems Security Lab at HP Labs Bristol, one of the consortium members responsible for the survey, added:

"There has been an explosion of information within businesses. Acquiring, analysing and delivering the right information to people so they can act on it is a major challenge for companies. The volume of data, and companies’ dependence on it, pose significant backup challenges for them. Increasingly, businesses need to back up their data more frequently. One in five large companies now automatically replicates transaction data to an off-site location as those transactions occur. Companies of all sizes are now using storage area networks to organise their data better.

Taking backups off-site poses its own security risks. Historically, backups have tended to be unencrypted to minimise the effort to restore data. More companies are now considering whether they ought to be encrypting their backups." (PricewaterhouseCoopers: ra)