disaster

Disasters and security incidents happen. It is a fact. The problem is that organizations are still planning a response to these situations with little time, despite the fact that most of them have been forced to use a disaster recovery plan in the past 24 months. This is shown in a study by Gartner carried out in several countries highlighting this aspect (how these business continuity plans are managed and how the information security is safeguarded, what is their IT budget to accelerate the service restoration, etc.), which shows some of the most common disaster recovery management mistakes and discusses the key points to avoid them.

Short-sighted companies

In the report, made after interviewing more than 900 companies from six countries (United States, Canada, United Kingdom, Germany, India and Brazil), the consulting firm reveals that 75% of companies surveyed plan business continuity strategy just seven days in advance or even less. A striking fact that is striking when 86% of institutions claim to have had to implement a disaster recovery plan (which includes the recovery of the business, a crisis or incident management, the management of disaster recovery from the IT point of view, the availability of third parties or suppliers etc.) in the past 24 months.

Moreover, according to another report, this time made by Swiss Re, a company in the insurance sector, the number of natural and man-made disasters has increased exponentially in the last 40 years. While between 1970 and 1985 there were less than 100 disasters per year on average, between 1986 and 2013 there were 150, 2005 being by far the worst year (with more than 250 incidents that year).

Lack of capacity to determine their plans’ effectiveness

Another error detected by Gartner is the inability of most organizations to establish whether or not the business continuity plan they have defined is effective. Only 35% of the surveyed organizations surveyed dealt with exercises to test the effectiveness of their plan, just 30% used metrics for this purpose and 27% used score cards. At least half rely on audit reports, a practice somewhat weaker than the previous options, says Gartner.

incident management

Recovery Time and budget

As for the recovery time from a disaster, it is also generally high. Seventy six percent of the participants in the survey claimed that their business and their company’s systems are operational in 24 hours. Only 35% indicated that they are able to fix their systems in less than four hours.

The report also showed which sectors are more willing to increase their IT budget to improve their response to disasters. These are the health sector (this is what 71% of the respondents in this segment of the survey believe), communications (63%), transport (56%), banking (54%), and retail (52%). Contrary to these only 36% of the utilities and public sectors interviewees expect to increase the amount for this area in 2015. Furthermore, 9% of the respondents of these last two sectors believe that the IT budget for disaster recovery will be reduced this year.

Monitoring and management tools

Interestingly, as the study denotes, companies that have a greater degree of maturity in managing business continuity plans used software that facilitates this aspect and others such as monitoring certain parameters, from risk management to analysis of the incidents’ impact on the business and the disaster recovery plan management process. In general, 50% of the consulted organizations have acquired some of these tools in the past 12 months. Also gaining ‘market points’, are early warning systems of natural disasters (used by 32% of the companies), climate (24%), geopolitical (23%) and other aspects that may cause disruption of the business.

Extra effort to reduce the applications’ unplanned downtimes

A remarkable and positive aspect of the report is the growing number of IT managers who are starting projects in order to reduce (if not eliminate) the unplanned downtime of applications. According to Gartner, 40% of falls occur due to failures in the application (bugs, performance problems, or changes that cause problems); 50% are due to errors in operations, 20% are due to the hardware (problems on servers, networks…), operating systems, environmental factors (related to overheating, for example) and disasters.

“Statistics show the importance of establishing and maintaining a program focused on reducing, if not minimizing, the duration of unexpected downtimes and its impact on operations”, says the study along these lines.

Recommendations

Finally, from Gartner, they provide some advice to organizations who want to improve their business continuity plans and their disaster recovery policy.

  • Define a longer-term program, at least three years.
  • Use this program to know the largest time frame an organization can support when there has been a disaster or other incident involving a business interruption.
  • Check what insurance is held by the company in the event of a situation like this and act accordingly.
  • Analyze the use of tools that allow monitoring and managing business continuity plans to help standardize the strategy and to provide real time analytics and an x-ray of the operational area that allows managers to make better decisions during a crisis, incident or disaster.