Disaster recovery planning is key in the modern-day business environment

04 November 2024

Stephen Young, Executive Director, Assurestor

The scale, destructiveness, frequency and cost of cyberattacks are a major concern for many organisations, with the cycle of deploying, upgrading and testing the latest security defences all-pervasive. Often overlooked in this seemingly never-ending cycle of prevention and protection are the nuances in what we call the ‘recoverability factor,’ a company’s readiness to respond to and recover from a major disaster.

But with 78% of senior IT professionals admitting in a recent Assurestor survey that their organisation has lost data due to a system failure, human error or a cyberattack in the past 12 months, there’s a clear message here that protection measures are being breached regularly.

Knowing that at some point your data, and your business, will be threatened, focus then shifts from security and prevention to recovery. The operational, financial or reputational implications can be catastrophic, so reducing the amount of data impacted and increasing the speed of recovering operational status become the priority.

However, just 54% of IT respondents felt confident that they could recover their data and mitigate downtime in a future disaster. Unfortunately, during a hectic recovery phase, there are no second chances to conceive a new disaster recovery strategy. Businesses must execute on the plan they have implemented.

Low confidence leaves questions

The fact that most survey respondents lack confidence in their own recovery systems is a concern, with almost 40% describing a lack of technical skills or expertise in-house, 29% pointing to a lack of investment or budget and 28% criticising the lack of senior support.

In isolation, each of these may leave many feeling uneasy, but when looked at in their entirety, they leave organisations with significant questions about their ability to survive a serious data threat or significant downtime.

We only need to look at the recent global outage that affected organisations across multiple sectors, from airlines to healthcare. While not a traditional data breach, it’s been estimated to cost businesses up to $1.5 billion and is proof that no-one can afford to be complacent.

Measuring business readiness

Currently, there is no way to measure business readiness to recover from a major data threat or system failure, with the worst possible outcome impacting the very viability of the business.

Recoverability is no longer a choice but must be part of a company’s fitness agenda. Support from the top down is critical, as is sufficient funding to avoid fostering a culture of complacency. I strongly believe that if those tasked with protecting the business in the event of system failure, an attack or human error do not feel that threats are taken seriously enough, then their approach and attitude may well reflect this.

Any business evaluating their recoverability procedures and solutions in the face of an increasingly challenging IT landscape should consider the following five-point checklist as part of their planning process:

  1. Test, test and test again: Put in place a well-structured recovery environment to optimise data recovery testing and ensure it can be conducted in the least disruptive way to the business. Solutions are now available that run testing without consuming vital resources or impacting the day-to-day production environment, allowing for business-as-usual.
  2. Consider a Chief Recovery Officer: Many put their faith – and ability to recover – into the hands of a small group or one individual. Consider what the role of a Chief Recovery Officer with more defined responsibility would look like as part of a broader team that includes IT, security and risk management collaboration, and one who reports to the Board on the business’ ongoing recoverability status.
  3. Redefine ‘disaster’: The traditional image of fire, flood and acts of God is outdated. The increasing threat and sophistication of cyberattacks is the new reality. When, not if, your security is compromised, and your backup data is potentially unavailable, what exactly is your foolproof backup plan?
  4. Fail to plan, plan to fail: Two-thirds of our survey respondents said they review and update disaster recovery plans at least every six months, but this leaves planning open to falling down the priority list. Disaster recovery and data backup are a priority that all business functions should push for, and plans should be adapted to meet any newly identified requirements after frequent recovery testing.
  5. Calculate your downtime: How long can you afford to be down? Do some napkin maths on what the cost of just one hour of downtime would be. Can you afford to lose any data without significant impact? Without this visibility your recovery plan may be flawed.