Security Experts:

Disaster Recovery: Confidence High, Experience Low

With everything moving to the cloud, it is little surprise that Disaster Recovery (DR) is now also offered as cloud-based DRaaS. The majority of organizations still employ on-premise DR, but cloud usage is growing. A new survey investigates how and why UK businesses are employing DR; how they rate their existing DR readiness, and whether they are considering a move to cloud.

An Opinion Matters survey, which questioned 250 IT decision makers, was commissioned by iland. iland is a US-based cloud infrastructure provider with eight data centers in the US, UK and Singapore. In Gartner's 2016 Magic Quadrant for DRaaS it was placed squarely among the leaders.

The majority of outages are still caused by system failure (reported by 53% of respondents) closely followed by human error (52%). Cyber attacks are relatively low in comparison at 32%, while environmental issues (flood, storm, fire and power outages) are even lower at 20%.

What is immediately apparent from the survey is that DR is a necessity rather than a luxury -- 95% of respondents admitted to an outage over the last 12 months. Beyond the clear implication of these figures (that an outage will almost certainly happen), things get a bit confused. Confidence is high, but experience is poor. Ninety-eight percent of respondents claimed that employees would have post-disaster access to systems within 24 hours, while 27% claim access would be immediate.

Experience, however, throws doubt over such claims. Confidence in a successful DR failover was only substantiated in 38% of cases. Fifty-eight percent of respondents experienced issues during a failover. Forty percent had been confident in the process -- but 30% experienced issues, and 10% experienced significant issues.

There seems to be a clear understanding of the business impact of an outage. Eighty-three percent of respondents would expect 'significant impact' from an outage lasting hours. However, 4% predict 'catastrophic impact' within seconds, 2% within minutes, and 7% within hours. The obvious conclusion from such figures is that organizations are over-confident in their ability to mitigate a critical incident through disaster recovery.

"In today's business world, the question is no longer if a company will need to trigger a disaster recovery plan, but when," said Justin Giardina, CTO at iland. "This study shows there is work to be done, as teams seem to put too much confidence into inadequately tested systems."

Training and testing is indeed another confused issue. Nearly two-thirds of respondents claim to have a trained team and regular testing -- and yet the issues continue. The remaining 37% have either lightly trained or untrained teams, while testing is infrequent or non-existent.

Needless to say, DRaaS removes or limits organizations' need for trained on-premise staff; so iland was particularly interested in reasons for companies not to move to a cloud solution. Nearly two-thirds of the on-premise users cited concerns over security and compliance as reasons to stay on-premise. These are indeed complex issues, but in many cases established cloud providers can provide improved security -- especially in areas of limited data use in the cloud. Compliance, especially with national or regional data protection laws, is also complex -- but Monica Brink, director EMEA marketing at iland, confirmed that iland always adheres to the local laws pertaining, and has its own experts continuously monitoring new developments (such as GDPR).

Without these hindrances, DRaaS becomes an attractive proposition. Brink told SecurityWeek that an increasing number of companies, both large and small, are beginning to adopt DRaaS. The reality is that cloud is now offering lower costs and the potential for almost zero downtime with greater ease, reliability and efficiency.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.