Effectiveness of DR plans questioned

New survey raises concerns over disaster recovery plans

LONDON – Although almost all UK companies back up their critical IT systems and data, more than a quarter of them still do not have a disaster recovery plan in place, according to the 2008 Information Security Breaches Survey (ISBS), which was carried out by a consortium led by PricewaterhouseCoopers on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR).

The survey found that half of those that do have plans fail to test them and that 15% of companies do not take their backups off site. This is despite the fact that 92% of businesses now consider disaster recovery planning an important driver of their IT expenditure.

Some 68% of companies polled believe business continuity in a disaster situation is a very important driver of their information security expenditure, and a further 24% say it is important. Only 2% say it is not very important. And UK businesses are certainly improving their protection: 99% of UK companies back up their critical systems and data, with 86% doing this at least on a daily basis. Some 85% of all UK companies take their backups off site (up from 76% two years ago); 91% of large businesses take their backups off site. Seventy-two percent of all UK businesses have a disaster recovery plan in place, up from 58% two years ago. Among large companies, 91% have a disaster recovery plan.

However, there are still concerns about the effectiveness of these controls. The survey found that 28% of companies do not have a disaster recovery plan in place; almost half of the disaster recovery plans have not been tested in the past year; 10% of companies with a disaster recovery plan do not store backups off site; 31% have no contingency plan in place in case of a systems failure or data corruption incident; and a further 10% found their contingency plan to be ineffective.

The south-west has now overtaken London as the region with the most disaster recovery plans in place (possibly as a result of last year’s floods), but fewer of these plans are tested than in other regions.

“It is encouraging to see that almost every UK business makes backups and the vast majority now take these backups off site. The risks are well understood; it does not take an incident to raise awareness,” said Chris Potter, a partner at PricewaterhouseCoopers who led the survey. “The number of companies with a disaster recovery plan has gone up. However, experience shows that plans are only effective if regularly tested. It is a concern that only half of plans have been tested in the past year.”
