Companies still fail to test disaster recovery plans regularly

More than 60 per cent (62 per cent) of companies surveyed in the UK and Germany say that they either test their disaster recovery plan either less than once a year, or do not test it at all, according to new research undertaken by Kroll Ontrack.

Despite multiple warnings about the consequences of failing to have a robust disaster recovery plan in place, the new study found that only 38 per cent of respondents said that their enterprise tested its disaster recovery plan on a regular basis. Only nine per cent of companies test their plan every one to five months and another 29 per cent every six to 12 months.

The findings follow a report by IDC earlier in 2015, which found that a typical Fortune 1000 company experiences an average loss of $100,000 (£66,470) per hour when struck by infrastructure failure and additional costs of between $500,000 and $1 million (£660,000) when faced with a critical application failure.

While half the companies surveyed by Kroll Ontrack had not experienced an IT disaster in the previous three years, more than a third had to invoke their disaster recovery plan. While the majority of these companies had to invoke their plan between one and five times, a small minority were forced to undertake disaster recovery measures more than 10 times in the last three years.

Another concern raised by Kroll Ontrack’s new study is that even though employees’ mobile devices are now an important element of corporate IT infrastructure, this hasn’t been accounted for by most companies’ disaster recovery plans. Almost half (48 per cent) of respondents said that their plans do not cover mobile devices used by employees to access corporate systems.

In a separate poll undertaken in the UK, almost half of respondents (46 per cent) said that they didn’t have a disaster recovery plan in place at all, while a quarter (24 per cent) said that they didn’t know whether they had a plan or not.

Kroll Ontrack has developed a free data recovery plan template that businesses can use to build their own plan together with guidance on what needs to be included. It recommends that any plan should take into account the following:

  • IT services: Which business processes are supported by which systems? What are the risks?
  • People: Who are the stakeholders, on both the business and IT side, in a given DR process?
  • Suppliers: Which external suppliers would you need to contact in the event of an IT outage? Your data recovery provider, for example.
  • Locations: Where will you work if your normal premises are rendered inaccessible?
  • Testing: How will you test the DR plan?
  • Training: What training and documentation will be provided to end users?