UK businesses adopt a “concerning Titanic mindset” to data recovery and disaster protection

Senior IT professionals lack confidence in recovery solutions, despite 78% losing data in the last 12 months

Professionals admit that their organisation has lost data due to system failure, human error or a cyberattack in the past year. Yet, despite the experience, many still lack confidence in their data recovery technology and testing capabilities. This is according to new research into business resilience in an increasingly hostile cyber landscape, published by business protection and recovery specialist Assurestor, who warns that a “concerning Titanic mindset” is putting data – and entire businesses – at risk.

While 78% of respondents have suffered data loss at least once in the past 12 months, only a little more than half (54%) are confident they could recover their data and mitigate downtime in a future disaster. One in four is not confident in recovery solutions that include tape backup and cloud backup. Backup-as-a-Service (BaaS) and Disaster Recovery-as-a-Service (DRaaS) prompt the highest levels of confidence at 63% and 56% respectively.

Most businesses not meeting the testing ‘Gold Standard’

Of IT professionals interviewed, just 5% say they test monthly, which Assurestor considers to be the ‘Gold Standard for true recoverability’. One in five (20%) admit to testing just once a year or less. Of those that do test more regularly, 60% of respondents check their data is fully recoverable and usable only once every six months.

Commenting on the findings, Stephen Young, Executive Director at Assurestor, says: “Absolute reliability in your systems and data recovery is non-negotiable. If there is even an iota of doubt, it’s an open door for challenges. This uncertainty needs to be identified and addressed before disaster strikes. The fact that only just over half of respondents think their data is recoverable is a concern; this figure should be much nearer to 100%. Otherwise, how can your ‘readiness for recoverability’ be reported confidently to the Board and senior stakeholders? Confidence comes from identifying a company’s realistic needs, without compromising on cost – and thoroughly testing, repeatedly.”

He adds: “What we are seeing is what we call a ‘Titanic mindset’ when it comes to data recovery. Organisations are thinking they’re unsinkable – until they’re not. The recent global outage, while not a traditional data hack, has been estimated to cost businesses up to $1.5 billion and is proof that no organisation can afford to be complacent regarding downtime. Closer to home, last year’s Rhysida attack at the British Library highlights the impact of a cyberattack on an organisation operating with legacy systems and security in today’s aggressive cyber environment.”

The survey of senior IT professionals (including CTOs and CIOs) also highlights:

● Recoverability needs to be on the business ‘fitness agenda’. When it comes to the core challenges in disaster recovery planning, 39% of respondents point to ‘lack of skills/expertise in-house’, 29% say ‘lack of investment or budget’, and 28% criticise ‘lack of senior support’. Assurestor adds: “Lack of top-down support in the way of insufficient funding can foster a culture of complacency, even apathy. If those tasked with protecting the business in the event of a data issue, attack or human error do not feel that threats are taken seriously – or understood – enough, then their approach and attitude may well reflect this.”

● Today’s data disasters impact more than just IT systems. The biggest impacts for IT professionals suffering a disaster leading to irrecoverable data are financial loss (35%), customer service implications (30%) and operational downtime (28%). 16% of respondents admit it would likely force the closure of the business.

Providing award-winning recoverability, data backup, disaster recovery (DR) and protective technology solutions, Assurestor has created a checklist to help businesses evaluate their recoverability procedures and solutions in the face of an increasingly challenging IT landscape:

1. Test, test and test again: Put in place a well-structured recovery environment to optimise data recovery testing and ensure it can be conducted in the least disruptive way to the business. Sophisticated solutions are now available that run testing without consuming vital resources or impacting the day-to-day production environment, allowing for business-as-usual.

2. Consider a Chief Recovery Officer: Many put their faith – and ability to recover – into the hands of a small group or one individual. Consider what the role of a Chief Recovery Officer with more defined responsibility would look like as part of a broader team that includes IT, security and risk management collaboration, and one who reports to the Board on the business’ ongoing recoverability status.

3. Redefine ‘disaster’: The traditional image of fire, flood and acts of God is outdated. The increasing threat and sophistication of cyberattacks is the new reality. When, not if, your security is compromised, what is your backup plan?

4. Fail to plan, plan to fail: Two-thirds of survey respondents say they review and update DR plans at least every six months, but this still leaves DR planning open to falling down the priority list. DR and data backup are a priority that all business functions should push for, and plans should be adapted to meet any new requirements after each recovery test.

5. Calculate your downtime: How long can you afford to be down? Do some napkin maths on what the costs of just one hour of downtime would be. Can you afford to lose any data without significant impact? Without this visibility your recovery plan may be flawed.

Business readiness for a ransomware attack

The growing threat

The threat from ransomware is growing with the sophistication of the attacks – and technical ability of the attackers – constantly challenging the security measures implemented by businesses striving to protect their systems and data in an increasingly hostile cyber environment.

It’s no longer a case of if a business is attacked, but when, and, at that point, how ready is the business to recover effectively and efficiently from such an attack? There are few second chances when the stakes are so high.

A recent Sophos survey indicated 59% of global businesses were hit by some form of ransomware. 94% of businesses indicated that the attackers had attempted to compromise their backup systems, with 57% being successful.

Assessing the ability of a business to fully recover has never been more urgent, with the emphasis on preparing proactively. Identifying any flaws in the plan, or in the recovery technology deployed, is a crucial task in a business fitness test.

Fully testing the recoverability of an organisation requires frequent testing – and this can only be carried out effectively if the testing process is non-disruptive, quick, simple and encompasses the business’ entire system and data. Crucially, the skillset and prior experience of staff charged with conducting a successful recovery need to be factored in for a requirement so nuanced and potentially infrequent.

When the chaos and stress of a business-threatening ransomware attack is unfolding, discovering unnoticed or overlooked flaws in the recovery plan – alongside a lack of skills and experience in business recovery – is irresponsible business practice. Having the confidence to invoke an extremely well-tested and orchestrated business recovery process is critical. When security is compromised, this could be the only opportunity to thwart the attempts of cyber criminals to extort significant, often even business-ending, sums from the business.

Cloud provider effectiveness

MSPs are ideally positioned to offer DRaaS and BaaS platforms that provide non-disruptive disaster recovery testing, enabling teams charged with business recovery to carry out full and frequent tests without impacting production environments. Additionally, the separation of cloud recovery systems from the production environments adds another layer of much-needed protection.

MSPs specialising in disaster recovery technologies can significantly improve the recovery of an organisation when struck by ransomware. MSPs will have the experience, exposure and expertise to advise on effective techniques and services to deploy, balancing business requirements with available budgets and keeping RTOs and RPOs realistic and achievable.

MSPs can remove many of the concerns for organisations when considering and budgeting for disaster recovery solutions, including: the capital cost of the hardware and software required; the ability to scale up or down as business needs change; the necessary skills required to maintain such a system and invoke a recovery when needed; and the ongoing maintenance costs and inevitable renewal costs.

An update to your approach

Now is the time to shift thinking within IT teams, but also the wider business, about the potential for risk and the collaborative efforts required to protect the business from what will become an undeniable set of threats.

The recommended rhythm and cadence of testing might seem unrealistic, or even unachievable with the current technology deployed within a business. That’s OK. What we strongly believe is that by setting in place a new standard – even if simply an improvement on the status quo at first – businesses can create a necessary shift in mindset towards recoverability and data usability. Setting this new operational standard will undoubtedly place the business in a better state of readiness to recover from a major issue, as and when it happens.