Survey raises concerns over effectiveness of disaster recovery plans

These are among findings of the 2008 Information Security Breaches Survey (ISBS), carried out by a consortium, led by PricewaterhouseCoopers, on behalf of the Department for Business, Enterprise & Regulatory Reform (BERR). The study also finds that 15% of companies do not take their backups off-site – in spite of the apparent fact that 92% of businesses now consider disaster recovery planning an important driver of their IT expenditure. And in spite of the survey’s finding that 58% of UK businesses would suffer significant business disruption if their IT systems were not available for a day – rising to 70% with large companies. The bottom line: although the study does find UK companies better protected than ever, the alarming fact is that, when companies suffered a systems failure or data corruption incident, 31% had no contingency plan in place and a further 10% found their contingency plan to be ineffective. Says Chris Potter, one of the partners at PricewaterhouseCoopers , who led the survey: “The number of companies with a disaster recovery plan has gone up. However, experience shows that plans are only effective if regularly tested. It is a concern that only half of plans have been tested in the last year.” And Martin Sadler, Director of HP’s Systems Security Lab at HP Labs Bristol, adds: “Increasingly, businesses need to back up their data more frequently. One in five large companies now automatically replicates transaction data to an off-site location as those transactions occur. Companies of all sizes are now using storage area networks to organise their data better. “[But] taking backups off-site poses its own security risks. Historically, backups have tended to be unencrypted to minimise the effort to restore data. More companies are now considering whether they ought to be encrypting their backups.” The full results of the survey will be launched at Infosecurity Europe in London, 22-24 April www.infosec.co.uk.