disaster recovery directions - macquarie...

Page 1: Disaster Recovery Directions - Macquarie Telecominfo.macquarietelecom.com/rs/macquarietelecom/images/Disaster... · obligations based on ASX and SOX ... 7 | Disaster Recovery Directions

Conducted by

A Research Report from

Disaster Recovery Directions

2013 / 2014

How Australian businesses are dealing with today’s Disaster Recovery challenges

25 October 2013

VERSION 2, RELEASED

CONTENTS

EXECUTIVE SUMMARY

ABOUT THIS REPORT

  INTRODUCTION

  ABOUT ZDNET AND CBS INTERACTIVE

  ABOUT MACQUARIE TELECOM

OVER THREE-QUARTERS OF BUSINESSES HAVE DISASTER RECOVERY COMPLIANCE OBLIGATIONS

MOST BUSINESSES HAVE DISASTER RECOVERY PLANS, BUT TEST THEM INFREQUENTLY

  MOST BUSINESSES HAVE A DISASTER RECOVERY PLAN

  DISASTER RECOVERY TESTING IS INFREQUENT IN MOST BUSINESSES

  ALMOST THREE-QUARTERS OF BUSINESSES TEST LESS FREQUENTLY THAN THEY WOULD LIKE

DR TEST METRICS AND OUTCOMES

  RECOVERY TIME AND RECOVERY POINT OBJECTIVES ARE CHALLENGING

  TESTING RESULTS SHOW DR OBJECTIVES ARE NOT ALWAYS ACHIEVED

A VARIETY OF DR APPROACHES ARE IN USE

  ON-PREMISES DR CAPABILITY STILL MOST COMMON

DR BUDGETS VARY CONSIDERABLY

METHODOLOGY AND RESPONDENT DEMOGRAPHICS

  INTRODUCTION

  RESPONDENT ORGANISATIONS

Executive Summary

Australian organisations increasingly rely on information and communications technology (ICT) to connect with customers and deliver services. ICT offers great benefits to businesses, but also brings potential vulnerabilities if systems become unavailable. As a result, businesses must make adequate provision to enable business continuity for mission critical processes – and in a cost-effective way.

Balancing these demands is important for all businesses – there are many examples of disaster-affected businesses that failed to recover. The threat of business disruption is not the only driver for businesses in making responsible provision for disasters. Compliance requirements for large businesses and for those in critical industries such as the finance sector make boards responsible for providing adequate disaster recovery precautions.

This research study looks at how Australian organisations with 200+ staff deal with their disaster recovery (DR) challenges. The key findings are:

Over three-quarters of businesses have DR compliance obligations

While industry-specific obligations are most common, respondents also report compliance obligations to government or other regulation such as Sarbanes-Oxley.

These regulations should not be taken lightly – in some cases Boards are responsible for ensuring compliance is appropriate to the organisation’s operations.

Regulations also stipulate the need for regular testing and review of disaster recovery/business continuity plans.

While most businesses have disaster recovery plans, they test their plan infrequently

Almost nine out of every ten businesses have a DR plan.

Only one-third (33%) of businesses test their DR plans more than once a year.

The remaining two-thirds risk their DR plans becoming outdated: if they don’t test their DR plan often, how do they know it’s still appropriate?

Businesses would like to test DR plans more frequently but obstacles frustrate them

67% of businesses face resource and/or cost challenges in optimising their DR test plans.

48% say it takes too much time and effort to arrange and execute DR tests.

23% report cost and resource obstacles prevent more frequent testing.

Only 29% say they are testing as frequently as they’d like.

Respondents report challenging DR metrics for recovery time objectives (RTO) and recovery point objectives (RPO)

Close to two-thirds (64%) of businesses have a target of 4 hours or less to re-establish systems and processes following a disaster or disruption.

Almost one-fifth (19%) are so reliant on IT systems they need to recover in less than one hour.

Test results indicate room for improvement

58% of businesses do not meet their RTO target every time they run a DR test.

Even though the remaining organisations meet their targets “most times”, that still leaves doubts – would a real disaster be like most times, or like one of the times where targets aren’t met?

10% frequently fail to meet RPO targets, and 8% frequently miss RTO targets – the DR plans in these businesses are not fit for purpose, and need improvement.

Almost two-thirds of businesses depend partly or completely on on-premises DR capabilities

60% of businesses depend partly or wholly on DR capabilities based in their premises. 34% of businesses have on-premises DR capabilities only. That’s a high risk should a disaster destroy those premises or render them inaccessible.

A further 26% provide DR from a mix of on-premises and off-premises assets, either hosted or hosted private cloud, or public cloud.

32% have a DR capability hosted off-premises (but not public cloud). These organisations stand a better chance to avoid disruption from local disasters than others that rely only on on-premises DR. Only 2% have DR capabilities provided solely via public cloud.

Respondents report annual DR budgets as low as $5K or less all the way up to $100K and above

Almost one-half (46%) of respondents have to make do with a DR budget of less than A$10K.

More than one-quarter (28%) have a DR budget worth between $10K and $50K.

A smidgen over one-quarter (26%) have DR budgets of $50K or more.

Many businesses are making responsible plans to mitigate IT disaster risks, and are following through by investing appropriately in DR, and in testing plans regularly. However, others need to do more to provide adequate protection:

13% of businesses don’t have a DR plan – they need to get one.

25% of those with a DR plan test it less than once a year or not at all, and 37% test once a year. All of these businesses need to be testing DR plans more often.

Time, effort and resource challenges prevent most businesses from testing DR plans more often. These businesses should review available DR approaches, and keep up to date with new services such as public cloud that may better suit their budgets.

While 42% of businesses meet DR targets every time they test, the remaining 58% that don’t should take action – either by enhancing their DR capabilities to meet the DR targets, or reviewing RTO and RPO with business leaders and adjusting targets where possible to what’s achievable with their current DR assets. If current inadequacies are not addressed the business is left open to potentially unacceptable risk.

About this report

Introduction

This report was commissioned by Macquarie Telecom in September 2013 with the goal of understanding how Australian businesses with 200 or more staff are dealing with growing disaster recovery (DR) challenges.

Disaster recovery and business continuity is a topic of major interest to ZDNet and an exciting area to work on. If you were one of the 112 IT decision-makers who responded to the survey we thank you sincerely for your time to provide the information that lies at the centre of the report. If not, we hope you may join us in future research studies. We trust you find this report interesting and we welcome your feedback.

About ZDNet and CBS Interactive

ZDNet (www.zdnet.com) is where technology means business. The site attracts an enthusiastic audience of business technology decision-makers, who visit for the latest coverage and analysis of how technology impacts business. Around 500,000 unique visitors per month in Australia and New Zealand take advantage of ZDNet’s in-depth content.

About Macquarie Telecom

Founded in 1992, Macquarie Telecom (ASX:MAQ) is Australia’s number one Managed Hosting and business-only telecommunications company. Macquarie Telecom is a full service hosting provider offering managed dedicated servers, managed colocation, and managed private and public clouds for mid-size businesses and corporate IT departments. Macquarie Telecom’s fully owned Australian-based Intellicentre 2 is the most certified data centre in the country, offering our customers ISO27001 and PCI compliance.

Over three-quarters of businesses have DR compliance obligations

Businesses in the survey all have a minimum of 200 staff, and are more likely to have compliance obligations for disaster recovery than smaller organisations.

Industry-specific compliance is most common

More than one-third (36%) of respondents report compliance obligations related to their industry sector.

Examples include the finance sector where the Australian Prudential Regulation Authority’s (APRA) prudential standard CPS 232 “requires each regulated institution ... to implement a whole-of-business approach to business continuity management that is appropriate to the nature and scale of its operations”. In addition, the standard states “The Board is ultimately responsible for the business continuity of the regulated institution”.

Government compliance obligations apply to 31% of respondents, and 10% have more general obligations based on ASX and SOX regulations.

9% of respondents say they have more than one type of compliance obligation.

Most businesses have DR plans, but test them infrequently

Most businesses have a disaster recovery plan

Almost nine out of every ten businesses have a DR plan

87% of Australian businesses with 200 or more staff have a DR plan in place.

However, 22% test their plans less than once per year.

13% of businesses don’t yet have a DR plan.

DR testing is infrequent in most businesses

Only one-third (33%) of businesses test their DR plans more than once a year

17% of businesses test their DR plan at least once per quarter, and 16% do so at least once every six months.

Given the speed at which businesses and their supporting ICT infrastructure change, it’s surprising so few businesses test DR capabilities quarterly.

32% test their DR plans once a year, the most common testing interval

Almost one-quarter (22%) of businesses have no assurance their DR plans actually still work

11% test less often than once a year, while another 11% don’t test their plan ever.

13% don’t have a DR plan at all

While 8% will implement a plan in the next year, 5% have no plans to introduce one in the next year.

Almost three-quarters of businesses test less often than they would like

67% of businesses are facing resource and/or cost challenges in optimising their DR test plans

The time and effort involved in DR testing is the major barrier to testing more often

48% say it takes too much time and effort to arrange and execute DR tests

Limited resource and budget also contribute to sub-optimal testing

23% cite cost and resource obstacles as barriers to frequent testing (13% don’t have internal resources to handle testing, 6% can’t convince management to increase the testing budget, and 4% say testing is too expensive)

Around one-quarter (29%) of businesses say they do already test often enough

DR Test metrics and outcomes

Recovery time and recovery point objectives are challenging

Businesses typically specify recovery targets in their DR plans. The main targets are the recovery time objective (RTO) – the time it takes to re-establish systems following a disruption or disaster – and the recovery point objective (RPO) – the time elapsed since the last back-up version of the company’s systems.

Close to two-thirds (64%) of businesses have a target of 4 hours or less to re-establish systems and processes following a disaster or disruption.

Almost one-fifth (19%) are so reliant on IT systems they need to recover in less than one hour.

Only 11% have the relative luxury of more than 24 hours to re-establish their systems.

Recovery point objectives are also demanding. Almost two-thirds (63%) have a maximum data loss threshold of 4 hours, of which 29% can tolerate data loss of less than one hour.

Testing results show DR objectives are not always achieved

An important part of DR testing is to prove whether RTO and RPO targets can be met, and to use test results as the basis for ongoing improvement of DR plans.

While close to one-half of businesses meet their RTO target (42% do so) every time they run DR tests, more than one-half do not.

46% meet their RPO target every time.

It’s true that 49% and 44% respectively meet RTO and RPO targets “most times”, but that still leaves doubts – would a real disaster be like most times, or like one of the times where targets aren’t achieved?

10% often fail to meet RPO targets, and 8% frequently miss RTO targets – the DR plans in these businesses are not fit for purpose, and need improvement.

A variety of DR approaches are in use

On-premises DR capability still most common

Over one-half (60%) of businesses depend partly or completely on DR capabilities based in their own premises.

Just over one-third (34%) of businesses have on-premises DR capabilities only, a risky approach should a disaster destroy those premises or render them inaccessible.

A further 26% provide DR from a mix of on-premises and off-premises assets, either hosted or hosted private cloud, or public cloud.

The 32% who have off-premises DR facilities are better placed to overcome local disasters

Just under one-third (32%) have a DR capability hosted off-premises. These organisations stand a better chance to avoid disruption from local disasters than others that rely on on-premises DR. That goes also for the 2% of respondents that have DR capabilities provided solely via public cloud.

DR budgets vary considerably

Respondents report DR budgets from as little as $5K or less all the way up to $100K and above.

Almost one-half (46%) of respondents have to make do with a DR budget of less than A$10K

26% have <$5K and 20% have $5K to $9.9K

More than one-quarter (28%) have a DR budget worth between $10K and $50K.

11% have budgets between $10K and $19.9K, and 17% have $20K to $49.9K

A smidgen over one-quarter (26%) have DR budgets of $50K or more

13% have budgets between $50K and $99.9K, and 13% have more than $100K

Methodology and Respondent Demographics

Introduction

In September 2013, ZDNet Australia invited registered members and readers to take part in The Disaster Recovery Directions survey. These business and IT leaders regularly visit the ZDNet Australia website, and are therefore well-informed about the topics covered in this survey.

The survey used an online questionnaire to complete the fieldwork, and the resulting analysis is based on a quantitative analysis of the responses. The online questionnaire did not present all questions to businesses that don’t have a DR plan. As a result, responses to these subsequent questions include a subset of the total respondents.

The total sample comprises 112 businesses and has a margin of error of 9.23%.

Respondent organisations

The breakdown by organisation size and is given below:

The sample comprises a good spread of organisation types across industry sector. The largest sectors are education, government, healthcare, and manufacturing.