Conducted by
A Research Report from
Disaster Recovery Directions
2013 / 2014
How Australian businesses are dealing with today’s Disaster
Recovery challenges
25 October 2013
VERSION 2, RELEASED
P a g e | 1 | Disaster Recovery Directions 25 October 2013
CONTENTS
EXECUTIVE SUMMARY
ABOUT THIS REPORT
  INTRODUCTION
  ABOUT ZDNET AND CBS INTERACTIVE
  ABOUT MACQUARIE TELECOM
OVER THREE-QUARTERS OF BUSINESSES HAVE DISASTER RECOVERY COMPLIANCE OBLIGATIONS
MOST BUSINESSES HAVE DISASTER RECOVERY PLANS, BUT TEST THEM INFREQUENTLY
  MOST BUSINESSES HAVE A DISASTER RECOVERY PLAN
  DISASTER RECOVERY TESTING IS INFREQUENT IN MOST BUSINESSES
  ALMOST THREE-QUARTERS OF BUSINESSES TEST LESS FREQUENTLY THAN THEY WOULD LIKE
DR TEST METRICS AND OUTCOMES
  RECOVERY TIME AND RECOVERY POINT OBJECTIVES ARE CHALLENGING
  TESTING RESULTS SHOW DR OBJECTIVES ARE NOT ALWAYS ACHIEVED
A VARIETY OF DR APPROACHES ARE IN USE
  ON-PREMISES DR CAPABILITY STILL MOST COMMON
DR BUDGETS VARY CONSIDERABLY
METHODOLOGY AND RESPONDENT DEMOGRAPHICS
  INTRODUCTION
  RESPONDENT ORGANISATIONS
Executive Summary
Australian organisations increasingly rely on information and communications technology (ICT) to
connect with customers and deliver services. ICT offers great benefits to businesses, but also
brings potential vulnerabilities if systems become unavailable. As a result, businesses must make
adequate provision to enable business continuity for mission critical processes – and in a
cost-effective way.
Balancing these demands is important for all businesses – there are many examples of
disaster-affected businesses that failed to recover. The threat of business disruption is not the only driver
for businesses in making responsible provision for disasters. Compliance requirements for large
businesses and for those in critical industries such as the finance sector make boards responsible
for providing adequate disaster recovery precautions.
This research study looks at how Australian organisations with 200+ staff deal with their disaster
recovery (DR) challenges. The key findings are:
Over three-quarters of businesses have DR compliance obligations
While industry-specific obligations are most common, respondents also report compliance
obligations to government or other regulation such as Sarbanes-Oxley.
These regulations should not be taken lightly – in some cases Boards are responsible for
ensuring compliance is appropriate to the organisation’s operations.
Regulations also stipulate the need for regular testing and review of disaster
recovery/business continuity plans.
While most businesses have disaster recovery plans, they test their plan infrequently
Almost nine out of every ten businesses has a DR plan.
Only one-third (33%) of businesses test their DR plans more than once a year.
The remaining two-thirds risk their DR plans becoming outdated: if they don’t test their DR
plan often how do they know it’s still appropriate?
Businesses would like to test DR plans more frequently but obstacles frustrate them
67% of businesses face resource and/or cost challenges in optimising their DR test plans.
48% say it takes too much time and effort to arrange and execute DR tests.
23% report cost and resource obstacles prevent more frequent testing.
Only 29% say they are testing as frequently as they’d like.
Respondents report challenging DR metrics for recovery time objectives (RTO) and
recovery point objectives (RPO)
Close to two-thirds (64%) of businesses have a target of 4 hours or less to re-establish
systems and processes following a disaster or disruption.
Almost one-fifth (19%) are so reliant on IT systems they need to recover in less than one
hour.
Test results indicate room for improvement
58% of businesses do not meet their RTO target every time they run a DR test.
Even though the remaining organisations meet their targets “most times” that still leaves
doubts – would a real disaster be like most times, or like one of the times where targets
aren’t met?
10% frequently fail to meet RPO targets, and 8% frequently miss RTO targets - the DR plans
in these businesses are not fit for purpose, and need improvement.
Almost two-thirds of businesses depend partly or completely on on-premises DR
capabilities
60% of businesses depend partly or wholly on DR capabilities based in their premises. 34% of
businesses have on-premises DR capabilities only. That’s a high risk should a disaster destroy
those premises or render them inaccessible.
A further 26% provide DR from a mix of on-premises and off-premises assets, either hosted
or hosted private cloud, or public cloud.
32% have a DR capability hosted off-premises (but not public cloud). These organisations
stand a better chance to avoid disruption from local disasters than others that rely only on
on-premises DR. Only 2% have DR capabilities provided solely via public cloud.
Respondents report annual DR budgets as low as $5K or less all the way up to $100K and
above
Almost one-half (46%) of respondents have to make do with a DR budget of less than A$10K.
More than one-quarter (28%) have a DR budget worth between $10K to $50K.
A smidgen over one-quarter (26%) have DR budgets of $50K or more.
Many businesses are making responsible plans to mitigate IT disaster risks, and are following
through by investing appropriately in DR, and in testing plans regularly. However, others need
to do more to provide adequate protection:
13% of businesses don’t have a DR plan – they need to get one.
25% of those with a DR plan test it less than once a year or not at all, and 37% test once a
year. All of these businesses need to be testing DR plans more often.
Time, effort and resource challenges prevent most businesses from testing DR plans more
often. These businesses should review available DR approaches, and keep up to date with
new services such as public cloud that may better suit their budgets.
While 42% of businesses meet DR targets every time they test, the remaining 58% that don’t
should take action – either by enhancing their DR capabilities to meet the DR targets, or
reviewing RTO and RPO with business leaders and adjusting targets where possible to what’s
achievable with their current DR assets. If current inadequacies are not addressed the
business is left open to potentially unacceptable risk.
About this report
Introduction
This report was commissioned by Macquarie Telecom in September 2013 with the goal of
understanding how Australian businesses with 200 or more staff are dealing with growing
disaster recovery (DR) challenges.
Disaster recovery and business continuity is a topic of major interest to ZDNet and an exciting
area to work on. If you were one of the 112 IT decision-makers who responded to the survey we
thank you sincerely for your time to provide the information that lies at the centre of the report.
If not, we hope you may join us in future research studies. We trust you find this report
interesting and we welcome your feedback.
About ZDNet and CBS Interactive
ZDNet (www.zdnet.com) is where technology means business. The site attracts an enthusiastic
audience of business technology decision-makers, who visit for the latest coverage and analysis of
how technology impacts business. Around 500,000 unique visitors per month in Australia and
New Zealand take advantage of ZDNet’s in-depth content.
About Macquarie Telecom
Founded in 1992, Macquarie Telecom (ASX:MAQ) is Australia’s number one Managed Hosting and
business-only telecommunications company. Macquarie Telecom is a full service hosting provider
offering managed dedicated servers, managed colocation, and managed private and public clouds
for mid-size businesses and corporate IT departments. Macquarie Telecom’s fully owned
Australian based Intellicentre 2 is the most certified data centre in the country, offering our
customers ISO27001 and PCI compliance.
Over three-quarters of businesses have DR compliance
obligations
Businesses in the survey all have a minimum of 200 staff, and are more likely to have compliance
obligations for disaster recovery than smaller organisations.
Industry-specific compliance is most common
More than one-third (36%) of respondents report compliance obligations related to their
industry sector.
Examples include the finance sector where the Australian Prudential Regulation
Authority’s (APRA) prudential standard CPS 232 “requires each regulated institution ... to
implement a whole-of-business approach to business continuity management that is
appropriate to the nature and scale of its operations”. In addition, the standard states “The
Board is ultimately responsible for the business continuity of the regulated institution”.
Government compliance obligations apply to 31% of respondents, and 10% have more general
obligations based on ASX and SOX regulations.
9% of respondents say they have more than one type of compliance obligation.
Most businesses have DR plans, but test them
infrequently
Most businesses have a disaster recovery plan
Almost nine out of every ten businesses has a DR plan
87% of Australian businesses with 200 or more staff have a DR plan in place.
However, 22% test their plans less than once per year.
13% of businesses don’t yet have a DR plan.
DR testing is infrequent in most businesses
Only one-third (33%) of businesses test their DR plans more than once a year
17% of businesses test their DR plan at least once per quarter, and 16% do so at least once
every six months.
Given the speed at which businesses and their supporting ICT infrastructure change, it’s
surprising so few businesses test DR capabilities quarterly.
32% test their DR plans once a year, the most common testing interval
Almost one-quarter (22%) of businesses have no assurance their DR plans actually still work
11% test less often than once a year, while another 11% don’t test their plan ever.
13% don’t have a DR plan at all
While 8% will implement a plan in the next year, 5% have no plans to introduce one in the
next year.
Almost three-quarters of businesses test less often than they would
like
67% of businesses are facing resource and/or cost challenges in optimising their DR test plans
The time and effort involved in DR testing is the major barrier to testing more often
48% say it takes too much time and effort to arrange and execute DR tests
Limited resource and budget also contribute to sub-optimal testing
23% cite cost and resource obstacles as barriers to frequent testing (13% don’t have internal
resources to handle testing, 6% can’t convince management to increase the testing budget,
and 4% say testing is too expensive)
Around one-quarter (29%) of businesses say they do already test often enough
DR Test metrics and outcomes
Recovery time and recovery point objectives are challenging
Businesses typically specify recovery targets in their DR plans. The main targets are the recovery
time objective (RTO) – the time it takes to re-establish systems following a disruption or disaster –
and the recovery point objective (RPO) – the time elapsed since the last back-up version of the
company’s systems.
Close to two-thirds (64%) of businesses have a target of 4 hours or less to re-establish systems
and processes following a disaster or disruption.
Almost one-fifth (19%) are so reliant on IT systems they need to recover in less than one
hour.
Only 11% have the relative luxury of more than 24 hours to re-establish their systems.
Recovery point objectives are also demanding. Almost two-thirds (63%) have a maximum data
loss threshold of 4 hours, of which 29% can tolerate data loss of less than one hour.
Testing results show DR objectives are not always achieved
An important part of DR testing is to prove whether RTO and RPO targets can be met, and to use
test results as the basis for ongoing improvement of DR plans.
While close to one-half of businesses meet their RTO target (42% do so) every time they run DR
tests, more than one-half do not.
46% meet their RPO target every time.
It’s true that 49% and 44% respectively meet RTO and RPO targets “most times”, but that still
leaves doubts – would a real disaster be like most times, or like one of the times where targets
aren’t achieved?
10% often fail to meet RPO targets, and 8% frequently miss RTO targets - the DR plans in these
businesses are not fit for purpose, and need improvement.
A variety of DR approaches are in use
On-premises DR capability still most common
Over one-half (60%) of businesses depend partly or completely on DR capabilities based in their
own premises.
Just over one-third (34%) of businesses have on-premises DR capabilities only, a risky
approach should a disaster destroy those premises or render them inaccessible.
A further 26% provide DR from a mix of on-premises and off-premises assets, either hosted
or hosted private cloud, or public cloud.
The 32% who have off-premises DR facilities are better placed to overcome local disasters
Just under one-third (32%) have a DR capability hosted off-premises. These organisations
stand a better chance to avoid disruption from local disasters than others that rely on
on-premises DR. That goes also for the 2% of respondents that have DR capabilities provided
solely via public cloud.
DR budgets vary considerably
Respondents report DR budgets from as little as $5K or less all the way up to $100K and above.
Almost one-half (46%) of respondents have to make do with a DR budget of less than A$10K
26% have <$5K and 20% have $5K to $9.9K
More than one-quarter (28%) have a DR budget worth between $10K to $50K.
11% have budgets between $10K to $19.9K, and 17% have $20K to $49.9K
A smidgen over one-quarter (26%) have DR budgets of $50K or more
13% have budgets between $50K to $99.9K, and 13% have more than $100K
Methodology and Respondent Demographics
Introduction
In September 2013, ZDNet Australia invited registered members and readers to take part in The
Disaster Recovery Directions survey. These business and IT leaders regularly visit the ZDNet
Australia Website, and are therefore well-informed about the topics covered in this survey.
The survey used an online questionnaire to complete the fieldwork, and the resulting analysis
is based on a quantitative analysis of the responses. The online questionnaire did not present all
questions to businesses that don’t have a DR plan. As a result, responses to these subsequent
questions include a subset of the total respondents.
The total sample comprises 112 businesses and has a margin of error of 9.23%.
Respondent organisations
The breakdown by organisation size and is given below:
The sample comprises a good spread of organisation types across industry sector. The largest
sectors are education, government, healthcare, and manufacturing.