With all the cyber security threats, the importance of disaster recovery testing has become more critical to businesses that any other time before.
Organizations need to test their Disaster Recovery (DR) plans regularly. Due to the large opportunity for lost productivity, operational efficiency, and brand damage, the potential data loss and downtime is likely to keep even the most experienced IT departments or managed IT services providers awake at night. Hence the importance of disaster recovery testing.
The number of businesses that do disaster recovery (DR) testing is lower than one would expect. The recent study surveyed 150 organizations and found that disaster recovery (DR) testing frequency was low. Over 50 percent of the respondents conducted testing once every two years. Approximately 44 percent of organizations test less frequently as they believe that their disaster recovery (DR) is inadequate after their initial test. Another 22 percent ran into issues when testing their disaster recovery (DR) that would have caused sustained downtime for their organization.
When should you test disaster recovery testing?
Some organizations believe that disaster recovery (DR) testing is not happening due to the fear of the results. Industry reports show that IT departments do not have the time and resources to replace their disaster recovery (DR) system with a reliable one. Unfortunately, they are taking a timed approach to data risk management.
An organizations confidence in their disaster recovery (DR) plan is determined by how many times and how extensively it is tested. disaster recovery (DR) testing needs to be conducted on a scheduled basis and as frequently as possible due to how complex and dynamic an organizations infrastructure may be.
Based on the consideration of the frequency of outages, respondents to the survey admitted they understand and hear the message based on research from industry cybersecurity professionals. The focus is on finding a proven remedy to cyber security breaches rather than preventing them. In case the only way to undo the damage caused by ransomware attacks is to recover from tested and proven data backups that have not been encrypted. Regular disaster recovery (DR) testing will give all organizations a clear view of the entire process of recovering their data from backups. This is particularly important since many ransomware attacks from cyber security professionals try to target backups as well. There have been many organizations in the news that are great examples of those that failed to recover after a ransomware attack.
When it comes to testing, time and planning is of the essence for any organization. Budget and resources are limited in almost every organization however recovering from a ransomware attack should not be a budget limited option. The lack of technical skills within an organization is an ongoing issue to keep day-to-day operations running. Testing an organizations disaster recovery (DR) gets pushed to the bottom of the never-ending task list for organizations when it should be a priority. Testing an organizations disaster recovery (DR) approach can be quite difficult. The additional cost of shutting down production systems or scheduling this out of hours compounds the issue of low priority to organizations.
Testing should be more than just an afterthought
Given the dynamic and fragile nature of a technical ecosystems, it is concerning that over half of the organizations included in the study only conduct disaster recovery (DR) testing annually at best.
The results of infrequent disaster recovery (DR) testing are predictable. Infrequent testers are concerned about their disaster recovery (DR) almost half the time. An untested disaster recovery (DR) will ultimately fail and nothing can be done about it.
It is often due to the importance of disaster recovery (DR) within the organization that disaster recovery (DR) testing is not done as frequently as it should be. Questions to organizations should include the following:
- Is senior management aware of the definition of a disaster recovery (DR) plan?
- Has your organization classified what data is mission-critical?
- Has your organization classified what data is sensitive?
- Did your organization identify any physical facility constraints?
- What is acceptable downtime for your organization?
- Who will be involved in the disaster recovery (DR) plan and communication?