Crossed Fingers

Risky Business: Disaster Recovery Needs More Than Crossed Fingers

Crossed FingersThe list of potential culprits is long: Cyber criminals, hackers, rogue governments, competitors, terrorists/freedom fighters, disaffected current and former staff,  not to mention whoever was behind the denial of service attack on Sony’s PlayStation Network and Sony Entertainment Network and a bomb threat to an American Airlines flight carrying the president of Sony’s online entertainment unit… The bad guys are out to get you and the odds are that they will. Throw in Mother Nature, and the problem isn’t if, but when disaster will strike — and then what do you do next? For most large organizations, the answer to the last part appears to involve prayer. Unfortunately, this is neither the time nor place to seek divine intervention.

A recent report from Gartner predicts information security spending will grow almost 8% (to $71.1 billion) this year, or about four times more than the average growth of the entire IT market in 2014. According to Gartner this security splurge can be largely attributed to last year’s democratization of security threats, driven by the easy availability of malicious software (malware) and infrastructure (via the underground economy) that can be used to launch advanced targeted attacks. “This has led to increased awareness among organizations that would have traditionally treated security as an IT function and a cost center,” said Gartner research director Lawrence Pingree.

The IT vendors certainly seem to be paying attention to the growing security challenges — or at least the growing security budgets:

  • Microsoft is looking to improve its business continuity solutions with the InMage acquisition;
  • VMware unveiled new disaster recovery and backup product releases at VMworld 2014;
  • Dell launched a new backup and disaster recovery suite; and,
  • IBM is opening two disaster recovery/resiliency centers.

Around the same time as these vendor announcements, Gartner was officially recognizing the business continuity/disaster recovery (BC/DR) space with its very own Magic Quadrant for Business Continuity Management Planning Software. The research company said that business continuity management planning (BCMP) software is the key tool used to manage the business continuity management (BCM) program process — from risk assessment to business impact analysis (BIA), through recovery plan development, exercising, and invocation. The 2013 BCMP market was valued at $162 million, a jump of 24% on the 2012 market. Given the increased focus from government agencies, regulators, and private-sector preparedness initiatives, Gartner anticipates that adoption will continue to grow in the next five years to well over 51%.

Unfortunately, this may well be a case of too little, too late. “After analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime — and the bad guys are winning,” said Wade Baker, principal author of Verizon’s 2014 Data Breach Investigations Report.

According to the most recent DBIR:

  • in 75% of cases it takes attackers days or less to compromise their target;
  • only 25% of the time do victim organizations discover the attack in days or less;
  • last year’s DBIR found attacks occurring in minutes or less in 84% of the cases; but,
  • 66% of breaches went undetected for months, or even years;
  • the cost of an unplanned data center outage has jumped 41% since 2010, to just over $7,900 per minute;
  • 43% of organizations affected by an outage never reopen, and 51% close within two years, meaning businesses have just a 6% chance of survival following an outage;
  • 83% of businesses are not fully prepared for an online security incident;
  • 73% of organizations worldwide are not taking adequate steps to protect their data and IT systems;
  • 78% have experienced outages of critical applications due to poor planning, testing, and technological deficiencies;
  • of that group, 63% say that losses ranged from a few thousand dollars to over $5M worth of critical applications failure, data center outages, and data loss;
  • approximately 28% of this group also said their organization lost data center functionality for up to weeks at a time; and,
  • more than 60% do not have a fully documented disaster recovery plan, and among the minority that do, 23% have never tested those plans.

The bottom line is that most organizations are gambling that they won’t be one of the unlucky few that suffer an IT misfortune, and the odds are in their favor. However those odds also include the fact that only 6% of the victims survive. So having a comprehensive and regularly tested BC/DR capability in place sounds like good business to me.