Are Businesses Adopting A ‘Titanic Mindset’ To Data Recovery?

It was a year ago when the Rhysida ransomware gang made the headlines when it attacked the British Library’s systems, resulting in major disruption and the theft of service users’ data, which was leaked when the British Library refused to co-operate.

Since then, we’ve all witnessed the chaos that erupted from the more recent global outage that made headlines and affected systems across the world. While not a traditional data attack, it’s been estimated to cost businesses up to $1.5 billion and is proof that no organisation can afford to be complacent regarding downtime. 

Lessons, of course, have been learnt. The British Library, in fact, opted for full transparency in the aftermath, publishing details of the intrusion and its response. Meanwhile, CrowdStrike apologised for the faulty software update that led to system crashes at banks, airlines, healthcare, media companies, hotel chains and more.

So, what have we learnt? An organisation’s ability to reliably recover systems and data is non-negotiable. There is absolutely no room for doubt – and if there is, any uncertainty needs to be identified and addressed before disaster strikes. 

Absolute confidence in data recovery
It’s concerning that in recent study we undertook among senior IT professionals in the UK, 78% of respondents admitted they had suffered data loss due to system failure, human error or a cyberattack at least once in the past 12 months.

Yet only just over half (54%) said they are confident they could recover their data and mitigate downtime in a future disaster. 

The fact that only just over half of respondents think their data is recoverable is a concern; this figure should be much nearer to 100%. Otherwise, how can your readiness for recoverability be reported confidently to the business and senior stakeholders? Confidence comes from identifying an organisation’s realistic needs, without compromising on cost or making sure you have the right tools for the job.

Meeting the testing ‘gold standard’
Confidence also comes from thoroughly and repeatedly testing systems and disaster recovery (DR) processes. So, it was surprising to see that of the UK IT professionals interviewed, one in five say they test just once a year or less, while 60% of respondents check their data is fully recoverable and usable once every six months. Just 5% say they test monthly (below). 

We advocate for a ‘gold standard’ for DR testing – twice-yearly, non-invasive full failover tests supported by monthly system boot tests and data integrity checks. In addition to rigorous data validation, testing the ability of workloads (applications and data) for failover capabilities needs to be designed into the recovery plan. This should also allow for network and connectivity testing, a critical and often overlooked component in the testing process.

The challenge is that many technologies deployed today to recover systems and data do not allow for non-disruptive testing. While testing can be carried out, these tests can never be thorough enough without significant disruption and, as a result, deliver a compromised test. 

Organisations need to put in place a well-structured recovery environment to optimise data recovery testing and ensure it can be conducted in the least disruptive way to the business. There are sophisticated solutions now that run testing without consuming vital resources or impacting the day-to-day production environment, which means business-as-usual.

Making data recovery part of business ‘fitness agenda’
When it comes to the core challenges in DR planning, our survey respondents were clear in what they are lacking from the business, with 39% pointing to a lack of skills or expertise in-house, 29% to a lack of investment or budget, and 28% to a lack of senior support. 

A lack of top-down support can foster a culture of complacency, even apathy. If those responsible for protecting and recovering the business in the event of a data issue or cybersecurity attack do not feel that it’s being taken seriously enough, then their approach and attitude may well reflect this.

Aligned to a thorough testing regime is the confidence to report that systems are recoverable, and the business is in a state of readiness to respond. A secondary benefit is that it fosters a culture of professionalism regarding an aspect of IT that often sits in the shadows until it is needed.

To some extent, I think what we’re seeing from this study is a ‘Titanic mindset’ to data recovery, which is potentially putting data - and businesses - at risk. Organisations, it seems, think they are unsinkable -  until they’re not. 

Stephen Young is Executive Director at Assurestor

Image:  SerrNovik

You Might Also Read: 

Make Sure Your Disaster Recovery Plan Works When You Need It Most:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Cyber Security Teams Feel The Pressure 
Increase Security For Your Enterprise Cloud With A Next-Generation Firewall »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

rPeople Staffing

rPeople Staffing

rPeople provides direct placement in all areas of your organization, including and specializing in Technical and Executive hiring.

Cyber Security For Critical Manufacturing (ManuSec)

Cyber Security For Critical Manufacturing (ManuSec)

Cyber Security For Critical Manufacturing (Manusec) is a global series of summits focusing on Cyber Security for Critical Manufacturing Sectors.

V-Key

V-Key

V-Key is a global leader in software based digital security, providing solutions for mobile identity, authentication, authorization, and mobile payments for major banks.

HexaTrust

HexaTrust

The HEXATRUST club was founded by a group of French SMEs that are complementary players with expertise in information security systems, cybersecurity, cloud confidence and digital trust.

Securepoint

Securepoint

Securepoint is the market leader in the development of professional “Unified Threat Management” solutions in Germany.

CyberForce Program - US Department of Energy

CyberForce Program - US Department of Energy

The Department of Energy’s (DOE) CyberForce Program is a workforce development program that seeks to inspire and develop the next generation of cyber defenders for the energy sector.

CSIRT GOV - Poland

CSIRT GOV - Poland

Computer Security Incident Response Team CSIRT GOV, run by the Head of the Internal Security Agency, acts as the national CSIRT responsible for coordinating the response to computer incidents.

Cybersecurity Professionals

Cybersecurity Professionals

Search vacancies from top cyber security jobs worldwide on CyberSecurity Professionals. View IT security jobs or upload your CV to be seen by recruiters from industry leading firms.

CSC Digital Brand Services

CSC Digital Brand Services

Our brand protection and security expertise give our customers peace of mind that no matter how fast the digital world changes, their intellectual property and digital assets will be secure.

TAC Security (TAC Infosec)

TAC Security (TAC Infosec)

TAC Security (aka TAC Infosec) is a leading and trusted cyber security consulting partner that specializes in securing the IT infrastructure and assets of enterprises.

Fortiphyd Logic

Fortiphyd Logic

Fortiphyd Logic equips operators of the power grid, oil & gas, and other critical infrastructure with the tools and training they need to defend their industrial networks from advanced cyberattacks.

Ultra Electronics

Ultra Electronics

Ultra specialises in providing application-engineered bespoke solutions. We focus on mission critical and intelligent systems in the defence, security, critical detection & control markets.

KirkpatrickPrice

KirkpatrickPrice

KirkpatrickPrice is dedicated to providing you with innovative security guidance and efficient audit services.

Cloud4C

Cloud4C

Cloud4C is a leading automation-driven, application focused cloud Managed Services Provider.

American Technology Services (ATS)

American Technology Services (ATS)

American Technology Services provides unparalleled services in information technology to support small and mid-sized business. From top-level strategy, to managed services and infrastructure support.

Mantodea Security

Mantodea Security

Mantodea Security is an industry-agnostic powerhouse backed by extensive experience and expertise in the realm of IT security.