SYMANTEC has announced the global results of its annual Disaster Recovery survey, which demonstrates a significant decline in executive involvement in disaster recovery planning and a significant increase in the number of organisations re-evaluating their disaster recovery plans due to virtualisation. As more applications and data are managed in a virtual environment, organisations are evaluating the most efficient ways to manage applications and data in both physical and virtual environments.

The survey found that nearly one-third of organisations reported they have had to implement part of their DR plan. However, in the past year there was a significant decrease in executive involvement on DR committees. And, while there appears to be improvement in successful disaster recovery testing, one-third of respondents indicate testing will impact their customers, and one-fifth admit such testing could negatively affect their organisation’s sales and revenue.

With a rapid increase in mission critical applications combined with the continued growth of stored data – both physical and virtual – it is crucial that IT organisations incorporate a comprehensive, proven disaster recovery plan into the overall business strategy. This will help ensure the successful recovery of data and applications with the least amount of impact to business operations should a disaster – natural disaster, human error or system failure – occur.

Although 56 per cent of applications were deemed mission critical by respondents – significantly up from 36 per cent in 2007 – only 54 per cent of all applications are covered by DR plans. With the increase in the number of mission critical applications, it becomes difficult for organisations with flat IT budgets to maintain the availability of a greater number of mission critical applications.  As a result, companies should look at more cost effective ways to protect applications including reducing spare servers, increasing server capacity, looking at physical to virtual configurations, and more.

Disaster recovery plans are not documents collecting dust on shelves.  In the past year, one third of organisations surveyed had to execute their disaster recovery plans due to a variety of factors including: Hardware and software failure (36 per cent of organisations); external security threats (28 percent of organisations); power outage/failure/issues (26 per cent of organisations); natural disasters (23 per cent of organisations); IT problem management (23 percent of organisations); data leakage or loss (22 per cent of organisations); and accidental and malicious employee behaviour (21 per cent of organisations). Given the regularity of events that cause downtime, IT organisations should expect that their DR plans will be tested at some point in the future.

Survey results also indicate that that C-level involvement in DR planning is declining. In the 2007 survey, 55 per cent of respondents said that their DR committees involved the CIO, CTO or IT director. However, in 2008 that number dropped to 33 per cent worldwide. Symantec believes that such a move is a troubling trend, particularly in light of the mission critical applications not currently covered in DR plans and the reevaluation of plans due to virtualisation. Increased executive involvement has been shown to increase the success of DR plans.

Virtualisation is the major factor that is causing more than half (55 per cent) of respondents globally – 64 per cent in North America – to revaluate their DR plans. In some cases virtualisation is being deployed for DR purposes and applications and data in virtual environments pose a difficult challenge since processes for physical environments may not work in virtual environments. In addition, native DR tools in virtual environments are immature and don’t provide the enterprise-class protection that organisations require. The respondents reported that 35 per cent of their virtual servers are not currently covered in organisations’ DR plans, and only 37 per cent of respondents reported that they back up all of their virtual systems.

Fifty-four percent of respondents listed resource constraints as their top challenge with backing up virtual systems, which points to the need for simplification and automation. Globally, 35 per cent of respondents cited too many different tools as the biggest challenge in protecting mission-critical data and applications within physical and virtual environments. Complications with having different tools for physical and virtual environments include higher training costs, operating inefficiencies, greater software costs and workforces that work in silos. Lack of automated recovery and insufficient backup tools came in close second, each with 33 per cent.

According to survey data, while having a disaster recovery plan is essential in most organisations today, knowing that disaster recovery plans work is equally important.  In 2007, 88 percent of IT professionals polled carried out a probability and impact assessment for at least one threat.  In 2008, that number increased to 98 percent of respondents indicating that they have carried out an assessment for at least one threat.  However, respondents report that 30 percent of tests fail to meet recovery time objectives and the average global RTO is 9.54 hours.

Respondents also reported the top reasons why their tests failed include: Human error (35 per cent); technology failure (29 per cent); insufficient IT infrastructure (25 percent); out-of-date plans (24 per cent) and inappropriate processes (23 pe rcent). Since human error is the greatest problem hindering successful recoveries, organisations should look to automation that will speed recovery and reduce errors and reliance on personnel.

In addition, 93 per cent of IT organisations report they have tested their disaster recovery plan since it was created, yet 30 per cent of those tests are not fully successful – improved from 50 percent failed tests in 2007 – and only 16 percent say that tests have never failed. 

The study showed that approximately 47 per cent of organisations test their DR plans either only once a year or less due to disruption to the business and lack of resources. Reasons cited include: Lack of staff availability (39 per cent), disruption to employees (39 per cent), budgetary issues (37 per cent) and disruption to customers (32 per cent). In addition, 21 per cent admit DR testing could impact sales and revenue.  In fact, those in Asia and EMEA are less likely to test their DR plans, with 12 percent of respondents in EMEA and 8 percent in Asia Pacific reporting that they never test their DR plans.

While survey results indicate that the IT industry has demonstrated some improvements in successful DR testing over the past year, only 31 per cent of respondents report that they could achieve baseline operations within one day if a significant disaster occurred that destroyed their main data centre. And, only three percent of respondents said they could have baseline operations within 12 hours and nearly half (47 per cent) reported that it would take a full week to achieve 100 per cent normal operations.

“While the research identifies a significant improvement in DR testing in the industry, we are concerned that organisations are not testing more frequently to improve their plans, and are not using adequate tools to reduce the overall business impact,� says Mark Lohmeyer, vice president of the Symantec’s Veritas Cluster Server Group.

“Virtualisation is obviously changing the game for disaster recovery and organisations should involve IT executives in the process of reevaluating their DR plans and then implement best practices and solutions that ensure a successful and rapid return to full operations in the event of a disaster.

Symantec recommends that enterprises implement a holistic data protection solution across virtual environments, remote offices, desktops, laptops, servers, applications and databases that can quickly recovery vital data and systems in the event of a disaster. In addition, consolidating on a single management tool that manages both physical and virtual environments will also help reduce the amount of tools needed.

The security vendor also recommends that organisations implement automated solutions that minimize human involvement and address other weaknesses in their DR plans to help to reduce downtime. Finally, using solutions that provide testing tools that minimise the impact of testing on customers is also recommended, so that organisations can test without affecting business processes, customers and employees.