Most business continuity plans would not withstand a regional disaster because they are built to overcome severe outages lasting only up to seven days, according to a newly published Gartner poll.
Gartner analyst Roberta Witty said that the results of the poll, for which 359 UK, US and Canadian information security and risk management professionals were interviewed, showed that organisations must "mature" their business continuity and disaster recovery strategies. The key was to enable IT operations and staff to endure outages of at least 30 days, an effort that would require additional IT budget spending and collaboration across enterprise business units at most businesses.
Nearly 60% of those interviewed said that their business continuity plans were limited to outages of seven days or less, and most admitted to focusing mainly on rebounding from internal IT disruptions, not from regional disasters that could also damage facilities.
Witty said this was a very short-sighted tactic considering the damage caused by Hurricane Katrina in 2005, as well as potential harm from terrorist attacks, pandemics, service provider outages, civil unrest or other unpredictable events.
"If you start looking at some of the events we've [experienced] over the last few years, companies must plan for events that actually take much longer to recover from," Witty said. "This is an issue [businesses] have to deal with. It's in front of everyone's face right now."
The survey found that 77% of companies have come up with a business continuity plan covering power outages caused by fire, while 72% have a plan to get up and running after a natural disaster. Only 50% of companies are prepared to rebound from terrorism-related IT outages.
Witty did say that companies are starting to take pandemic concerns more seriously than in the past. The survey showed that 29% of organisations now have pandemic recovery measures in place, up from just 8% in 2005.
In order to withstand an outage of up to 30 days, companies must improve cross-training efforts and streamline emergency management, notification and incident management techniques for quicker response, she added. "That's what [business continuity] is about. If you don't have people to manage it, a datacentre is useless."