With cybercrime still on the rise, and remote work scenarios stressing IT infrastructures and security controls, every organization needs a disaster recovery (DR) plan to protect against data loss and quickly restore IT infrastructure and systems following a significant outage.
But planning for disaster recovery is only the first step. You might think your plan is solid, but you need to test it regularly and keep it updated as your environment constantly changes. Otherwise, you will uncover its shortcomings at the worst possible time—in the midst of a disaster.
Yet according to a recent survey, only about half of SMBs have a documented, company-wide DR plan in place. Of that subset, 50% test their DR plan annually or even less frequently, while 7% have never performed any disaster recovery testing.
Shockingly, not a single survey respondent said their last DR test was even moderately successful—every company in the survey that conducted testing reported experiencing significant issues impacting the network, service availability and performance, data integrity, and/or critical workloads. But at least these firms know what they need to fix.
Business risks from inadequate disaster recovery testing
Insurance can blunt the financial impacts of a disaster, but lost data may be irreplaceable. Unless you have a DR plan and test it regularly, chances are almost 80% that your business will experience significant downtime, data loss, and other negative impacts within a few years.
Here are 5 of the most significant impacts of not conducting disaster recovery testing:
- Downtime cost. About 80% of the time, significant unplanned downtime and data loss are caused by IT hardware or software failures. The cost of an hour of downtime for most SMBs is on the order of $20,000 to $40,000. But depending on the nature of your business, it can be much more.
- Lost customers. Your customers and business partners have high expectations regarding your services. Ideally, you want to recover before they notice you were down. The longer it takes you to recover and the more problems you have, the more customers you’re likely to displease or lose outright. Further, your downtime may have caused your clients and partners that depend on your services to suffer losses as well.
- Reputational damage. Chances are you’ve worked long and hard to build a reputation as a reliable partner. But you can lose that in minutes, and the cost, while hard to quantify, will be enormous. Your failure to invest in protecting your business is not something that will impress customers or prospects. Without disaster recovery testing, your priceless business reputation is not safe.
- Cybersecurity risk. When an organization is trying to recover from a disaster, some of its cybersecurity controls may be rendered ineffective, increasing the risk of an attack. Conversely, conducting disaster recovery testing helps you identify and remediate critical vulnerabilities before hackers have a chance to exploit them.
- Compliance risk. Depending on your industry (e.g., financial markets, government agencies, healthcare firms) and applicable regulations, your company’s ability to maintain business continuity could be a compliance requirement. For organizations like these, regular disaster recovery testing could help fend off fines and sanctions for noncompliance.
In short, unless you can afford to lose revenue, customers, and your good name in the market, disaster recovery testing is mission-critical.
What disaster recovery testing looks like
The purpose of disaster recovery testing is to gauge the effectiveness of your DR plan and determine whether you can restore operations within the planned timeframe (your Recovery Time Objective or RTO). Disaster recovery testing will also reveal faults in your IT and/or database environment that you need to fix.
Of course, disaster recovery testing also tests and trains the key employees who are responsible for restoring your business. The more they can practice, the better they will perform when a real disaster is declared.
Disaster recovery testing doesn’t have to be a full-on simulation scenario where systems go down. You can learn a lot by reviewing your DR plan in a tabletop exercise. Think of it as a dress rehearsal, a step-by-step walk-through of the plan. It’s a great way to spot problems, especially missing pieces and errors.
How often should you perform disaster recovery testing? At least once every six months, given the pace of change in the average IT environment and the importance of practice for human performance.
In today’s business environments, continuous availability is the target, as downtime for mission-critical applications, like your databases, is considered unacceptable. Getting to “zero downtime” for your database environment, even in the face of outages and interruptions, usually requires special expertise and services to maximize the benefits of the high availability and disaster recovery capabilities your Oracle, Microsoft or other RDBMS offers.
Contact Buda Consulting to discuss a Reliability Review, our proven and tested approach that will evaluate your current risk profile and help determine the level of protection your database environment requires.