Business Continuity Management (BCM) is getting a boost from increased budget and more stringent requirements related to recovery time objectives (RTO) and companies wanting to improve overall IT resiliency. These are the findings of a newly released Gartner survey analysis* that also sheds light into other interesting aspects of what is driving companies to review their current data protection and recovery strategy.

The Risk of IT Outages
According to Gartner, 71% of organizations experience IT outages and over 25% have inadequate levels of BC/DR testing. When you put these two together is no wonder many companies are caught by surprise when they can’t quickly recover from unplanned service interruption.

When it comes to actually activating their IT disaster recovery plans, 72% of organizations reported having to use them within the past 24 months with 41% of those companies having between 2 and 5 incidents during this period. When it comes to full Business Recovery, meaning the recovery of entire business operations and not just IT systems, 51% of companies report having had to respond to up to anywhere between 1 and 5 incidents in that period.

Where Downtime Comes From
The Gartner survey also pointed to the causes of unplanned operations downtime, showing that the most common reasons IT systems are impacted relate to hardware, software, and operation issues. which are broken down as follows:

    40%: Application failures (bugs, performance issues, changes to applications causing problems)
    40%: Operations erros (someone not performing a task or performing incorrectly)
    20: Hardware failures, OSs, environmental (heating, cooling, power failures), disasters

The analysts point to the need for companies to reduce the duration and operations impact of unplanned downtime irrespective of its source. This leads us to the next key finding, on Recovery Time Objectives.

The Shift to Business Resiliency
There has been a dramatic change in the RTO goals for companies, as Gartner reports 4 hours or less RTO being the target for 64% of organizations, a change of 167% when compared tot he previous year. This indicates a shift in the mindset of IT professionals responsible for BCM and related areas (backup, disaster recovery, business continuity) from IT recovery to business resiliency.

When we look at the details of which types of IT services have the “less than 4 hours RTO” requirement we see that the lines that used to divide application tiers are blurring. Critical IT infrastructure services, mission-critical IT services, critical IT services, and important IT services (also called Tier 1, Tier 2, Tier 3, etc.) are all part of the same RTO requirement. The need for keeping applications, regardless of their defined “tier”, always accessible and expectations of a 24/7 business operations are key drivers forcing companies to look at BC/DR from a more holistic lens and start talking about resiliency, not just recovery.

By 2018, the number of organizations using disaster recovery as a service will exceed the number of organizations using traditional, syndicated recovery services – Gartner

With the ‘resiliency’ mindset growing among companies, so will the challenge to actually achieve true business resiliency. The research also sheds light onto data protection mechanisms companies are currently using for their different IT systems and points to over 50% of companies still using backup to disk and tape backup as their data protection methods. Replication in the form of VM replication, storage-based replication and database replication are also commonly used forms of IT recovery among all respondents. The rise of cloud-based DR in the form of Disaster Recovery-as-a-Service (DRaaS) now gives companies another option to improve business resiliency and is gaining momentum as it replaces traditional approaches to data protection with a cost-effective and scalable architecture. In fact, Gartner also predicts that by 2018, the number of organizations using disaster recovery as a service will exceed the number of organizations using traditional, syndicated recovery services**.

Cyberattacks Threaten IT Recovery

An increase in cyberattacks has also placed added scrutiny at data protection and recovery with Gartner predicting that, by 2020, 30% of organizations targeted by major cyberattacks will spend more than two months cleansing their backed-up data, resulting in delayed recoveries. It is therefore essential that companies include these types of disruptions to their BCM programs including crising and incident management, business recovery and IT disaster recovery management.

By 2020, 30% of organizations targeted by major cyberattacks will spend more than two months cleansing their backed-up data, resulting in delayed recoveries – Gartner

At Axcient we continue to see companies affected by different types of cyber threats like the Cryptolocker virus. The problem with this ransomware attack is that it encrypts all files it has access to and requests the user to wire money in order to receive the decryption key. Without proper backup and ability to quickly recover a clean version of your files and operating systems companies can be completely shut down for days. Axcient customers have a good way around the virus as customers can immediately spin up a clean version of their systems, file servers, databases, the entire IT infrastructure even and continue working while the affected servers can be cleaned up and readied for failback. The power of DRaaS is that it gives companies this ability to overcome what would be typically seen as a long business interruption with an extremely easy process for partial or full IT failover.

It is now time for companies to start changing the way they approach data protection and recovery and starting thinking in terms of IT resiliency.

* Survey Analysis: 2015 BCM Survey Results Provide BCM Leaders With Program Maturity Improvement Actions for 2016, Gartner, February 2016
** Critical Capabilities for Disaster Recovery as a Service, Gartner, Decembere 2015