Disaster recovery not priority: study

The findings of an Ernst & Young LLP study released earlier this month show that business owners in Canada are adopting a “not in my backyard” philosophy toward disaster recovery. The report polled 40 CEOs and 40 CIOs from 80 of Canada’s top 1,000 publicly traded companies taken from a list compiled by Report on Business, including Rogers Wireless Communications, Nortel Networks and Bell Canada.

While 34 per cent agreed that system failure is the most critical risk to their overall business objectives, 36 per cent admitted that they could not achieve a recovery time of 24 hours. “This certainly was a surprise to us. (The) numbers were higher than what we expected to see. We expected to see more of a shift since Sept. 11,” said Doug McPhie, partner at Ernst & Young LLP in Toronto.

McPhie added that businesses are in a state of denial when it comes to the idea that their systems could fall victim to an attack. Instead, there appears to be a hope-for-the-best mentality, as more than 25 per cent of companies that responded don’t have any sort of business continuity or disaster recovery plan in place.

And yet 83 per cent of the respondents insisted that the information stored on their IT systems or local networks is secure. McPhie said in Canada companies have made the basic investments around data protection by buying into technologies such as encryption and firewalls – which only affects the perimeter of information, not the entire network.

“It’s not an easy thing to put these plans together. We’re dealing with a number of companies that are trying to put various plans together, and they struggle with it just because of the complexity of their systems and of their business process,” McPhie said.

He added that dot-com outfits, for example, are more concerned with growth than with system reliability, even though past outages have been disastrous for several e-business sites, resulting in lost business and a banged-up reputation.

While Canada appeared to be more in tune with other countries on security in past surveys, McPhie fears that because the U.S. has increased its surveillance, Canada may now be falling behind. As system complexity continues to evolve, the entire mindset needs to change, he said.

“Companies need to be hardening their systems to deal with these incidents when they do happen. And they need to be testing these plans on a regular basis. What you put together three or four months ago might not work currently.”

However, despite these findings, at least one CIO isn’t entirely convinced that Canada is on the verge of drowning in its own security shortcomings. “I’m always suspect of numbers like this. It’s a broad-brush approach to assessing readiness, said Steve Kruspe, CIO at Charles Schwab Canada in Toronto.

He added that the majority of organizations are very concerned with security, from data protection to the overall networking environment. While cost is always a significant factor, disaster recovery and security policies are ultimately implemented depending on business needs.

Kruspe said Charles Schwab has several recovery plans in place for different aspects of the business, both on and off-site. “It all comes down to an assessment of what exactly the dependency is on technology and how critical a failure is going to affect you.”