Half of British businesses are not ready to implement disaster recovery plans despite taking pains to simulate the situation, according to a Symantec survey.
The survey of 900 IT managers across the UK, the rest of Europe, the US, South Africa and the Middle East found that in nearly half of tests disaster recovery plans failed.
Guy Bunker, chief scientist at Symantec, said that testing was a "disruption" to people and budgets, but warned that "having the actual disaster occur and not being prepared is much more serious."
He said the strong infrastructure in Britain sometimes led business executives to mistakenly believe they did not need to regularly test their disaster recovery plans. While nine in 10 businesses simulated a situation when disaster recovery would be needed, putting people, processes and technology to the test, few did so regularly enough, he suggested.
On average, tests were only being carried out every eight months - only half as often as Russian businesses. "People really don't test enough," he said. "The IT environment changes all the time and businesses have got to be ready for all eventualities and their consequences."
The result of this lack of testing was that companies were unable to meet their critical recovery time objectives - an alarming situation considering that half the companies globally have had to execute disaster recovery at some time, he said. Firms were often unable to deal with threats ranging from IT failure to natural disasters.
Bunker said that the floods this summer, cutting off businesses and homes, had changed some company attitudes, but not enough.
Attitudes among CEOs were part of the problem, Bunker said, since 77 percent do not take an active role on disaster recovery committees.
"It's a legacy problem," he said. "In the last 20 years IT has moved from being an important part of infrastructure to a vital part of infrastructure, but perhaps this is still not recognised by some CEOs."
Of all sectors, financial companies took the most responsibility in testing, owing to regulatory requirements and the sensitivity of data. But small companies took an even greater risk by not testing, he added. "Small firms think it will cost them a lot of money, but it's a fallacy."
Bunker advised businesses to test full-scale disasters every six months, and do shorter dry runs once a month or whenever major new technology is introduced. It was important for them to work out what would be affected by a range of possible disasters, which people and resources would be required to mitigate the problem, and how they would do so. This would enable best practice guidelines to be drawn up.
Companies also needed to ensure they had the right technology for data protection, server provisioning, application clustering, storage management and replication, he said.