How Compliance Can Help
Effective business continuity planning starts with honest assessments of risk areas, plus the resolve, resources and funding to address those risks. For the past 10 years, we’ve conducted primary research on business continuity and resilience, focusing specifically on IT systems, given their essential role in the functioning of today’s enterprises.
A decade of research into business continuity and resilience has shown that, surprisingly, exposure persists in risk areas for which solutions have been available for many years. Our recently released 2017 State of Resilience report, reflecting the responses of 5,632 IT professionals globally, revealed four troubling risks that have persisted over time and that threaten the continuity and function of critical enterprise systems:
1. System Availability/Uptime
CIOs continue to be held to high expectations around system availability and uptime, from email to enterprise resource planning. In the survey, 47 percent of respondents indicated this as their top concern, outranking every other IT area. As more and more IT organizations move to hybrid environments between cloud and on-premises data centers, the complexity – and the opportunity for system outages, network issues and configuration errors – increases.
Compounding the impact of system outages is the data loss that often accompanies an unplanned outage. Nearly 50 percent of those surveyed reported experiencing a system failure that required a high-availability, disaster recovery or backup software tool to resume operations. Regrettably, those that had not deployed a “hot” backup server with ongoing replication experienced data loss: 35 percent reported losing up to an hour of data, 28 percent lost a few hours and 31 percent lost a day or more of data.
2. System/Data Security
Interestingly, although system availability is stated as the top concern, system/data security tops the list when it comes to investment plans, with 49 percent of surveyed companies stating they plan to invest in it in the coming 24 months. And while cybersecurity and protection against attacks from outside the enterprise continue to make headlines, unauthorized access from the inside remains a very present danger.
The survey also looked specifically at companies using IBM Power platforms to run their enterprise applications. Only 73 percent currently have their systems audited for security exposures, and of those, 10 percent audit no more often than once every two years. The 27 percent who do not audit at all, along with the 10 percent who audit only once every two years or less often, are at much greater risk of data breaches, particularly from internal users who may have access to files that are not being monitored.
3. Disaster Recovery
While system availability risk can be mitigated through various methods such as data center, network and power supply redundancy, many CIOs are being pushed by lean budgets to underfund these areas. As a result, outages occur, such as the one we witnessed at Atlanta’s Hartsfield-Jackson airport in December 2017, when a fire knocked out the power supply. Unplanned outages, whether of power, networks or systems, will happen; they are an unfortunate reality of our interconnected world.
When disaster does strike, the question then becomes, “How quickly can service be restored?” In the IT world, this is known as the RTO: recovery time objective. (Its counterpart for the data loss discussed above is the RPO, the recovery point objective, which bounds how much data an organization is willing to lose.) The goal is to keep RTO as low as possible. Unfortunately, the survey showed that only half of businesses are meeting their RTO, and, despite known risks, 85 percent of respondents either had no disaster recovery plan or were less than 100 percent confident in their plan, due to inadequate tooling and/or testing.
4. Server and Data Migration
Migrations to new hardware, databases or cloud deployments can also be high-risk propositions. They typically require planned downtime and must be performed quickly and under considerable stress. Forty-two percent of respondents noted that they had experienced a failed migration, and 68 percent reported their systems had been down for up to 48 hours during their last migration.
How You Can Help Mitigate These Risks
As a compliance professional, you have a key influencer role to play in helping mitigate these risks. Start by acting as a trusted advisor to your CIO, who is likely under intense pressure: higher-than-ever expectations from internal and external customers, a growing array of technologies to deploy for new business channels and opportunities, and increasingly stretched and underfunded financial and human resources. CIOs must know that they have an ally in the compliance function who can help escalate true risks to the business, including support for appropriate funding of risk-mitigating technologies and personnel. If your organization is not currently at “best practice” in these areas, encourage your CIO and IT leadership to better understand what plans, policies and solutions can help minimize these common challenges around data availability and resiliency.