The Data Health Check is a snapshot of the world of IT, Cyber Security and Resilience.
The COVID-19 crisis spans each of those categories and more. It is the greatest continuity incident of our lifetime.
We’ve been running the Data Health Check since 2008 and this year the survey took place just after the UK went into lockdown.
Although some of our findings reveal shortcomings in Business Continuity Planning and remote working practices, I would highly commend the way organisations responded. Governments and businesses moved quickly to adapt and continue operations through the lockdown. There are countless lessons to be learned but we should be proud of the displays of flexibility, ingenuity, patience and community.
Running this survey over many years allows us to track long-term trends. One such trend is Cyber. Each year, the outlook has been a little bleaker, with cyber attacks affecting more organisations, causing downtime and data loss. This year, however, we are at last starting to turn the tide. The years of hard work scaling up Cyber defences are paying dividends.
That would never be a simple change from one year to the next, but between 2017 and 2020 it’s clear what impact it has made.
Peter Groucutt
Managing Director
Prior to the Coronavirus outbreak, did your organisation have a plan for pandemic response?
The most striking response we found this year was that two thirds of organisations surveyed said they did not have a plan for an infectious disease pandemic, despite 61% claiming to have an up-to-date Business Continuity Plan.
Do you have a Business Continuity Plan?
We’ve been impressed by the growth in Business Continuity Plans over the last five years, but this crisis has revealed a profound gap in that process for many organisations.
How has Coronavirus affected your business?
The impact of Coronavirus has been fast and severe. Half of organisations reported Loss of revenue as a consequence. Reduced hours, Pay cuts, Redundancy and staff furlough were also reported. It should be repeated that this survey took place in late March and early April 2020 so it is likely that these actions have increased further since then.
What were the causes of any data loss over the last 12 months?
For as long as we have been running the Data Health Check, the two chief causes of data loss are always Hardware Failure and Human Error. They fluctuate a little, but there is no trend up or down.
Cyber causes, however, have been trending upwards every year. That changed in 2020. This is the first year we have seen Cyber Attack decrease as a cause of data loss. A Cyber Attack does not necessitate a loss of data if it can be adequately defended or data restored from backups. This is the first sign of organisations finally starting to get a handle on the cyber threat.
Have you tested your Disaster Recovery in the last 12 months?
Testing and exercising is critical to good resilience.
Firstly, the only way to be certain that systems truly can be recovered within agreed timeframes is by testing them.
Secondly, the process of exercising has value in itself. Practising those actions develops a kind of muscle memory. That way, when you need to recover in anger, you’re not doing it for the first time.
Have you tested your Disaster Recovery process specifically against cyber threats?
Here’s another good indicator of turning the tide on cyber.
In 2017 we started asking if organisations who have tested their DR plans were specifically testing their Disaster Recovery against cyber threats.
Now, 77% of organisations are, up from 59%.
More organisations are testing their DR and more are testing against cyber. It’s this proactivity that we need to improve our defence against cyber threats.
Do you have sufficient Cyber Security skills to deal with the current threat landscape?
Here is the most explicit indicator that organisations are getting a handle on the cyber threat. Since 2017, there has been an increase of over 10 percentage points in those who feel they have the skills to deal with the threat landscape.
That still leaves 36% who don’t feel adequately skilled, but the battle can’t be won overnight. It takes training, time and investment to make that change.
Which takes us to…
Has your IT security budget increased in the last 12 months?
And here is the foundation of that change. Since 2017, there has been a steady growth in increasing or maintaining IT security budgets.
The only way to turn the tide was to hire the right people, invest in training and development and get better at it. That was never going to be a quick fix between one year and the next, but from 2017 to 2020 it’s clear what impact it has made.
Have you evaluated your continuity risks for cloud services compared with on-premises IT?
Throughout the 2010s there was a rush to cloud computing. It was the panacea that promised to solve every IT problem. When the hype subsided, we had a real picture of both the benefits and the limitations of cloud computing.
In 2016, less than a third had evaluated the risks. Five years on, and although there’s been a big improvement, still less than half of organisations have evaluated cloud-specific continuity risks.
Do you add any additional backup or recovery capabilities for your cloud services?
Of course, evaluating your risks is just the first stage. If you find unacceptable risk, you need to do something about it. You can add additional backups for cloud data.
In 2016, that was something only 28% of organisations actually did. Five years on, and now two thirds of organisations put in place additional backups (within the same cloud, to another cloud provider or back to on-premises systems).
Although the majority of organisations can allow remote access to some degree, the methods of accessing applications are far from standard. 14% are forced to use applications locally and later transfer data. It’s a method that does work in a pinch but it’s more of a work-around than by-design. Our experience says that these manual processes are the ones most likely to go wrong and cause more pain later.
During the Coronavirus lockdown, could staff working from home access all systems?
When staff work from home, how do they access corporate systems?
When staff work remotely, who owns the device they use?
The other variable in remote working is the device itself. Over half of organisations use personally owned devices for some or all employees.
From a security perspective, company ownership is the simplest to manage but many organisations didn’t have devices for every employee and weren’t able to source enough at the time of lockdown.
In any other year, the improvements in Cyber Security would be the biggest take-away from the survey.
It’s a trend we’ve been keeping a close eye on. Not only were cyber threats growing each year, but the rate of increase was growing too. This year, that trend slowed and, in some cases, reversed.
But that doesn’t mean the war has been won. We’ve long considered cyber security to be an arms-race between businesses and criminals. The criminals moved first and businesses have been playing catch-up ever since. We might have closed the gap now but if we don’t keep up our pace we’ll soon fall behind.
The improvements have come from sustained investment and effort and the only way to maintain these gains is to keep going. So keep going.
But that’s not the front-page story this year. 2020 will forever be the year the world was changed by COVID-19.
The timing of the Data Health Check makes it a fascinating snapshot of the world at the beginning of lockdown. I look forward to comparing these results next year. I predict dramatic changes in remote working and continuity practices.
Peter Groucutt
Managing Director