The Data Health Check is a snapshot of the world of IT, Cyber Security
The COVID-19 crisis spans each of those categories and more. It is the greatest continuity incident of our lifetime.
We’ve been running the Data Health Check since 2008 and this year the survey took place just after the UK went into lockdown.
Although some of our findings reveal shortcomings in Business Continuity Planning and remote working practices, I would highly commend the way organisations responded. Governments and businesses moved quickly to adapt and continue operations through the lockdown. There are countless lessons to be learned but we should be proud of the displays of flexibility, ingenuity, patience and community.
Running this survey over many years allows us to track long-term trends. One such trend is Cyber. Each year, the outlook has been a little bleaker, with cyber attacks affecting more organisations, causing downtime and data loss. This year, however, we are at last starting to turn the tide. The years of hard work scaling up Cyber defences are paying dividends.
That would never be a simple change from one year to the next, but between 2017 and 2020 it’s clear what impact it has made.
Prior to the Coronavirus outbreak, did your organisation have a plan for pandemic response?
The most striking response we found this year was that two thirds of organisations surveyed said they did not have a plan for an infectious disease pandemic, despite 61% claiming to have an up-to-date Business Continuity Plan.
Do you have a Business Continuity Plan?
We’ve been impressed by the growth in Business Continuity Plans over the last five years, but this crisis has revealed a profound gap in that process for many organisations.
How has Coronavirus affected your business?
The impact of Coronavirus has been fast and severe. Half of organisations reported Loss of revenue as a consequence. Reduced hours, Pay cuts, Redundancy and staff furlough were also reported. It should be repeated that this survey took place in late March and early April 2020 so it is likely that these actions have increased further since then.
What were the causes of any data loss over the last 12 months?
For as long as we have been running the Data Health Check, the two chief causes of data loss are always Hardware Failure and Human Error. They fluctuate a little, but there is no trend up
Cyber causes, however, have been trending upwards every year. That changed in 2020. This is the first year we have seen Cyber Attack decrease as a cause of data loss. A Cyber Attack does not necessitate a loss of data if it can be adequately defended against or the data restored from backups. This is the first sign of organisations finally starting to get a handle on the cyber threat.
Have you tested your Disaster Recovery in the last 12 months?
Testing and exercising is critical to good resilience.
Firstly, the only way to be certain that systems truly can be recovered within agreed timeframes is by testing them.
Secondly, the process of exercising has value in itself. Practising those actions develops a kind of muscle memory. That way, when you need to recover in anger, you’re not doing it for the first time.
Have you tested your Disaster Recovery process specifically against cyber threats?
Here’s another good indicator of turning the tide.
In 2017 we started asking whether organisations that had tested their DR plans were specifically testing their Disaster Recovery against cyber threats.
Now, 77% of organisations are, up from 59%.
More organisations are testing their DR and more are testing against cyber. It’s this proactivity that we need to improve our defence against cyber threats.
Do you have sufficient Cyber Security skills to deal with the current threat landscape?
Here is the most explicit indicator that organisations are getting a handle on the cyber threat. Since 2017, there has been an increase of over 10 percentage points in those who feel they have the skills to deal with the
That still leaves 36% who don’t feel adequately skilled, but the battle can’t be won overnight. It takes training, time and investment to make that change.
Which takes us to…
Has your IT security budget increased in the last 12 months?
And here is the foundation of that change. Since 2017, there has been a steady growth in increasing or maintaining IT security
The only way to turn the tide was to hire the right people, invest in training and development and get better at it. That was never going to be a quick fix between one year and the next, but from 2017 to 2020 it’s clear what impact it has made.
Have you evaluated your continuity risks for cloud services compared with on-premises IT?
Throughout the 2010s there was a rush to cloud computing. It was the panacea that promised to solve every IT problem. When the hype subsided, we had a real picture of both the benefits and the limitations of cloud computing.
In 2016, less than a third had evaluated the risks. Five years on, although there’s been a big improvement, still fewer than half of organisations have evaluated cloud-specific continuity risks.
Do you add any additional backup or recovery capabilities for your cloud services?
Of course, evaluating your risks is just the first stage. If you find unacceptable risk, you need to do something about it. You can add additional backups for cloud data.
In 2016, that was something only 28% of organisations actually did. Five years on, and now two thirds of organisations put in place additional backups (within the same cloud, to another cloud provider or back to on-premises systems).
Although the majority of organisations can allow remote access to some degree, the methods of accessing applications are far from standard. 14% are forced to use applications locally and later transfer data. It’s a method that does work in a pinch but it’s more of a work-around than by-design. Our experience says that these manual processes are the ones most likely to go wrong and cause more pain later.
During the Coronavirus lockdown, could staff working from home access all systems?
When staff work from home, how do they access corporate systems?
When staff work remotely, who owns the device they use?
The other variable in remote working is the device itself. Over half of organisations use personally owned devices for some or all employees.
From a security perspective, company ownership is the simplest to manage but many organisations didn’t have devices for every employee and weren’t able to source enough at the time of lockdown.
In any other year, the improvements in Cyber Security would be the biggest take-away from the survey.
It’s a trend we’ve been keeping a close eye on. Not only were cyber threats growing each year, but the rate of increase was growing too. This year, that trend slowed and, in some cases, reversed.
But that doesn’t mean the war has been won. We’ve long considered cyber security to be an arms-race between businesses and criminals. The criminals moved first and businesses have been playing catch-up ever since. We might have closed the gap now but if we don’t keep up our pace we’ll soon fall behind.
The improvements have come from sustained investment and effort and the only way to maintain these gains is to keep going. So keep going.
But that’s not the front-page story this year. 2020 will forever be the year the world was changed by COVID-19. The timing of the Data Health Check makes it a fascinating snapshot of the world at the beginning of lockdown. I look forward to comparing these results next year. I predict dramatic changes in remote working and continuity practices.