Canadian companies lax on disaster recovery

The findings of a Cap Gemini Ernst & Young study show that business owners in Canada are adopting a "not in my backyard"...

The findings of a Cap Gemini Ernst & Young study show that business owners in Canada are adopting a "not in my backyard" philosophy towards disaster recovery.

The report polled 40 chief executives and 40 chief information officers from 80 of Canada's top 1,000 publicly traded companies.

While 34% agreed that systems failure is the most critical risk to their overall business objectives, 36% admitted that they could not achieve a recovery time of 24 hours. "This certainly was a surprise to us. [The] numbers were higher than what we expected to see. We expected to see more of a shift since 11 September," said Doug McPhie, partner at Ernst & Young.

McPhie added that businesses are in a state of denial when it comes to the idea that their systems could fall victim to an attack. Over 25% of companies do not have any sort of business continuity or disaster recovery plan in place. And yet 83% of the respondents insisted that the information stored on their IT systems or local networks is secure.

McPhie said in Canada companies have made the basic investments around data protection by buying into technologies such as encryption and firewalls that only affect the perimeter of information, not the entire network.

"It's not an easy thing to put these plans together," McPhie said. "We're dealing with a number of companies that are trying to put various plans together, and they struggle with it just because of the complexity of their systems and of their business process."

He added that dotcom outfits, for example, are more concerned with growth than with system reliability even though past outages have been disastrous for several e-business sites.

"Companies need to be hardening their systems to deal with these incidents when they do happen," McPhie said. "And they need to be testing these plans on a regular basis. What you put together three or four months ago might not work currently."

"I'm always suspicious of numbers like this. It's a broad-brush approach to assessing readiness, said Steve Kruspe, chief information officer at Charles Schwab Canada. He added that while cost is always a significant factor, disaster recovery and security policies are ultimately implemented depending on business needs.

Kruspe said Charles Schwab has several recovery plans in place for different aspects of the business, both on and off-site. "It all comes down to an assessment of what exactly the dependency is on technology and how critical a failure is going to affect you."

Read more on IT risk management