Employees 'more of a worry than terrorists'

IT directors are more concerned about the security threat posed to systems by staff than by terrorist attacks, according to new research

Employee blunders and hardware and software failures are more of a worry for IT directors than the much-hyped threat of terrorism when it comes to disaster recovery planning, according to a new survey.

Half of the 877 IT directors interviewed for the research cited human-related issues -- accidental errors and malicious behaviour -- as the main threat to the security of their business. Almost two-thirds also cited hardware failure, while 59 per cent said software failure and viruses are a significant threat.

But only a quarter said terrorism is a major concern, and natural disasters such as floods were hardly mentioned by respondents.

Lindsey Armstrong, senior VP for Europe at Veritas, said in a statement: "What is surprising about this research is the fact that despite the recent obsessive concern with the threat of international terrorism, technology-related threats and potential human errors are still far more in the forefront of people's minds."

Worryingly almost a quarter admitted to not physically testing their disaster recovery plans at all and of those that do 37 per cent test only once a year. Yet 80 per cent said they had experienced unplanned downtime in the past year, with over a quarter suffering downtime on a quarterly basis or more. And 14 per cent had a system outage of between 24 and 48 hours, with 16 per cent of those suffering major data loss as a result.

Time, lack of budget and disruption to employees were the top three reasons given for not testing recovery plans.

IT departments are also putting their recovery plans at risk by not storing them securely, in many cases. Seventy per cent keep the plans in their main data centre, which isn't much use if it burns down. Only 20 per cent stored them away from the data centre and only 15 per cent store them offsite at a secure third-party location. An absent-minded 5 per cent admitted they had no idea where the plans are kept in the first place.

And despite the potential damage of a major failure, disaster recovery is being left to the IT departments to handle with the board taking little interest in the area. Responsibility is handed to the departmental IT manager in 56 per cent of cases and the divisional IT manager in 28 per cent of cases, while the CIO, CTO or IT director are responsible for disaster recovery in 22 per cent of cases.

Armstrong said: "Disaster recovery planning is fundamental to any organisation that is serious about its survival. Putting the security of data solely on the shoulders of the IT department isn't enough. In order to make the right business decisions about where budgets are allocated, what level of risk is involved in each area of the business and have a proper understanding of what is at risk if downtime occurs, the board must get involved. Shareholder value depends on the security of the company's data."

The annual survey was carried out by Dynamic Markets for Veritas. The research was conducted in large organisations with over 500 staff in the US, UK, France, Germany, Benelux, Spain, Sweden, Switzerland, South Africa, Austria, Poland, the Middle East, and Italy.