In October, 2014, NTT Communications surveyed a broad range of mid-size to enterprise organizations across a variety of sectors, including �nance, life sciences, government, manufacturing and technology, to assess how prepared they were to deal with a disaster a�ecting ongoing continuity of their business operations. The results paint a troubling picture.

The NTT Communications Disaster Recovery and Business Continuity Readiness survey revealed

that only slightly more than half of the surveyed organizations have a documented disaster recovery plan in place. A similar percentage of the surveyed organizations do not perform any of type of testing or preparation of their BCDR plans. Of those who do perform testing, only a quarter can state with any con�dence that tests met target recovery objectives de�ned by the business.

Is your company prepared to preventDOWNTIME AND DATA LOSS?THE NTT COMMUNICATIONS DISASTER RECOVERY & BUSINESS CONTINUITY READINESS SURVEY

$7,900

The survey results are reason for concern. When asked about the �nancial impact of a disaster event disrupting normal business operations, close to half of all respondents could not e�ectively estimate the cost per hour of downtime to their organization. A clear indication of inadequate awareness of the risk of a disaster to the organization as well as a propensity to under-budget for preparation, the survey reveals. Of those respondents who were able to put a value on the cost of downtime, estimates ranged from $100,000 to $1,000,000. While the majority of surveyed organizations acknowledged having one or more compliance or regulatory obligations requiring BCDR plans

The survey results indicate a high level of awareness of the need for business continuity and disaster recovery planning, yet many organizations acknowledge that they have no formal BCDR plans. For organizations that do have plans, there is often a one-dimensional approach favoring a single technology rather than a mix of BCDR techniques. This reliance on a one-size-�ts-all strategy highlights a substantial disconnect between budgets allocated to the planning and technology of BCDR and the areas of the business at greatest risk of downtime and data loss during a disaster.

Inadequate Awareness and Preparedness are Reasons for Concern

There is No Such Thing as a One-Size-Fits All BCDR Strategy

THE NTT COMMUNICATIONS DISASTER RECOVERY & BUSINESS CONTINUITY READINESS SURVEY

be in place, fewer than half had adequate funding for these initiatives. For those with funding, many reported relying on a single approach to disaster preparedness, even though this would limit their ability to prioritize recovery of individual business applications during an outage and meet required recovery objectives. Every business application has a di�erent tolerance for downtime and data loss. This often re�ects the importance of the application to the organization. For example, it might be possible to recover data lost from a system that processes supplier invoices by having vendors resubmit documentation, but data lost from an online customer order system may be gone forever. An organization’s ability to cope with application downtime and data loss can be measured by recovery time objective (RTO) and recovery point object (RPO).

About the Survey RespondentsThe NTT Communications Disaster Recovery and Business Continuity Readiness Survey examined how businesses in di�erent industry segments, sizes, and verticals plan for recovery scenarios.

Survey respondents were primarily from mid-market companies (52%) with revenues between $50 million and $1 billion. Businesses with revenues of greater than $50 million contributed 33% of responses, withlarge corporations with ($1 billion to $10 billion) contributing 15%.

When examined by industry or vertical segment,�nancial and legal accounted for 20% of responses, 20% were local, state or federal government, 15% healthcare and life sciences, manufacturing 15%,and 30% representative of other industries including advertising, media, high-tech, and retail.

Survey Questions Focused Primarily on Four Key Areas of Inquiry

Media, Finance, Healthcare, Technology and Government

Every business application has a di�erent tolerance for downtime and data loss. This often re�ects the importance of the application to the organization. For example, it might be possible to recover data lost from a system that processes supplier invoices by having vendors resubmit documentation, but data lost from an online customer order system may be gone forever. An organization’s ability to cope with application downtime and data loss can be measured by recovery time objective (RTO) and recovery point object (RPO).

RTO and RPO

RTORTO measures the amount of downtime a business can withstand during an application outage without incurring signi�cant loss. This is often measured in minutes, for business critical applications, to hours or even days for less important applications.

RPORPO measures an organization’s tolerance for data loss during application downtime. In the previous example, the online customer order system might have an RPO measured in seconds, whereas applications using data that can be easily recreated may have a much longer RPO.

• The presence of disaster recovery plans• The budgets and strategies used for disaster recovery readiness• The e�ectiveness of disaster recovery and business continuity planning• How con�dent organizations feel in their disaster recovery planning e�orts

THE NTT COMMUNICATIONS DISASTER RECOVERY & BUSINESS CONTINUITY READINESS SURVEY

We Heard from C-level IT Executives at Mid-Market Companies

The survey was conducted as a blind, web-based questionnaire directed to IT professionals in executive, management, and strategic roles with responsibilitiesfor evaluating, implementing, or approving the use of information technology. Respondents were mixed by title and functional responsibility with 25% in C-level management in information technology (IT), information systems (IS), or information architecture (IA), 30% in senior management (VP or higher), 30% in management

Raising Disaster Recovery Awareness is Essential to BCDR PlanningIt is unfortunately common for companies to spend more time assessing the technology of disaster recovery than they do gaining a clear understanding of the BCDR needs of the organization. This is somewhat understandable as it takes the dedicated time and e�ort of business leaders and key stakeholders to identify what is most important to the organization during an extended period of downtime. For example, Sales teams may place value on access to email and customer relationship management (CRM) systems.

For �nance, a functional �nancial management system will likely be more important than email. Customer support may place greater value on contact center systems and the phone system.

The e�ort to understand the needs of individual areas of the business is essential in establishing the priorities that guide BCDR planning. The majority of companies surveyed for the NTT Communications Disaster Recovery and Business Continuity Readiness survey indicated that they are aware of the need for disaster recovery and business continuity planning. However, surprisingly, only half of all companies surveyed employ more than a single method for data protection. More than 40% of respondents said there had not been a comprehensive analysis done on their most important line of business applications to determine the degree of �nancial impact a BCDR event would have on the business. This type of analysisis essential in determining the speed in which individual business applications need to be recovered.

level (director and below). 15% of survey respondents fell into the category of consultant or third party �rms. Although slanted towards US-based corporations, survey responses were received from organizations around the globe. 92% of respondentsindicated they were from US-based businesses with roughly 6 in 10 operating major business operations globally. The largest global operations were in Western Europe (18%), Asia/Paci�c (17%), Latin American (12%), and the Middle East or Africa (7%).

THE NTT COMMUNICATIONS DISASTER RECOVERY & BUSINESS CONTINUITY READINESS SURVEY

DO NOT have adocumented DR plan

Have NEVERconducted testingof recovery plans

Of execs surveyedagree BCDR is important

Across all industries and all functional levels (C-level, management, and administrators) there was a full understanding of the need for proper BCDR planning. However, 9 out of 10 respondents indicated that less than 5% of the IT annual budget had been allocated to disaster recovery planning and tools, and 56% believed they are either under-funded or are still trying to determine how to meet their

Mandated Compliance, Regulatory Oversight and CovenantsReducing the risk of downtime and data loss is increasingly a legal issue for many organizations. A long list of government regulations now dictate requirements for data integrity, which encompasses data loss from unforeseen outages, and IT system resilience. With many organizations highly dependent on IT for revenue generation and pro�tability, investment and banking covenants are also beginning to specify mandatory service levels forcritical applications.

Strict BCDR Planning is a Legal Obligation for Most BusinessesWhen asked whether BCDR preparedness was a regulatory or business requirement, 5 out of 10 respondents stated it was a strict requirement of the business, while 3 in 10 indicated that it wasboth a regulation and business requirement.

Less than 5% of Annual IT Budgets Allocated to BCDR

Respondents to the NTT Communications Disaster Recovery and Business Continuity Readiness survey represent a wide variety of industries and more than half (55%) indicated that they are held to oneor more external compliance or regulatory obligations. These regulations impose strict rules around recovery and business continuance, based on the line of business or the information requiring protection.

THE NTT COMMUNICATIONS DISASTER RECOVERY & BUSINESS CONTINUITY READINESS SURVEY

could not estimatethe hourly cost ofDOWNTIME

Only 1 in 10 asserted that their recovery e�orts are solely driven by regulations. Respondents were asked to select the regulations that apply to their industry. The top �ve regulations listed were:HIPPA: 55%, PCI: 36%, ISO: 26%, NIST/FERPA: 25%

recovery goals within the budget that has been allocated. These results present a signi�cant challenge. While companies continue to acknowledge that there are many unforeseen business risks to prepare for, there is still a sizable gap in both funding and resources to e�ectively meet their full recovery time objectives (RTO) and recovery point objectives (RPO).

DOWNTIME RECOVERY

do not konw theadditional cost ofRECOVERY SERVICES

Legal Penalties Increase Cost of Downtime to OrganizationsSurprisingly, 2 out of 10 respondents (20%) in IT positions stated that they are “not sure” if their business is under any regulatory requirements for disaster recovery or if there is a compliance risk for not meeting certain BCDR objectives. This would indicate that there is still a need to improve e�ective communication and align the objectives of business leaders and information technology professionals in meeting regulatory requirements. In addition, there would appear to be a percentage of the business community that is not taking the compliance risks seriously or does not fully understand the risks. At the end of the day, the cost of downtime to an organization may not solely be the easily identi�ed operational losses. It may also include penalties from compliance, regulatory oversight, and covenant obligations that were unmet.

Techniques for Disaster Recovery are Many and VariedResponses to the NTT Communications Disaster Recovery and Business Continuity Readiness survey make it abundantly clear that many organizations are not making e�ective use of the variety of disaster recovery techniques available to them. A large percentage (50%) rely on a strategy

The Majority of Businesses Still Rely on Backup and RecoveryProviding adequate BCDR protection requires a well-coordinated mix of backup, replication, and application-aware high-availability technologies. There are many di�erent business critical applications within the enterprise; only with a robust array of BCDR solutions will organizations be able to meet the varying rates in which di�erent applications must be recovered (RTO) and the window of data loss that is acceptable to the business (RPO) from each. Organizations that rely on a single recovery technique cannot provide the

ocused solely on periodic backups for data protection. Other BCDR techniques being used include replication to a backup site (50%), hosted backup site (20%), combined public, private, and hybrid cloud for a backup site (12%), and subscription disaster recovery as a service (DRaaS) (5%).

�exibility needed to ensure adequate protection. This puts them at risk of signi�cant data loss and downtime from an outage event. One possible reason organizations continue to emphasize a single BCDR approach is lack of oversight. When asked whether a full review of all line of business applications had been conducted by management, with priorities established for recovery during an outage event, more than 40% of respondents answered “no” or “unsure.”

THE NTT COMMUNICATIONS DISASTER RECOVERY & BUSINESS CONTINUITY READINESS SURVEY

companies surveyedREQUIRED TO COMPLYWITH BUSINESSRECOVERY REGULATIONS

total respondents inIT MANAGERS that areUNSURE if there was aCOMPLIANCE RISK fortheir company

Alarmingly, Most BCDR Plans are Rarely - If Ever - Tested

Of further cause for concern is the �nding that, although 58% of respondents indicatedthat a written BCDR plan exists, 55% do not conduct regular BCDR testing and 23% have never conducted testing. For those organizations that regularly test their BCDR plan, only 26% indicated that they hit their target objectives.

Many Organizations Are Not Well Prepared for an Extended Outage

The NTT Communications Disaster Recovery and Business Continuity Readiness survey provides invaluable insight into the business continuity and disaster recovery preparedness of a broad range oforganizations. The results shed a harsh light on BCDR practices and show that many organizations are ill prepared for an extended outage to critical business systems.Disaster used to be reserved for catastrophic events a�ecting the entire organization, but

Greater Alignment Between Businesses and IT is Necessary

The BCDR readiness survey clearly identi�es the need for greater alignment between business andIT decision makers. While many organizations appear to have robust BCDR plans in place and use a combination of recovery techniques tailored to the needs of individual applications, just as many organizations do not. Over reliance on single recovery solutions, like tape-based backup, is a telltale sign that business leaders within the organization are not being involved in BCDR planning decision-making. For the health and longevity of the organization, it is essential that these practices change. Business leaders can bring a much needed dose of market realism to the discussion of disasterrecovery, identifying which IT systems are critical to the survival of the organization following a disaster.

The responses to the survey underscore the gap that still exists for many companies in BCDR planning. What was not clear was whether the gaps were due to lack of �nancial resources, lack of expertise or time, lack of business and technology alignment, or a combination of these reasons

can now be applied to almost any occurrence that knocks critical systems o�ine for even a short period of time. This includes mishandled software upgrades,hardware failures, and data breaches that cause systems to be locked down to prevent further exposure. Common daily disasters that plague IT environments cause many hours of downtime annually. BCDR planning has to take these into account along with the anticipation of conventional cataclysmic events.

Together, key stakeholders from IT and business can identify the RTO and RPO metrics for critical apps. Thesemetrics are essential for marshaling scarce IT manpower, budget, and technology resources in protection of the organizations assets. While the BCDR readiness survey makes it clear that a healthy percentage of businesses look to service providers for help bridging the �nancial, technical, and recovery time gaps in their disaster preparedness coverage, many more organizations still have an opportunity to leverage this option. Through the use utility infrastructure, highly available platforms, automation, and DRaaS o�erings, IT organizations can augment their existing BCDR solutions to deliver signi�cantly higher levels of availability, and shorter recovery and testing windows, at a fraction of the cost.

THE NTT COMMUNICATIONS DISASTER RECOVERY & BUSINESS CONTINUITY READINESS SURVEY

NTT Communications is a true global company with 140 data centers worldwide, enabling multi-national enterprises to reap the �nancial and operational bene�ts from single sourcing their telecom and IT needs.

Recovery as a service (RaaS) is a key operational component of our Cloud Vision strategy.

NTT Communications Cloud Recovery ServiceNTT Communication’s Cloud Recovery service protects business operations by performing nearreal-time replication of all operating systems, applications and data to a secure environment in NTT Communication’s Enterprise Cloud. Cloud Recovery is a managed service that provides secure server replication, with automated failover and failback. The service requires no capital investment and can be deployed within hours. Cloud Recovery consists of two o�erings that can operate independently or together:

Cloud-to-Cloud server replication between NTT Communication data centers for organizations currently using NTT services and applications.

NTT Communications Data and Application ContinuityNTT Communication’s Cloud Backup, powered by Asigra, is an agent-less architecture that continuously backs up business data to an NTT Communication data center. Cloud Backup supports compression and de-duplication and only copies changed data, reducing network bandwidth requirements.

Backup data is hosted on enterprise-class storage in the NTT Communication data center and is fully encrypted in compliance with Federal Information Processing Standard (FIPS) 140-2. Virtual disaster recovery and application restoration ensure mission critical data and applications are easily recovered in the event of an outage

NTT Communications Recovery as a Service (RaaS)

THE NTT COMMUNICATIONS DISASTER RECOVERY & BUSINESS CONTINUITY READINESS SURVEY

Premises-to-Cloud server replication between your private IT infrastructure and an NTT Communications data center

NTT Communications provides consultancy, architecture, security, and cloud services to optimize the information and communications technology (ICT) environments of enterprises. These o�erings are backed by the company’s worldwide infrastructure, including the leading global tier-1 IP network, Arcstar Universal One™ VPN network reaching 196 countries/regions and 140 secure data centers worldwide.

NTT Communications’ solutions leverage the globalresources of the NTT Group: the #1 data center provider in the world. The NTT Group companies include Dimension Data, NTT DOCOMO, NTT DATA and other leading technology companies.

NTT America’s Cloud Archiving service provides a cloud-based archival solution that satis�es mandated regulations for the long-term storage of a business data, �les and applications. Establishing the end-to-end chain of custody is critical for many archives. Cloud Archiving satis�es this requirement through monitoring and tracking who has access to certain types of information and when. The end-to-end chain of custody document generated by the Cloud Archiving service enables an organization to prove in a court of law that data was not changed or manipulated while archived. When archived data is changed, a SAS 70 continuous archive auditing system notes the time, person, and change made to the archive. Cloud Archiving ensures data preservation, integrity, and compliance while dramatically reducing archiving costs.

THE NTT COMMUNICATIONS DISASTER RECOVERY & BUSINESS CONTINUITY READINESS SURVEY

These o�erings are backed by NTT Communications Worldwide Infrastructure

THE LEADING GLOBAL TIER-1 IP NETWORK

ARCSTAR UNIVERSAL ONE VPN NETWORKREACHING 196 COUNTRIES/REGIONS

140 SECURE DATA CENTERS WORLDWIDE

For more information on NTT Communications Disaster Recovery solutions, visit these links:Top 10 Disaster Recovery Pitfalls Disaster Recovery Self Assessment

visit our website: www.us.ntt.comInfographic with Survey HighlightsNTT COMMUNICATIONS

For more information on services from

THE NTT COMMUNICATIONS DISASTER RECOVERY & BUSINESS CONTINUITY READINESS SURVEY

NTT COMMUNICATIONSCLOUD RECOVERY SERVICE

NTT COMMUNICATIONSCLOUD BACKUP

NTT COMMUNICATIONSCLOUD ARCHIVING

Real-time replicationof all operatingsystems, applicationsand data to a secureenvironment

Provides continuous, fullyencrypted backup incompliance with FederalInformation ProcessingStandard (FIPS), whilereducing network bandwith

Long term datapreservation that enablesan organization to prove in a court of law that data was not changed or manipulated while archived