There’s good news and bad news when it comes to downtime in the IT world. On the upside, because of developing technology, IT systems are stronger and more reliable than they have ever been. Unfortunately, this hasn’t translated to a significant dip in the amount of unplanned downtime occurring globally.
Why hasn’t downtime become less common in response to technological progress? Looking closely at some of the disaster recovery statistics from 2021 can help make sense of these seemingly contradictory facts.
How Serious Is the Risk of Downtime?
For now, let’s limit the discussion to only one cause of downtime: ransomware. Although it is only one of many potential contributors to downtime, the number of highly publicized attacks makes it one of the easiest to examine and quantify.
Ransomware attacks have exploded since 2020. Recently, the frequency appears to have leveled off, but experts believe that this is not because attackers have lost interest. Rather, they have improved their techniques and are more focused. As a result, the prominence of the targets and the effects of the attacks have both escalated. Consider some of these specific examples that occurred throughout 2021.
- Acer: In March, the REvil/Sodinokibi ransomware gang demanded $50 million, breaking the record for the highest ransom by a cyberattacker.
- Colonial Pipeline: DarkSide effectively shut down a pipeline serving the East Coast in May, with Colonial opting to pay the $5 million ransom only one day after the attack.
- Planned Parenthood: The data of 400,000 users was stolen in a ransomware attack against the Los Angeles Planned Parenthood organization in October.
- Various victims: In July, REvil launched an attack against thousands of organizations worldwide, paralyzing grocery chains, IT services, software companies, and medical services, among others.
REvil’s July attack was in many ways a harbinger of things to come, as many cybercriminals have chosen to shift their interest to smaller businesses and organizations that are less likely to draw the protection of the United States government. Similar motivations were at play in April 2022 when the ransomware gang known as Conti launched an attack against the government of Costa Rica, demanding a $20 million payment. Offices throughout the country, including tax and customs, utilities, and public health services, were taken offline, and President Chaves Robles declared a state of emergency in response.
All of these examples help illustrate two key points. First, organizations of every size, location, and kind are vulnerable to attacks and at risk of experiencing extended downtime. Second, the effects of downtime can be devastating on multiple fronts. In the case of Colonial, a temporary outage led to gas shortages and hoarding. The Planned Parenthood attack exposed sensitive information of patients. In Costa Rica, teachers and other public employees missed paychecks, and important health services were delayed.
This is just a glimpse of what the world faces when it comes to the threat of disasters and downtime. To get a broader perspective on this critical issue, let’s dive into some of the most notable statistics from the past year.
What Are the Common Causes of Downtime?
There are many possible causes of unscheduled downtime. Some can be prevented with proper planning and execution, while others are unavoidable forces of nature. There are a few causes that tend to dominate the IT landscape.
Failures & Outages
When a system fails, it can be catastrophic for a data center. The downside of technology, of course, is that its ability to function is reliant on many factors, like hardware and software, power, and climate control. According to the Uptime Institute, these kinds of outages and breakdowns are responsible for a large portion of incidents that result in downtime.
- Networking issues are the most common cause of IT downtime.
- Power problems are responsible for 43% of outages classified as significant. The most common cause of these power issues is the failure of uninterruptible power supplies (UPS).
- Hardware and software failures account for approximately 14% of IT downtime.
Having readily available backup sites and reliable data backup solutions can help ease the pain when a system fails.
While they aren’t the most common cause, ransomware attacks often get a large share of the attention when it comes to IT downtime, and not without good reason. They are dramatic events with significant sums of money in play.
However, the media focus is typically on incidents within large organizations, which sometimes eclipses the astounding regularity of cyberattacks and the high likelihood that every business will experience them at some stage.
- There were over 600 million ransomware attacks in 2021, more than double the previous year.
- In the first half of 2022, there were 2.8 billion malware attacks worldwide.
- According to a 2022 ransomware report by Veeam, 44% of survey respondents worldwide who were infected by ransomware were exposed when users accidentally clicked malicious links, visited insecure websites, or engaged with phishing emails.
- On average, over 75% of malware is received over email.
- Despite the incredibly high risk of data exposure, nearly two-thirds of companies have more than 1,000 sensitive files open to all employees.
While the current cyberattack statistics are deeply troubling, predictions for the future are practically nightmarish. Some experts estimate that ransomware will cost victims approximately $265 billion by the year 2031. Others argue that this number may be too conservative, with ransomware attacks growing exponentially over the next decade.
How Many Companies Experience Downtime?
It’s difficult to identify a specific number of organizations that experience downtime. Some businesses may not report outages or cyberattacks, and others may try to understate the severity of an event. Overall, however, studies show that most data centers experience outages at some point.
- The percentage of data centers experiencing outages has remained relatively steady, with 80% of data center managers reporting that they experienced some type of outage in the last three years.
- One in five managers reports experiencing a serious outage that caused severe damage to the organization’s finances, reputation, or compliance.
- Acronis reports that 76% of organizations experienced downtime due to data loss in 2021.
Business owners who have not yet experienced downtime should not let their guard down. The numbers reflect that most organizations will experience an outage at one point or another, and it is critical to prepare in advance to reduce the negative effects that occur as a result.
What Is the Cost of Unplanned Downtime?
It’s clear at this point that downtime is a reality for many organizations, but why does that matter? To put it simply, downtime is extremely costly. According to IDC’s Worldwide State of Data Protection & DR Survey, outages lead to major negative outcomes for organizations:
- Direct revenue loss is a result of more than 30% of outages.
- Productivity is lost in almost 50% of incidents.
- Approximately 40% of outages cause damage to a brand’s reputation.
- Among organizations that experience outages, 43% lose data.
A closer look at specific financial losses underscores how severe these risks can be, particularly for small or medium-sized organizations that lack the financial capital of larger businesses.
- In 2021, over 60% of outages resulted in a minimum of $100,000 in total losses, a startling increase from 39% in 2019.
- In that same time frame, outages that cost $1 million or more increased from 11% in 2019 to 15% in 2021.
- Almost two of every three midsize organizations experienced a ransomware attack in the past 18 months, and 20% of them spent at least $250,000 to recover from it.
- A recent study found that one hour of server downtime costs $300,000 or more for 91% of mid-sized and large enterprises.
- Of those enterprises, 44% said that hourly outage costs range from $1 million to over $5 million.
For many organizations, it’s impossible to recover from this degree of financial damage. FEMA has spent several years emphasizing this point by explaining that around 25% of businesses that experience a disaster never reopen.
Which Organizations Are Most Vulnerable to Downtime?
Every type of organization could potentially experience significant downtime. However, there are certain industries that are more frequently targeted by cyber attackers, increasing the likelihood that downtime will occur.
- During the first quarter of 2022, bad actors directed 23.6% of global phishing attacks toward financial institutions.
- According to “The State of Ransomware 2021” by Sophos, 44% of retail businesses reported experiencing a ransomware attack.
- Likewise, 44% of education organizations said that they had been targeted by ransomware.
- Attackers have increased their attention on smaller businesses, with 70% of the attacks in 2021 targeting businesses with fewer than 500 employees.
Although organizations in these areas may face heightened risk, other businesses are by no means safe. As recent history has shown, medical offices, local and national governments, and major corporations are all among the many potential victims of disasters.
How Does Disaster Recovery Planning Help Reduce the Damage of Downtime?
The threat of downtime is very real, which means that it’s vital for organizations to protect themselves. Yet, despite the flashing signs warning that businesses are at risk, many organizations have left themselves exposed by either not developing a plan or failing to follow through on the plan that they have.
Building & Testing a Plan
An effective disaster recovery plan is the foundation of business continuity, ensuring that a company can keep its doors open in spite of an outage. It’s thus rather distressing to know that, in 2021, only 54% of organizations reported having a documented, company-wide disaster recovery plan in place. To be fair, this is an improvement over prior years, but it is still woefully inadequate when considering what’s at stake.
Even companies that have documented their disaster responses are not always well-prepared. The most carefully considered recovery plan will inevitably fall short without proper testing. Of the organizations with a developed plan, the majority test it no more than once a year, and 7% conduct no testing at all. When asked, the majority of organizations with infrequent testing acknowledged that their recovery plans may be inadequate.
Creating & Following Effective Practices
Not every period of downtime is preventable. There is no way to control whether a tornado or hurricane knocks out power. However, many incidents are a result of human error, and according to Uptime, nearly 80% of operators view their downtime incidents as preventable.
Developing sound practices and offering thorough training to ensure that employees follow them could be all that stands between a business and disaster. Even if it’s not possible to prevent every incident, making them less frequent is an attainable goal that can save considerable money over time. In fact, companies with frequent outages experience costs that are 16 times higher than companies with fewer instances.
Data Backup & Protection
Data is one of the foremost concerns of organizations that experience a disaster. Data breaches can expose customers’ and employees’ sensitive information, and lost data can permanently hinder a business’s operations. Having regular and secure data backups is key to self-preservation.
- Approximately 78% of organizations worldwide rely on up to 10 different solutions for data security, yet cyberattacks and downtime remain steady, indicating that the quality of protective measures is far more important than the number.
- Even when data is successfully backed up, it may not be safe, with almost 70% of ransomware victims reporting that the attack affected some or all of their backup repositories.
- Although 32% of organizations paid a ransom to restore their data in 2021, on average, only 65% of the data was ultimately recovered.
- In contrast, 57% of organizations used backups to restore data and achieved higher success rates.
Investing in a high-quality data storage system or turning to a reliable data recovery service is essential for businesses that are trying to survive a crisis.
How Can Businesses Successfully Respond to Disasters?
It’s impossible for any organization to prevent every possible disaster, and, despite their best efforts, businesses will continue to experience unexpected downtime. Prevention is important, but it can only offer a certain degree of protection from external and internal elements that can suddenly upend a well-constructed system.
The question then becomes not only how to prevent downtime but also how to mitigate the effects. We began by discussing ransomware, and this seems like a good time to return to it. Ransomware attacks offer a great opportunity to outline some steps that businesses can take to protect themselves.
- Implement advanced BCDR solutions: When businesses have the right measures in place, recovery is almost instant, virtually eliminating downtime and disruptions in customer-facing services.
- Set a more aggressive Recovery Point Objective: With the appropriate technology, businesses can back up data as often as every five minutes without draining their system resources, minimizing data loss in the event of a disaster.
- Isolate infections immediately: While shutting down systems may interrupt customer access, it will also prevent infections from spreading and worsening the severity of the attack.
- Think twice before paying a ransom: As the numbers reflect, paying a ransom doesn’t guarantee that a business will have full data recovery, and negotiations can encourage hackers to go public and continue their efforts.
- Make appropriate contacts: Ransomware attacks can create significant problems when it comes to compliance, so businesses must follow the proper guidelines for contacting the pertinent regulatory bodies and, when necessary, law enforcement agencies.
Developing a rigorous process for preventing and responding to an attack, and outlining it in a disaster recovery plan, can help reduce both the frequency and duration of downtime. That way, when disaster does strike, customers will hardly notice, effectively protecting both your finances and your reputation.
Where Can Businesses Turn for More Support?
These disaster recovery statistics demonstrate the importance of building a viable plan, but for many organizations, this is no small feat. It requires thoughtful analysis and the selection of the best possible technology and services, not to mention an investment of time and money. Businesses that feel overwhelmed by this process might default to creating no disaster plan at all or one that is so basic that it offers little benefit in the face of an actual crisis.
Fortunately, there are valuable resources available for organizations that want to learn more about practical and effective business continuity solutions. If you want to create an effective disaster recovery plan or strengthen the one you already have, reach out to the experts at Invenio IT.