FREEDOM OF INFORMATION ACT
FalconStor FOIA Research Report
‘Could Disaster Recovery Become A Technology Blind Spot For UK Local Authorities?’
Data protection and security are big news, and serious incidents frequently grab the headlines across public and private sector organisations alike. Yet the inability to protect data is often only part of the story. How well do public sector organisations in particular react when human error, IT failure, cyber attack or some other unforeseen event, cause disaster? How seriously do they take their responsibilities to retrieve data in the event of loss? And how quickly can they recover?
By necessity, the UK public sector holds large amounts of personal, often confidential data for large sections of the population. Local authorities are among those public sector bodies that have a special set of responsibilities to safeguard data that the general public must provide. This study sets out to understand how well local authorities in particular are placed to respond to, and recover from, a data breach.
The data was gathered via a Freedom of Information Act (FOIA) request, responded to by 429 local authorities in England, Wales, Scotland and Northern Ireland. It asked to what extent authorities protect data via Disaster Recovery (DR) plans, how quickly they aim to recover in the event of an incident and how often these DR plans are called upon.
In addition, local authorities were also asked about their DR investment planning for the next year.
The lack of a DR plan could mean that should councils be affected by a cyber attack, equipment failure or human error, personal data could be permanently lost or fall into criminal hands.
But where is the risk? The research revealed that personal data held by local authorities for over 3.5 million UK citizens is not protected by any DR plan. That figure represents a group bigger than the populations of Manchester and Birmingham combined (or 6% of respondents as a whole).
This is a significant figure, despite numerous examples of public sector data loss and the perennial risks posed by issues such as ransomware and human error hitting the headlines. But despite growing awareness of the need for effective DR, over 50% of councils will make no further investment in DR this year, and 4% will decrease.
Additionally, the research highlighted that in the past 12 months, 85% of councils have not had to use their DR plan, making it difficult to know whether or not the plan is effective or how long it takes to recover data. Despite this, nearly two-thirds of councils (63%) have a minimum target time in which to recover lost data. 5% of those respondents aim to have data back in one to two hours, 10% in half a day and the remainder in ‘a day or more’.
Specific question areas
Question 1: Do you have a Disaster Recovery plan in place to protect data?
While 93% of respondents reported that they have a DR plan in place, 6% do not. The final 1% of the 429 authorities surveyed were unable to say whether they had a plan in place or not.
Question 2: Have you got a set time in which you have to recover lost data by?
63% of respondents reported that they do have a set time in which to recover data, whereas 34% do not.
Question 3: If yes, how long is this period?
16% of local authorities aim to recover lost data in half a day or less, with only 5% aiming for a recovery time of 1-2 hours, and less than 1% (0.68) aiming for less than one hour.
For the remaining 50%, recovery times vary according to a range of factors including the nature of the system and department affected, type of data lost and when the incident occurred.
Question 4: In the last 12 months, how many times have you had to use a Disaster Recovery plan and how long did it take you to recover data?
85% of respondents have not used their DR plan in the last 12 months. Nearly 10% (9.91) have used it once, 3% twice and 1.65% three times or more.
Question 5: How long did it take to recover your data?
In these circumstances, nearly 34% (33.9) of respondents recovered data in 1-2 hours, 32% in half a day and 27% in one day or more. Nearly 7% (6.8) were not able to say how long data recovery took having activated their DR plan.
Question 6: In the next 12 months, does your council plan to increase, decrease or not change spending on Disaster Recovery?
Nearly 52% (51.9) of respondents plan to make no changes to their DR spending in the next 12 months, while 22% do not know whether spending will increase or not. For the remainder, 22% plan to increase DR spend and nearly 5% (4.7) plan to decrease.
Question 6: Do you have a central resource to manage your Disaster Recovery across multiple departments?
88% operate a central resource to manage DR across multiple departments, just over 10% do not, and just over 2% (2.4) were unable to say.
While the majority of councils have realised the importance of having DR plans in place, the research highlights that more work needs to be done both in implementing plans and testing them thoroughly.
Cyber threats are continuing to evolve, while human error and natural disasters are always likely to present significant risks, so it is important that public bodies and organisations alike don’t stand still when it comes to protecting data. Having a central resource to manage DR plan across multiple departments is key to protecting public information, if DR is not to become a significant blind spot for UK local authorities.
If data is lost, fines are likely to be handed out by the Information Commissioner’s Office. With key information, such as payment details and personal data, as well as services at risk, it is important that councils plan ahead in order to protect their data – it is certainly better to prepare for the worst, rather than being caught off-guard.
But just having a DR plan does not mean the organisation in question is prepared. The research demonstrates that although there are plans in place, not all of them have been used, and IT teams need to test their solutions regularly so that if disaster strikes, they are prepared to get back up and running as soon as possible.
The FalconStor Approach to Disaster Recovery
Today’s challenges require a new, software-defined approach that eliminates vendor lock-in, proprietary platform silos, increased complexity, and lack of hardware and software compatibility. Only FreeStor addresses those challenges head on and delivers real value to help organisations reduce costs and eliminate silos, while providing real flexibility and freedom.
FreeStor gives customers the power to seamlessly migrate, recover, protect, and optimise data – on or off the cloud – without tying their business to specific hardware, networks, or protocols. Whether you are an Enterprise deploying a Private Cloud, or you are an MSP or CSP offering hosted /hybrid cloud services, FreeStor is optimised to deliver common data services at a lower cost to own, implement and manage.
FreeStor consists of the FreeStor Management Server centralised database, FreeStor Storage Servers and the FreeStor Global Dedupe Repository. The FreeStor Management Server handles storage virtualisation through FreeStor’s Intelligent Abstraction® layer. Storage administrators can use the FreeStor GUI from any browser, smartphone or tablet. The high-availability platform includes Active-Active I/O clusters and REST APIs to enable Enterprises, MSP’s and Cloud Providers to integrate FreeStor in existing management consoles.
FreeStor connects robust yet flexible data protection and Disaster Recovery to the cloud. It enables organisations to seamlessly migrate, protect and recover data in the cloud without being tied to specific hardware, networks or protocols. This makes it an ideal solution for businesses that are looking to cut costs and recovery time, as well as enabling Managed Service Providers (MSPs) to offer Backup-as-a-Service (BaaS) or Disaster-Recovery-as-a-Service (DRaaS) offerings.
FreeStor can move any workload – running on a physical server or virtual machine – from an on-premise environment to a public cloud infrastructure, such as Amazon Web Services (AWS) or Microsoft Azure, to provide solutions for DR, backup, and optimised storage infrastructure.
Using FreeStor, MSPs and Cloud Service Providers (CSPs) can offer consistent on-premise and cloud-based services more readily, as well as incorporate public cloud offerings at lower costs. They can also offer both secondary and tertiary site alternatives to on-premise and hosted facilities. In addition to eliminating hardware vendor lock-in, FreeStor eliminates MSP and CSP lock-in with the ability to enable "cloud hopping" should the need arise to change cloud or MSP vendors. Users do not find their data trapped in proprietary formats or hindered by the lack of tools to move data quickly in a cost-optimised manner.