Why a Disaster Recovery Plan is Crucial for All Businesses

Are there businesses that have some inherent or acquired immunity from cyberattacks? There are none. Are there foolproof or absolutely effective cybersecurity solutions or strategies? Similarly, none.

These should be compelling enough reasons to come up with a disaster recovery plan. It does not matter how big or small a business is. Cyberattacks do not discriminate based on business size or type. The overwhelming majority of attacks do not target specific businesses. They are deployed indiscriminately and cybercriminals only pursue those that show weaknesses or vulnerabilities in their cyber defenses after conducting reconnaissance.

For businesses that need more reasons to start having a solid disaster recovery strategy, the following points should offer even more convincing insights.

Downtimes are extremely costly

How much do businesses lose when they are forced to have downtimes after a cyber attack? According to one study about the cost of downtimes, it can go as high as $50,000 per hour. The bigger the company is, the higher the downtime cost gets. Another report cites an even higher number, up to $1 million per hour.

Take note that downtime costs do not include the expenses for mitigation and remediation, which can also reach stratospheric levels depending on the damages incurred. Downtime costs only refer to the revenues lost as well as opportunity costs incurred by a company for going offline.

Through disaster recovery and business continuity planning, businesses can anticipate possible adverse events and come up with viable courses of action to make sure that the impact of disasters is mitigated and recovery is expedited. Downtime costs may not be completely eliminated, but they can be radically minimized and enable business continuity.

Recovery is generally slow

Businesses hit by cyberattacks usually take some time to recover. Data storage solutions provider DataCore says that only 2 percent of organizations recovered from a security incident within an hour and 54 percent of companies experienced downtimes that spanned over 8 hours or one business day.

Even with a very speedy rate of recovery, it is inevitable for businesses to lose thousands of dollars. There’s just no reason to allow the cost of downtime to grow any further. To emphasize, disaster recovery plans do not guarantee zero losses after a successful cyberattack. They do not equate to instant recovery. However, they help speed up recovery significantly. There’s no question that they serve a purpose and that it is indubitably better to have them than to have no recovery plan at all.

Up to 60 percent of small businesses never reopen after a disaster

To be clear, disaster recovery planning is not only intended for cyberattacks. It is also undertaken to be ready for disasters per se. These include floods, earthquakes, storms, fire, terror attacks, and other man-made calamitous events.

According to the Federal Emergency Management Agency (FEMA), 40 to 60 percent of businesses do not reopen after getting badly hit by disasters. They end up filing for bankruptcy because of the severe losses. For companies that encounter a major cyberattack, even if they manage to restore their operations sooner than later, the security incident can have other lasting consequences.

Companies may struggle to continue operating because of reputational damage. Even if they manage to restore their business activities sooner than later, customers may start hesitating to rely on their products or services because of the lost confidence in their security.

SaaS provider Code Spaces, for example, was forced to shut down after a multi-stage attack disrupted its operations and cast doubt on the company’s capability to protect the accounts or data of its customers.

Code Spaces previously touted its ability to weather cyber attacks. “Backing up data is one thing, but it is meaningless without a recovery plan … Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced,” the company once claimed on its website, which has since been deleted.

The speed of reopening affects recovery success

Data from FEMA also show that around 90 percent of businesses fail or close down within the following year if they fail to bring back their operations within five days after a disaster struck. This alarmingly high rate of failure suggests that slow reopening is not the way to success.

Although most companies can only manage to slowly recover and reopen their business establishments after a disaster, study findings point to the need for more agile responses to unexpected events. The longer it takes for a business to recover, the greater the risk of permanently closing down

Without a disaster recovery plan, companies will be grasping at straws to deal with the consequences of a disaster, let alone return to normal operations. Slow recovery creates opportunities for competitors to fill the void created by the downtime and temporary shutdown of operations.

Wrong to blame nature

Some businesses may have the mindset that it is acceptable if they fail to recover quickly because it is almost impossible to overcome the wrath of nature. However, according to data compiled by Seagate, only 5 percent of downtimes can be attributed to natural disasters. The leading causes are hardware failure (55 percent), software failure (18 percent), and human error (22 percent).

Examples of hardware failures are firmware errors, device configuration modifications, network congestion, and server hardware problems. The human errors include user-based accidents and the accidental deletion of critical files. Meanwhile, software failures include the ineffectiveness of software security controls, firmware and hardware incompatibility, and the failure to patch or update software to address recent vulnerabilities.

Disaster recovery plans help

While there are no authoritative expansive studies yet that quantify the benefits of having a  disaster recovery plan, there have been surveys that demonstrate the real impact of disaster recovery plans.

A study by independent automation manufacturer Aveco found that 80 percent of companies that do not have a disaster recovery plan tend to fail within a year after the attack. Meanwhile, 43 percent do not re-open at all, and 93 percent of those experienced significant data losses. Disaster recovery and business continuity plans deliver real-world benefits, but it is important to remember that there is no one-size-fits-all plan. Companies need to carefully craft disaster recovery and business continuity strategies based on their specific circumstances. As inferred in the points discussed above, these plans should make it fast and easy to recover and return to


Dee is a well-respected business journalist with a deep understanding of global financial markets and a talent for uncovering the stories behind the numbers. With over 20 years of experience covering the business beat, Dee is known for his in-depth reporting and analysis of industry trends, as well as his ability to make complex financial concepts understandable to a wide audience.