The 2010 Symantec Disaster Recovery Study surveyed 1,700 enterprises, revealing that virtualization and cloud adoption complicate disaster recovery (DR) planning, with only 20% of virtual environments protected adequately. Key challenges include resource constraints, a lack of proper testing, and heightened concerns about cloud security, as organizations struggle with downtime averaging 5 hours, exceeding the expected 2-hour recovery time. Recommendations emphasize treating mission-critical data uniformly across environments, employing integrated toolsets, and prioritizing low-impact backup solutions to minimize downtime.

1. 2010 Symantec Disaster Recovery Study
Global Results

2. Methodology
• Applied Research performed survey
• 1,700 enterprises worldwide
• 5,000 employees or more
• Cross-industry
2

3. Key Findings
• Virtualization and Cloud Make DR Complex
• The Downtime Recovery Gap
• Impact of Disaster Recovery Testing
• Recommendations
3

4. Virtualization and Cloud Make DR Complex
4

5. Virtual Environments Protected Properly?
• 56% of data on virtual systems is regularly backed up
• Only 20% of virtual environments protected by replication or
failover technologies
5

6. Lack of Tools, Decrease of Virtual Protection
• 58% report different tools for virtual and physical environments
is a challenge
• Virtualization led 84% to reevaluate DR plans in 2010
• 60% of virtualized environments not covered in DR plans
6

7. Storage and Resource Constraints an Issue
• 59% identified resource constraints (people, budget, and space)
as the top challenge when backing up virtual machines
• 57% state that the lack of primary and 60% state that lack of
backup storage hampers protecting mission critical data
7

8. Cloud Causes Security and Control Issues
• Organizations put 50% of applications in the cloud
• 66% say security is main concern of cloud
• 55% say control is biggest challenge of cloud
8

9. The Downtime Recovery Gap
9

10. Downtime Recovery Gap
• Expectation of downtime for outage = 2 hours
• Actual downtime in last 12 months = 5 hours
• Median of 4 incidents in past 12 months
10

11. Major Causes of Downtime
• 72% experience downtime from
system upgrades (50.9 hours)
• 70% experience downtime from
power outages and failures (11.3
hours)
• 26% conducted a power outage
and failure impact assessment
• 63% experience cyber attacks
(52.7 hours)
11

12. Impact of Disaster Recovery Testing
12

13. Improvement In Testing Frequency and Success
• 82% test more frequently than once a year
• Significant increase from 66% who reported same in 2009
• 40% of tests fail to meet RTO/RPOs
13

14. Reasons for not testing
• Budget (60%)
• Disruption to employees (59%)
• Disruption to customers, sales & revenue stream (24%)
• Lack of people’s time (26%)
• Cost of testing: $606,948
14

15. Symantec Recommendations
15

16. Recommendations
• Ensure that mission-critical data and applications are treated the
same across environments (virtual, cloud, physical) in terms of DR
assessments and planning
• Use integrated tool sets for managing physical, virtual and cloud
environments to save time, training costs and help better automate
processes.
• Embrace low-impact backup methods and deduplication to ensure
that mission-critical data in virtual environments is backed up,
efficiently replicated off campus
• Prioritize planning activities and tools that automate and perform
processes which minimize downtime during system upgrades
• Implement solutions that detect issues, reduce downtime and recover
faster to be more in line with expectations
• Don’t cut corners on basic technologies and processes that protect in
case of an outage

17. Appendix
All questions included
17

18. Demographics

19. Company titles
D: What is your title?
0% 10% 20% 30% 40% 50%
Chief Information Officer (CIO) / Chief Technology Officer (CTO) 24%
VP / SVP 43%
Data Center Maanger or Data Center Director 7%
IT Manager 17%
IT Staff 7%
Other (Please specify) 2%

20. Industries
E: What is your market?
0% 5% 10% 15% 20% 25%
Financial 10%
Manufacturing 10%
Technology 10%
Telecommunications 9%
Healthcare 8%
Automotive 7%
Consumer 7%
Insurance 7%
Retail 7%
Education 4%
Energy 4%
Media 3%
Online 3%
Public sector 3%
Transportation 3%
Real estate 2%
Other (Please specify) 2%
Hospitality 1%

21. Data Center Questions

22. Downtime
Q1: How many of each of the following has caused your organization to
experience downtime in the past five years?
(Mark all that apply.)
0% 20% 40% 60% 80% 100%
System upgrades 72%
Power outage / failure / issues 70%
Fire 69%
Vonfiguration change management issues 64%
Cyber attacks 63%
Malicious employee behavior 63%
Data leakage or loss 63%
Flood 48%
Hurricane 47%
Earthquake 46%
Tornado 46%
Terrorism 45%
Tsunami 44%
Volcano 42%
War 42%
Other (Please specify) 1%

23. Downtime
Q2: How many hours of downtime has your organization experienced in
the past 12 months for each of the following?
(Means shown)
0.0 10.0 20.0 30.0 40.0 50.0 60.0
Cyber attacks 52.7
System upgrades 50.9
Configuration change management issues 15.1
Fire 15.0
Power outage / failure / issues 11.3
Malicious employee behavior 10.4
Terrorism 9.6
Earthquake 9.3
Data leakage or loss 9.1
Flood 8.3
Hurricane 7.8
Tornado 7.4
War 7.2
Volcano 6.9
Tsunami 6.9
Other (Please specify) 1.6

24. Downtime
Q3: As measured by hours of downtime, what is your number one cause
of downtime?
0% 10% 20% 30% 40% 50%
System upgrades 48%
Cyber attacks 13%
Power outage / failure / issues 8%
Fire 6%
Flood 4%
Configuration change management issues 4%
Data leakage or loss 4%
Earthquake 2%
Malicious employee behavior 2%
Tsunami 2%
Volcano 2%
Terrorism 2%
Hurricane 1%
Tornado 1%
War 1%
Other (Please specify) 1%

25. Threat assessments
Q4: Which of the following threats has your organization conducted an
impact assessment?
0% 20% 40% 60% 80% 100%
Cyber attacks 69%
System upgrades 67%
Earthquake 48%
Terrorism 48%
Hurricane 44%
Power outage / failure / issues 26%
Data leakage or loss 26%
Configuration change management issues 25%
Fire 24%
Malicious employee behavior 23%
Flood 16%
Tsunami 6%
Tornado 6%
Volcano 5%
War 4%
Other (Please specify) 1%

26. DR responsibility
Q5: Which person in your organization has the ultimate responsibility
for managing the disaster recovery plan?
0% 20% 40% 60% 80% 100%
Chief Information Officer (CIO) / Chief Technology Officer (CTO) 61%
IT Manager 12%
Disaster Recovery Manager (DRM) 9%
Data Center Manager or Data Center Director 6%
VP / SVP 4%
Business Continuity Manager (BCM) 3%
IT Staff 2%
External consultant / outsourcer 1%
None - we do not have a disaster recovery committee 1%
Other (Please specify) 0%
Don't know 0%

27. DR committees
Q6: Which of the following people are on your organization's disaster
recovery committee?
(Mark all that apply.)
0% 20% 40% 60% 80% 100%
Disaster Recovery Manager (DRM) 65%
Systems / infrastructure manager 56%
Chief Information Officer (CIO) / Chief Technology Officer (CTO) / IT Director 32%
Chief Executive Officer (CEO) 25%
Chief Security Officer (CSO) 25%
Divisional / Departmental IT manager 21%
Chief Financial Officer (CFO) 18%
Business Continuity Manager (BCM) 15%
Line of business executives / managers 11%
Other directors 8%
External consultant 8%
Non-IT senior managers 7%
None - we do not have a disaster recovery committee 1%
Other (Please specify) 1%
Don't know 1%

28. DR plans
Q9: What of the following are covered by your DR plan?
(Mark all that apply.)
0% 20% 40% 60% 80% 100%
HP-UX 55%
AIX 50%
Windows 40%
Solaris 23%
RedHat 18%
VMware 16%
SUSE Linux 11%

29. Replication
Q10a: Do you replicate critical applications between data centers?
No
8%
Yes
92%

30. Replication
Q10b: What replication technologies are used?
(Only asked of those who replicate critical applications between data centers)
(Mark all that apply.)
0% 20% 40% 60% 80% 100%
Database-based replication 69%
Application-based replication 68%
Array-based replication 65%
Host-based replication 34%
Other (please specify) 0%

31. Replication challenges
Q11: What is your primary challenge with storage array-based
replication?
0% 20% 40% 60% 80% 100%
Complexity of replication solutions 55%
Cost 25%
Limited WAN bandwidth (too much data) 17%
Hardware lock-in 3%

32. Disaster impact
Q13: How would you rate the potential impact that could results from a
disaster your organization is concerned about?
1 - Absolutely no impact 2 - Low impact 3 - Neutral 4 - Somewhat high impact 5 - Extremely high impact
100%
11% 13% 11% 14% 10% 10%
14% 14% 15%
90% 19%
80%
70% 40% 37%
44% 41% 39% 42% 37% 36%
42%
60% 41%
50%
40%
31%
32% 34%
30% 33% 32% 32%
32% 32% 34%
29%
20%
10%
10% 11% 10%
10% 7% 7% 8% 9% 7%
6% 12%
4% 5% 5% 5% 5% 6% 6% 7% 6%
0%
Data loss Cost of Reduction in Reduction in Damage to Configuration Damage to Damage to Damage to Decreased
downtime profits revenue competitive drift issues brand customer supplier employee
standing in the reputation loyalty relationships productivity
marketplace

33. Downtime costs
Q14: What would you estimate is the cost of an hour of downtime for
each of the following in your organization?
(Means shown)
$0 $10,000 $20,000 $30,000 $40,000 $50,000 $60,000 $70,000
Web servers $62,063
Custom line of business applications $55,324
Databases $47,769
ERPs / CRMs $42,265
Web commerce applications $41,117
Application servers $39,590
Messaging applications $24,571
Collaboration software $21,748
Email $18,409
Other (Please specify) $10,523

34. Outages
Q15: How many outages did you have in the past 12 months?
Mean 13.8

35. Downtime
Q16: In your estimation, how long was the average time of
downtime per incident in hours?
Mean 20.4

36. Disaster recovery budget
Q17: What is your annual disaster recovery budget?
Mean $964,599

37. Disaster recovery budget
Q18: In your opinion, which of the following best describes your
disaster recovery budget?
1 - Increasing 2 - Staying the same 3 - Decreasing
100% 3%
90%
80% 43%
70%
67%
60%
50%
26%
40%
30%
20%
31% 31%
10%
0%
Over the past 12 months In the next 12 months

38. Recession impact
Q19: How has the global recession impacted the resources available for
your disaster recovery planning?
0% 10% 20% 30% 40% 50%
Extremely negative impact 12%
Some negative impact 23%
No impact whatsoever 17%
Some positive impact 46%
Extremely positive impact 2%

39. Annual IT budget
Q20: What is your total annual IT budget?
Mean $13,573,258

40. IT budget allocation
Q21: What percentage of your IT budget is allocated towards
disaster recovery initiatives including backup, recovery,
clustering, archiving, spare servers, replication, tape, services,
DR plan development and offsite costs, etc.?
Median 26%

41. DR site status
Q23: What is the status of your disaster recovery site?
(Mark all that apply.)
0% 20% 40% 60% 80% 100%
It is hot standby 72%
It is managed by an outside vendor 63%
It is cold standby 17%
We don't have a disaster recovery site 3%

42. Failover / recoveries
Q24: What percentage of your failover / recoveries you perform is each
of the following types?
(Means shown)
0% 10% 20% 30% 40% 50%
Same-site failover / recovery 31%
Cloud failover / recovery 29%
Campus failover / recovery 22%
Global failover / recovery 18%

43. Recovery time
Q25: If a significant disaster were to occur at your organization that
destroyed the main data center, how soon would the organization be
able to do each of the following?
(In hours)
(Means shown)
2.5
2.4
2.4
2.3
2.2
2.2
2.2
2.1 2.1
2.0
1.9
1.8
Skeleton operations Mostly back up and running 100 percent up and running Operations would be able to continue
as normal despite the disaster

44. Recovery objectives
Q26: for the Tier 1 applications in your disaster recovery plan,
what are your recovery time objectives? What are your
recovery point objectives? (Medians shown)
Recovery Time Objectives 4
Recovery Point Objectives 5

45. Recovery objectives
Q27: For virtualized applications in your disaster recovery
plan, what are your recovery time objectives? What are your
recovery point objectives? (Medians shown)
Recovery Time Objectives 4.0
Recovery Point Objectives 5.0

46. Reevaluation
Q28: How often do you reevaluate your TO / RPO requirements or
change them for new applications?
0% 20% 40% 60% 80% 100%
Monthly 14%
Quarterly 16%
Every 6 months 52%
Once a year 10%
Every 1 - 2 years 4%
Every 2 - 3 years 1%
Less frequently than every 3 years 1%
On an ad-hoc basis 1%
Never 1%

47. Full scenario testing
Q29: How frequently does your organization carry out full scenario
testing of its disaster recovery plan, involving relevant people,
processes, and technologies?
0% 20% 40% 60% 80% 100%
Monthly 16%
Quarterly 15%
Every 6 months 51%
Once a year 11%
Every 1 - 2 years 3%
Every 2 - 3 years 1%
Less frequently than every 3 years 1%
On an ad-hoc basis 1%
Never 1%

48. DR testing cost
Q30: How much did you spend in the past year on DR testing?
Mean $606,948

49. DR testing cost
Q31: What was the cost of testing your disaster recovery plans
in the past year?
Mean $769,686

50. Successful tests
Q32: What percentage of disaster recovery tests successfully
recovered critical data and applications within RTOs / RPOs?
Median 70%

51. Recovery barriers
Q33: How many times did each of the following challenges prevent you
from recovery within the RPOs / RTOs?
(Medians shown)
0 1 2 3 4
Insufficient IT infrastructure at the DR site 3
Configuration issues 3
Discovery that the plan has become out of date 3
People do not do as they are supposed to 3
Processes turn out to be inappropriate 3
Technology does not do what it is supposed to 2
Other (Please specify) 0

52. Testing barriers
Q34: Which of the following do you consider to be barriers to running a
full scenario test on your disaster recovery plan?
(Mark all that apply.)
0% 20% 40% 60% 80% 100%
Resources, in terms of budget 60%
Disruption to employees 59%
Resources, in terms of people's time 26%
Disruption to customers 16%
Lack the technology to run the test 15%
Disruption to sales and the revenue stream 14%
Other IT projects taking a higher priority 13%
Not seen as a priority by top management 4%
None 3%
Other (Please specify) 0%

53. Deduplication
Q35: How far along are you in implementing deduplication?
0% 10% 20% 30% 40% 50%
Considering / planning, but have not yet purchased capabilities 20%
Purchased capabilities, but have not yet implemented 19%
Implemented, but have not been able to see ROI 10%
Implemented, able to demonstrate ROI 48%
Implemented, fell short of ROI 1%
Implemented, but too soon to demonstrate ROI 1%

54. Deduplication
Q36: How much budget would you estimate you save / would
save by implementing deduplication?
Mean $893,405

55. Deduplication
Q37: How much storage space, in terms of gigabytes, would
you estimate you save / would save by implementing
deduplication?
Mean 45,735 GB

56. Appliance form vs. Software model
Q38: Do you prefer an appliance form factor with software for
deduplication or a software delivery model built into existing backup
software that lets you use commodity hardware?
Appliance with software
44%
Software delivery model
56%

57. Reevaluating
Q39: Has implementing server virtualization caused you to reevaluate
your disaster recovery plan?
No
16%
Yes
85%

58. Virtual servers
Q40: What percentage of virtual servers is covered in your
disaster recovery plan?
Median 40%

59. Virtual applications
Q41: What percentage of the following applications are being put into
virtual environments at present?
(Medians shown)
0% 10% 20% 30% 40% 50%
Databases 26%
Application servers 25%
Web servers 25%
Messaging applications 23%
ERPs / CRMs 23%
Custom line of business applications 22%
Other (Please specify) 0%

60. Virtual applications
Q42: What percentage of each of the following applications will be put
into virtual environments 12 months from now?
(Medians shown)
0% 10% 20% 30% 40% 50%
Databases 26%
Application servers 25%
Web servers 25%
ERPs / CRMs 24%
Custom line of business applications 22%
Messaging applications 22%
Other (Please specify) 0%

61. Virtual servers
Q43: What percentage of the servers in your data centers are being
virtualized in each of the following?
(Medians shown)
0% 10% 20% 30% 40% 50%
Application test environment 30%
Patch testing environment 30%
Application development environment 30%
Production environment 30%

62. Backing up virtual environments
Q44: How do you back up virtual environments?
(Medians shown)
0% 20% 40% 60% 80% 100%
We utilize off-host technology (e.g., VMware VCB / v-Storage API) for "client-
50%
less" backups of VMs
Like a physical machine - standard Client (non deduplication) inside each
30%
virtual machine
Like a physical machine - except with deduplication client inside each virtual
30%
machine
Not backing up virtual machines 24%

63. Virtualization
Q45: What are the main reasons you have not virtualized more
applications?
(Mark all that apply.)
0% 20% 40% 60% 80% 100%
Performance 60%
Manpower / human resources 60%
Application vendor support issues 53%
Cost 29%
Skills 25%
Storage inefficiencies / storage costs too high 13%
Inability to meet service levels / availability requirements of the business 10%
Ability to recover and manage virtual environments 8%
Haven't though much about it 2%

64. Virtual server testing
Q46: How often do you test virtual servers as part of your disaster
recovery plan?
0% 20% 40% 60% 80% 100%
Daily 9%
Weekly 50%
Monthly 14%
Quarterly 13%
Semi-annually 7%
Yearly 5%
Less than once a year 2%
Never 2%

65. Challenges
Q47: What challenges have you faced in protecting mission critical data
and applications in virtual environments?
(Mark all that apply.)
0% 20% 40% 60% 80% 100%
Lack of available backup storage capacity 60%
Lack of primary storage capacity 57%
Lack of automated recovery 55%
Insufficient backup tools 39%
Lack of enterprise high availability 37%
Lack of enterprise storage management 19%
Different tools for physical and virtual environments 15%
Lack of scalability 7%
Other (Please specify) 1%

66. Challenges
Q48: How much of a challenge do each of the following present in
protecting mission critical data and applications in virtual
environments?
1 - Small Challenge 2 - Neutral 3 - Large Challenge
100%
90% 19%
30%
34% 36% 36%
80% 40% 40%
58% 54%
70%
60% 21% 44%
50% 28% 29%
30%
30% 30%
40%
30% 23% 30%
49%
20% 38% 38%
35% 35%
30% 30%
10% 20% 16%
0%
Lack of available Lack of primary Lack of Insufficient Lack of Lack of Different tools Lack of Other (Please
backup storage storage capacity automated backup tools enterprise high enterprise for physical and scalability specify)
capacity recovery availability storage virtual
management environments

67. Virtual applications
Q49: What percentage of your organization's data and mission critical
applications in virtual environments are protected by each of the
following?
(Medians shown)
0% 10% 20% 30% 40% 50%
Disk backup 25%
Continuous data protection 23%
Tape backup 22%
Online / cloud storage (ie online) 21%
Optical removable media (CDs, DVDs, Blu-ray, etc.) 20%
Data replication 20%
High availability failover 20%
Global or wide area failover 20%

68. Data backup
Q50: What percentage of the data on your virtual systems is
regularly backed up?
Median 56%

69. Virtual backup
Q51: How often do you back up the data on your virtual systems?
0% 20% 40% 60% 80% 100%
Daily 18%
Weekly 54%
Monthly 12%
Quarterly 9%
Semi-annually 4%
Yearly 2%
Less than once a year 0%
Never 1%

70. Virtual backup challenges
Q52: What is the top challenge with backing up virtual machines as
opposed to physical ones?
0% 20% 40% 60% 80% 100%
Resource constraints (people, budgets, and space) 59%
Application-consistent backups 16%
Lack of efficient technology / hardware / software 16%
Lack of efficient restore options 5%
Too much time required 4%

71. Email recovery
Q53: In terms of email or Exchange, which of the following is your
primary disaster recovery strategy?
0% 10% 20% 30% 40% 50%
Continuous data protection 34%
Email as a service 26%
Global failover 16%
Local failover 14%
Regular backup 5%
Cloud-based hosting 4%
Protecting data with snapshots 1%

72. Multi-tiered services
Q54: What challenges does your organization have with managing high
availability and disaster recovery for multi-tiered IT services?
(Mark all that apply.)
0% 20% 40% 60% 80% 100%
Failure to protect all components of the IT service 62%
Lack of coordination between application and data recovery solutions 57%
Having inconsisten levels of protection for different components of the IT
25%
service
Lack of understanding application dependencies 18%
Using manual recovery of the application, which is slow and increases the risk
14%
of error
Cross-functional teamwork and communication is lacking 9%
Other (Please specify) 2%

73. Multi-tiered services
Q55: How many hours does it take to recover your multi-
tiered services?
Mean 22.8

74. Cloud storage
Q56: How far along are you in implementing cloud storage?
0% 20% 40% 60% 80% 100%
Considering / planning, but have not yet purchased capabilities 61%
Purchased capabilities, but have not yet implemented 23%
Not considering 7%
Already implemented 8%

75. Cloud storage
Q57: Have you been able to measure an ROI for cloud storage?
0% 20% 40% 60% 80% 100%
Have not been able to see ROI 14%
Are able to demonstrate ROI 65%
Fell short of ROI 11%
Too soon to demonstrate 9%

76. Cloud computing
Q58: How are you using cloud computing initiatives to help with your
data center's disaster recovery plan?
0% 20% 40% 60% 80% 100%
Software as a service 57%
Backup to the cloud 17%
Failover to the cloud 11%
Not using cloud computing 6%
Recovery from the cloud 6%
Deploying cloud applications 4%

77. Cloud computing impact
Q59: What has been the impact of cloud computing to your disaster
recovery plan?
0% 20% 40% 60% 80% 100%
Extremely easier 16%
Easier 67%
No change 13%
More difficult 4%
Extremely difficult 0%

78. Cloud computing challenges
Q60: What are the biggest disaster recovery challenges you face when
considering implementing cloud computing / cloud storage?
0% 20% 40% 60% 80% 100%
Control failovers / make resources highly available 55%
Control of management of resources 14%
Ability to backup 14%
Security 12%
Expertise 4%
Other (Please specify) 1%

79. Cloud computing policies
Q61: Do you have written guidelines or policies in place for approving
cloud applications that use business sensitive or confidential
information?
No
15%
Yes
85%

80. Cloud computing
Q62: Who drives cloud computing initiatives?
0% 20% 40% 60% 80% 100%
CEO 55%
CIO / CTO 25%
IT managers 14%
Employee end users / business managers 5%
Employees who implement their own 1%

81. Cloud computing
Q63: What percentages of the following types of applications are you
putting into the cloud?
(Medians shown)
100%
90%
80%
70%
60%
50% 50%
50%
40%
30%
20%
10%
0%
Mission-critical applications Non-mission critical applications

82. Cloud computing concerns
Q64: What is the biggest concern with putting mission-critical
applications in the cloud?
0% 20% 40% 60% 80% 100%
Security 66%
Accessibility 14%
Control 12%
Management 6%
Backup 3%