
Too Few Companies Prepare For Disaster Recovery. How Does Your Plan Rate?

If you don't prepare ahead and test your plan, disaster might strike and it will all come crumbling down.

When we first published this article in 2017, the world was a very different place and the term ‘disaster recovery’ referred more to the occasional power outage or “1-in-100-year” weather event than to the global pandemics, climate catastrophes or the AI boom we’ve experienced since.

We’ve pulled the stats on best practice in disaster recovery planning in 2026. Is your disaster recovery plan up to date?

Disaster recovery (DR) planning is about making sure your business can get back up and running quickly. When something goes catastrophically wrong, be that a natural disaster, a system outage, or an employee clicking a dodgy link, a DR plan will minimise the damage and help you recover more quickly.

While disaster recovery is often seen as an IT responsibility, the reality is that it affects the entire organisation. DR plans enable role definition, fast decisions, and clear and timely communication to customers, suppliers and regulators. Without a tested disaster recovery plan, these moments are usually marked by confusion, downtime and unnecessary risk.

A global IT survey in 2025 found that 45% of CIOs cited the complexity of planning for cyber recovery as their greatest concern.

If your Disaster Recovery Plan is outdated, untested, or doesn’t exist yet, Computer One’s Managed Services can help you implement a proven, end‑to‑end disaster recovery solution tailored to your business.

Is a Disaster Response Plan Necessary?

A tested disaster recovery plan is essential. Disruption is inevitable and unprepared organisations lose time, data and confidence when it strikes.

Despite this, readiness remains low. 58% of Australian organisations admit they would only improve protection after a serious cyber incident. Regulators, insurers and supply chains increasingly expect proven recovery capability. Resilience has shifted from a “nice to have” to a baseline requirement.

But DR only works if plans are current, exercised and understood before a crisis hits. Yet fewer than one in five small businesses regularly audit their cybersecurity practices.

Case study: When a disaster recovery plan exists on paper but not in practice

In 2017, a Queensland Audit Office (QAO) review of four hospital and health services exposed a concerning gap between planning and preparedness.

Despite the size and critical nature of these organisations, three out of four were rated at only a “Basic” level of disaster recovery maturity, scoring just 1 out of 5. Disaster recovery plans existed, but recovery capability was limited, largely untested and unproven.

In response, the Queensland Government invested heavily in modernising health IT environments. More than $135 million was directed toward new systems and digital hospital initiatives, improving availability, resilience and infrastructure redundancy.

By 2019, these investments were delivering measurable improvements, with significant gains in system uptime reported. At the time, this progress suggested the sector was moving in the right direction.

Yet nearly a decade later, the underlying lesson remains relevant. Between 2017 and 2025 Queensland Health made real progress in recognising disaster recovery as critical infrastructure. However, despite stronger cyber controls and increased investment, improvement has not been uniform or complete.

The Queensland Audit Office’s Information Systems 2025 report shows that many of the same structural weaknesses persist. Though controls are in place, untested plans, fragile legacy systems, and inconsistent leadership oversight continue to undermine true resilience.

Key takeaway: disaster recovery only protects you when it is exercised, measured, and continuously improved, not when it exists solely to meet compliance expectations.

What “Good” Disaster Recovery Plan Testing Looks Like

Effective disaster recovery testing is not about complexity. It is about realism and repetition. Testing exposes assumptions that would otherwise only surface during a real incident.

Regular exercises should be a core part of resilience, not an optional extra. To test your response plan before disaster strikes, you should ensure:

1. Blended exercises are used, combining discussion-based scenarios with practical recovery tests.

  • Run role‑based tabletops (exec/board, legal/comms, ops/IT) and technical recovery drills (restore from clean backups, spin up alternates, fail over networking).
  • The ACSC and APRA both expect regular testing and plan reviews.

2. Realistic scenarios are rehearsed, covering both cyber (ransomware, SaaS/API outage, identity compromise) and physical (flood, power, facility loss) disruptions.

  • This should include supply‑chain disruptions and comms outages.
  • Simulations are a core element of DR testing because they expose decision and escalation gaps before a real incident.

3. Meaningful measures are captured and, if applicable, reported to the board.

  • Critical metrics to evaluate are:
    • Mean Time to Detect (MTTD): how long it takes you to discover breaches.
    • Mean Time to Repair/Respond (MTTR): time from detection until your system is fully operational again.
    • Percentage of critical services recovered within the Recovery Time Objective (RTO): your maximum tolerable downtime, i.e. how long systems can be offline.
    • How actual data loss compares to the Recovery Point Objective (RPO): your maximum tolerable data loss, i.e. how frequent backups should be.
    • Ability to meet potential OAIC Notifiable Data Breach (NDB) Scheme deadlines.
    • Customer communications timeliness.

4. Improvements are tracked, and tests are repeated to confirm issues have been resolved.
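To show how the timing measures in step 3 can be pulled from a single exercise, here is an added example (not part of the original article or any Computer One tooling) that scores constructed drill records. The service names, times and thresholds are invented, and it assumes downtime is measured from failure to restoration.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed drill results (not real data). RTO/RPO are minutes; times are
# clock times on the drill day; restored=None means never recovered.
# service, critical, rto, rpo, last_backup, failed, detected, restored
DRILL = [
    ("payroll",  True,  240,  60,   "08:30", "09:00", "09:10", "11:40"),
    ("email",    True,  120,  15,   "08:30", "09:00", "09:05", "11:35"),
    ("crm-saas", True,  480,  240,  "06:00", "09:00", "09:45", None),
    ("intranet", False, 1440, 1440, "01:00", "09:00", "09:20", "12:20"),
]

def _t(hhmm):
    return datetime.strptime(hhmm, "%H:%M") if hhmm else None

def _mins(start, end):
    return (end - start) / timedelta(minutes=1)

def score_drill(rows):
    """Summarise one exercise into MTTD, MTTR, RTO attainment and RPO breaches."""
    detect, repair, rpo_breaches, unrecovered = [], [], [], []
    critical = rto_hits = 0
    for name, is_crit, rto, rpo, backup, failed, detected, restored in rows:
        backup, failed, detected, restored = map(_t, (backup, failed, detected, restored))
        detect.append(_mins(failed, detected))
        if restored is None:
            unrecovered.append(name)   # counts as an RTO miss, gives no MTTR sample
        else:
            repair.append(_mins(detected, restored))
        if is_crit:
            critical += 1
            # Assumption: downtime is measured from failure to restoration.
            if restored is not None and _mins(failed, restored) <= rto:
                rto_hits += 1
        # Actual data loss: everything written since the last good backup.
        if _mins(backup, failed) > rpo:
            rpo_breaches.append(name)
    return {
        "mttd_min": mean(detect) if detect else None,
        "mttr_min": mean(repair) if repair else None,
        "pct_critical_within_rto": round(100 * rto_hits / critical, 1) if critical else None,
        "rpo_breaches": rpo_breaches,
        "unrecovered": unrecovered,
    }

if __name__ == "__main__":
    for key, value in score_drill(DRILL).items():
        print(f"{key}: {value}")
```

A service that was never restored during the drill is reported separately rather than averaged in, so it cannot make MTTR look better than it was.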

Case study: Bundaberg floods (March 2026)

The value of tested recovery plans was clearly demonstrated during the Bundaberg floods in March 2026. Preparedness directly influenced how quickly organisations were able to respond and recover when the Burnett River rose to major flood levels of approximately 7.4 metres.

Local government issued evacuation warnings and closed key bridges, leaving hundreds of businesses across the region disrupted. Significant operational pressure was placed on local services almost overnight. Bundaberg’s worst flood since 2013 serves as a reminder that physical disasters can be just as disruptive as cyber events.

A taskforce, referred to as the Local Disaster Management Group (LDMG), comprised representatives from SES, Ergon Energy, Maritime Safety Queensland, Transport and Main Roads and other state departments. The LDMG stood up on 9 March to assist with flood response and only stood down as the region shifted to recovery on 16 March. Defined roles, escalation paths and response processes planned and rehearsed in advance made this possible.

The speed of recovery actions reflected this preparedness. Within days of the initial impact:

  • Temporary workspaces were made available to support small businesses.
  • Business recovery information and grant support were communicated.
  • Alternative channels and simplified tools were introduced to keep information flowing as online systems became overloaded.
  • Clean‑up and waste removal efforts were mobilised, allowing many businesses to resume operations sooner than expected.

Key takeaway: The organisations that recovered fastest were not those reacting for the first time. They were the ones that had already rehearsed how to switch communications, operate from alternate locations and restore essential systems under pressure.

How Does Your Disaster Recovery Plan Rate?

Use these six questions as a quick litmus test. If you can’t answer “yes” to all, you’re not ready yet. But fear not, Computer One can help.

  1. Business Impact Assessment (BIA)
    Have you identified critical processes, mapped dependencies and clearly defined recovery priorities under plausible scenarios (flood, power, telecom, malware, SaaS outage)?
  2. Documented DR Plan
    Do you have a clear, practical plan that covers people, systems, suppliers and workarounds, and aligns with broader continuity and communication plans?
  3. Clear roles and awareness
    Do you know who does what during a disruption, and who has authority to make key decisions?
  4. Regular testing and leadership visibility
    Do you run annual (at a minimum) exercises? Have outcomes been reviewed by leadership or the board?
  5. Currency with tech stack
    Has the plan kept pace with changes in technology, suppliers, and working arrangements (cloud workloads, SaaS, identity, voice/UC, remote work, third parties)?
  6. Independent annual review
    Has an external specialist reviewed your readiness and evidence from tests (not just the document)?

If you fall short

It takes time and forensic detail to design, test and iterate a credible DR plan, but you’ll be glad you did when a cyber incident or flood hits.

As an interim solution, ACSC’s Business Continuity in a Box can help you build a baseline DR response to keep communication flowing during an incident and protect your core applications.

When you’re ready to build your bespoke DR Plan, Computer One can help you assess your security posture, understand your needs and produce a tailored document, ready for regular testing.

© 2026 Computer One Australia.