At the Storage Decisions 2004 conference late last month, Microsoft announced that it would enter the backup and recovery market next year with the Microsoft Data Protection Server (DPS), a low-cost, disk-based continuous backup and recovery solution. The timing of the announcement couldn't have been better. The four hurricanes that have battered Florida so far this year underscore the need for disaster recovery plans, and two new research reports indicate that although many companies give lip service to developing disaster recovery plans, a frightening percentage of enterprises are completely unprepared for major disruptions in their IT infrastructures.

Even more worrisome, the cost of downtime is escalating sharply, as is the number of business-critical applications companies must support. And to add an exclamation point to these findings, the percentage of companies that have had to execute their disaster recovery plans has increased in the past year.

Here are the numbers. A study sponsored by VERITAS Software and conducted by Dynamic Markets, a United Kingdom-based market research company, found that only 38 percent of the 1259 IT professionals polled around the world had in place a comprehensive, integrated disaster recovery and business continuity plan. Only 44 percent of the respondents use backup software for disaster recovery purposes. Effective backup is generally considered a basic component of any disaster recovery program.

These findings are echoed by a study that industry analyst Tom Coughlin, of Atascadero, California-based Coughlin Associates, conducted earlier this year in conjunction with Peripheral Concepts, a market research company specializing in storage and storage management topics. In a survey of 1000 companies of all sizes, Coughlin found that only 30 percent of respondents mirror their data in a remote site. Although 35 percent of the companies polled said that they plan to implement remote mirroring, 26 percent don't intend even to store critical data offsite.

IT professionals realize the risks they take by not having a disaster recovery plan. In the Dynamic Markets survey, 92 percent of respondents acknowledged that their organizations would face serious consequences if there were a major disruption of their IT infrastructures. Nonetheless, 40 percent had no idea how long it would take to restore even skeletal operations if a natural disaster destroyed their primary data center. A minuscule 3 percent believe that they could restore operations immediately, and only 28 percent think they could restore very basic operations with 12 hours.

Meanwhile, the cost of downtime is growing dramatically, according to the study that Coughlin conducted. Nine percent of the respondents to his survey indicated that every hour of downtime would cost them $1 million or more in lost business. More than half the respondents place the cost of downtime at more than $10,000 an hour.

That cost is growing, Coughlin found, because the number of mission-critical applications is growing. Interestingly, customer relationship management (CRM) applications top the list of critical applications, followed by email and Web transactions. Accounts receivable grabbed only the fourth spot. This ranking reveals a fundamental shift in the value of IT from its historical role of managing back office operations to its current responsibility of providing customer-facing applications as well as internal and external communications.

As IT has become more pervasive throughout the enterprise, companies that have disaster recovery plans have needed to put them into action more frequently than in the past. More than half (54 percent) of the respondents in the Dynamic Markets study had to execute their disaster recovery plan last year, up from 35 percent the year before. The most common trigger for the disaster recovery plan was software and hardware failure (37 percent), followed by external causes such as viruses and attacks (26 percent), natural disasters such as floods and fires (14 percent), and internal causes such as accidents or malicious employee behavior (13 percent).

If the risks of not having a disaster recovery plan are so great and IT professionals understand those risks, why do so many companies leave themselves exposed? The answer is complexity and cost. Establishing and maintaining remote data centers isn't a trivial undertaking--the task takes time, expertise, and money at a time when IT costs remain under intense scrutiny. Moreover, like insurance, disaster recovery is an investment in technology that people hope they'll never have to use.

That's why the Microsoft entry into the field is so intriguing. Microsoft frequently makes complex enterprise applications available and more affordable to a much broader spectrum of the business community. But the question is, can companies afford to wait? Microsoft’s DPS won't be available until the second half of 2005.