Quest Survey: 75% of Firms Neglect DR Testing
A new survey from Quest Software found that over 75% of global organizations are not testing their identity disaster recovery (ITDR) plans frequently enough. Worse, 24% of the 650 IT and security leaders surveyed admit they never practice their DR plans at all, leaving them highly vulnerable to outages.
The survey's findings arrive as identity has become the primary entry point for modern attacks, with threats now including AI-driven campaigns and a massive sprawl of non-human identities. The complexity of hybrid Active Directory and Entra ID environments has expanded the identity attack surface faster than most security teams can manage.
Industry frameworks, cyber insurers, and regulatory guidance widely consider biannual testing the minimum acceptable frequency for identity disaster recovery. For highly regulated sectors like finance and healthcare, or for mission-critical applications, testing is often required quarterly or even more frequently, especially after significant infrastructure changes.
Recovering a compromised Active Directory is uniquely complex, with Microsoft's own documentation outlining dozens of high-level steps. Traditional backups often prove insufficient, as they can reintroduce malware or attacker persistence mechanisms, leading to reinfection upon restoration and prolonging the outage.
The financial stakes of a failed identity recovery are immense, with downtime costs potentially exceeding $1 million per hour. The 2021 Colonial Pipeline attack, which shut down 45% of the U.S. East Coast's fuel supply, originated from a single compromised VPN password, demonstrating how a single identity failure can cause widespread operational disruption.
While ITDR adoption has grown—with 57% of organizations now having a practice, up from 48% the prior year—recovery readiness remains a major blind spot. Experts note that organizations often overestimate their security posture by focusing heavily on threat prevention and detection while underinvesting in the ability to respond and recover. Key obstacles preventing more frequent testing include budget constraints, the complexity of integrating with existing systems, and a lack of specialized internal expertise.
Many recovery plans are developed on paper but are rarely executed outside of highly controlled exercises, if at all. Reflecting the current threat landscape, both Gartner and the National Institute of Standards and Technology (NIST) have broadened their guidance to explicitly recognize recovery as a critical and necessary component of identity security, on par with identification, protection, detection, and response.