New research from Quest Software reveals a critical blind spot in UK business continuity planning: only 25% of organisations regularly test their ability to recover identities after a cyber attack. This gap transforms manageable security incidents into extended business disasters, as companies struggle to restore employee access to essential systems.
Whilst most businesses invest heavily in multi-factor authentication and endpoint protection, they overlook the fundamental question: what happens when attackers compromise your Active Directory or identity provider? The answer, for three-quarters of organisations, is an expensive lesson learned during a real incident.
The Identity Recovery Paradox
Modern security architecture creates an identity dependency paradox. Organisations deploy sophisticated security tools requiring authenticated access to manage and restore systems, yet these same tools become inaccessible when identity systems fail. During ransomware attacks targeting domain controllers or cloud identity providers, IT teams often discover they cannot access the very security platforms needed to assess and remediate the breach.
The research highlights this disconnect: whilst 89% of organisations conduct disaster recovery testing, only one quarter specifically test identity system restoration. This leaves a dangerous gap between theoretical recovery plans and practical execution under pressure.
The UK Regulatory Reality
For UK businesses, this oversight carries regulatory implications beyond operational disruption. Under GDPR, organisations must demonstrate appropriate technical and organisational measures, including the ability to restore data availability after incidents. The ICO expects businesses to recover "in a timely manner" – difficult to achieve when identity systems remain compromised.
Similarly, firms subject to operational resilience requirements from the FCA or PRA must prove they can maintain critical services during severe disruption. Identity system failure represents a single point of failure that can cascade across all business operations, making recovery testing essential for regulatory compliance.
Beyond Technical Recovery
Identity recovery extends beyond restoring servers and databases. Modern attacks target privileged accounts, service accounts, and federated trust relationships that underpin cloud services and third-party integrations. Without comprehensive testing, organisations cannot validate their ability to rebuild these complex authentication chains whilst maintaining security boundaries.
The research indicates that organisations with mature Identity Threat Detection and Response (ITDR) capabilities recover 40% faster from identity-related incidents. This translates directly to reduced business impact: every hour of extended downtime costs UK SMEs an average of £8,500 in lost productivity and revenue.
Building Resilient Identity Recovery
Effective identity recovery testing requires moving beyond annual exercises toward regular validation of specific scenarios. Organisations should test restoration from offline backups whilst maintaining proper segregation of privileged accounts. This includes validating emergency access procedures that bypass compromised identity providers whilst preserving audit trails.
Successful programmes integrate identity recovery into broader business continuity testing, ensuring communication plans account for scenarios where standard collaboration tools remain inaccessible. They also validate dependencies between identity systems and critical business applications, identifying recovery sequence requirements often overlooked in theoretical planning.
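The dependency validation described above, and the identity dependency paradox from earlier in the article, can be checked mechanically before an exercise. The Python below is an added example, not part of the Quest Software research; the system names and the dependency map are constructed for illustration.

```python
from graphlib import CycleError, TopologicalSorter

# Constructed inventory (all names hypothetical): each system maps to what
# must already be working before it can be restored or signed in to.
DEPENDS_ON = {
    "offline_ad_backup": [],
    "break_glass_accounts": [],
    "domain_controllers": ["offline_ad_backup", "break_glass_accounts"],
    "cloud_idp": ["domain_controllers"],
    "backup_console": ["cloud_idp"],
    "edr_console": ["cloud_idp"],
    "email_and_chat": ["cloud_idp"],
    "erp": ["cloud_idp", "domain_controllers"],
}

# Same estate, except the AD backup can only be reached through a backup
# console that itself needs single sign-on: the paradox described earlier.
PARADOX = dict(DEPENDS_ON, offline_ad_backup=["backup_console"])


def recovery_waves(depends_on):
    """Group systems into ordered waves; raises CycleError on a loop."""
    sorter = TopologicalSorter(depends_on)
    sorter.prepare()  # fails here if the plan contains a circular dependency
    waves = []
    while sorter.is_active():
        ready = sorted(sorter.get_ready())  # everything restorable right now
        waves.append(ready)
        sorter.done(*ready)
    return waves


def circular_dependency(depends_on):
    """Return one dependency loop as a list of names, or None if none exists."""
    try:
        recovery_waves(depends_on)
    except CycleError as err:
        return err.args[1]  # graphlib reports the loop, first node repeated last
    return None


if __name__ == "__main__":
    for number, wave in enumerate(recovery_waves(DEPENDS_ON), start=1):
        print(f"wave {number}: {', '.join(wave)}")
    print("loop in paradox estate:", " -> ".join(circular_dependency(PARADOX)))
```

A loop that passes through the identity provider means the written plan cannot be executed as drafted, which is the finding a recovery test should surface before a real incident does.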
The Board-Level Imperative
Boards should mandate quarterly identity recovery testing as a standard governance requirement, not an IT afterthought. This testing must simulate realistic attack scenarios, including simultaneous compromise of primary and backup identity systems. The results should inform board risk discussions with the same weight given to financial or operational resilience testing, because identity failure can disable both within hours of an incident.

