In today’s threat landscape, a single ransomware attack can cripple a business for weeks, underscoring the critical importance of cyber resiliency. Attacks are becoming more common and more sophisticated, leaving businesses struggling with staggering costs and devastating downtime. Here’s a concerning reality: many organizations currently believe their recovery strategies will protect them in the event of a cyberattack. But will they? Operational Recovery, Disaster Recovery, and Cyber Recovery are all fundamentally different, and relying on the wrong approach can have serious consequences.
According to Michael Stempf, senior director of product and ecosystem strategy at Commvault, Operational Recovery is straightforward – it’s a basic restore of a deleted folder or email that typically comes from your primary copy of data. Disaster Recovery (DR) is well understood and deals with large-scale events like natural disasters or major outages that take down entire data centers. The priority is getting core systems back online quickly, even with potential data loss.
Stempf noted that neither of those scenarios involves malicious intent, but the third one – Cyber Recovery – does. “…in a cyberattack, you cannot trust anything. It’s not just about getting systems back online; it’s about ensuring the data itself is clean. That’s the most crucial thing.”
Stempf further explained, “As a best practice, Cyber Recovery requires a third copy of data to be stored off-site, ideally within another company’s infrastructure. This data must be both immutable and indelible, similar to the protection offered by Commvault Air Gap Protect.”
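As an added illustration, not Commvault’s code or any product API, here is a small Python model of the three recovery types described above and of what “immutable and indelible” means for a copy under a retention lock: a delete is refused while the lock is in force, and the lock can be extended but never shortened. The organisation names, sites and dates are constructed, and the stricter reading that the third copy must sit with a different custodian is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class BackupCopy:
    name: str
    site: str                          # data centre or cloud region holding the copy
    custodian: str                     # organisation whose infrastructure holds it
    immutable: bool                    # write-once: cannot be altered in place
    retain_until: Optional[datetime]   # indelible until this instant; None = deletable at any time

class RetentionViolation(Exception):
    """Raised when an operation would break an indelible copy's retention lock."""

def request_delete(copy: BackupCopy, now: datetime) -> bool:
    """A delete is honoured only once the retention lock has expired."""
    if copy.retain_until is not None and now < copy.retain_until:
        raise RetentionViolation(f"{copy.name} is locked until {copy.retain_until.isoformat()}")
    return True

def request_set_retention(copy: BackupCopy, new_until: datetime) -> datetime:
    """Indelible means the lock may be extended but never shortened."""
    if copy.retain_until is not None and new_until < copy.retain_until:
        raise RetentionViolation(f"cannot shorten the lock on {copy.name}")
    copy.retain_until = new_until
    return new_until

def assess_recovery_tiers(copies, our_org: str, now: datetime) -> dict:
    """Map a copy inventory onto the three recovery types: Operational, Disaster, Cyber."""
    operational = len(copies) >= 1                     # any restorable copy at all
    disaster = len({c.site for c in copies}) >= 2      # survives the loss of one site
    cyber = any(                                       # held by another custodian (assumed rule),
        c.custodian != our_org and c.immutable         # immutable, and still locked right now
        and c.retain_until is not None and c.retain_until > now
        for c in copies
    )
    return {"operational": operational, "disaster": disaster, "cyber": cyber}

# Constructed sample inventory and reference time (not real infrastructure).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    BackupCopy("primary", "dc-east", "acme", immutable=False, retain_until=None),
    BackupCopy("dr-mirror", "dc-west", "acme", immutable=False, retain_until=None),
    BackupCopy("offsite-vault", "provider-cloud", "vault-provider", immutable=True,
               retain_until=NOW + timedelta(days=90)),
]

if __name__ == "__main__":
    print(assess_recovery_tiers(INVENTORY, "acme", NOW))   # all three tiers satisfied
```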
Beyond Traditional DR: Why You Need a Cyber Recovery Plan
Disaster Recovery used to be simpler. Think two data centers mirroring each other, with occasional tests to make sure everything was in sync. But the cloud changed everything. Now, companies might have their data spread across different cloud providers like AWS and Azure, use online services like Microsoft 365, and still have their own data centers scattered around the globe. This creates a complex web of data, making disaster recovery much trickier. As Stempf points out, “Imagine trying to test your recovery plan in this scenario. It’s like managing rush-hour traffic across a sprawling city with multiple interweaving highways and intersections. How do you ensure a smooth and efficient flow of data when it’s traveling between clouds, physical servers, and online applications?”
Businesses, unfortunately, still cling to outdated Disaster Recovery plans, which is a dangerous gamble in today’s world. Why? Because companies think they’re prepared for a cyberattack since they have a DR plan, but when it happens, they are totally blindsided. Cyberattacks require a dedicated strategy that accounts for their unique characteristics – the stealth, the cunning, and the intent to exploit hidden vulnerabilities. Simply put, Disaster Recovery is structured and methodical, while Cyber Recovery is chaotic and unpredictable, demanding a specialized approach to ensure business continuity in the face of evolving threats. That’s why a dedicated Cyber Recovery Plan is crucial, one that is continuously tested and updated to stay ahead of evolving threats.
To address this complexity, Commvault created Cleanroom Recovery, a secure, isolated recovery environment in the cloud. This allows customers to take the immutable and indelible copies of data they hold and move them into a clean environment that no bad actor has ever breached. Customers test recovery plans frequently, gain valuable feedback, and conduct tabletop exercises to ensure their business is truly prepared for any cyberattack.
Stempf also highlighted that everything Commvault does is CIS (Center for Internet Security) hardened, and that the company offers the only data protection product that is FedRAMP (Federal Risk and Authorization Management Program) High certified.
When a breach occurs, a new subscription ID or tenant is spun up in Microsoft Azure, where Commvault restores the data by converting it to the Azure format: for example, converting AWS workloads to the Azure format, or converting physical machines to virtual machines and then to the Azure format, so that testing can begin.
The big problem? 24 days
The average time to recover critical systems after a cyberattack is a staggering 24 days – and that’s just to get essential operations back online. Stempf attributes this lengthy recovery time to two key factors: a lack of preparedness in the form of testing and a reluctance to share best practices or cyber incident experiences.
“I remember 20 years ago, the Joplin, Missouri, hospital got hit by an EF-5 tornado. They told us everything about the experience,” Stempf said. “‘This is what we screwed up. This is what we got right, and this is how we were able to recover,’ and everybody was able to learn about it.”
But, he said, no one wants to talk about a cyber event, because it’s a brand hit. “So we have no best practices” for stopping attacks, and no one can leverage the work someone else has done. “And so that’s why we’re at 24 days now.”
That is about to change, though, as the SEC has mandated that if you have a material breach, you must do a full debrief of everything that’s going on every four days. “Now, we’re able to finally learn what people have done, how they were attacked, and how it impacted them. What were things that they learned on the recovery?” Stempf said. “I think we’re about to see an era where if you ingest the time and energy, that 24 days is going to dramatically shrink.”
If you’re not testing, he said, that 24 days isn’t going to be reduced. That’s why a cleanroom is so important. Stempf said about 17% of all attacks are destructive, where the attackers destroy the hardware that they hit. “So how fast can you get a whole ton of servers delivered? It’s going to take weeks,” he said. “So a cleanroom, dynamically scaling, can become your new production immediately.”
This article was created by ITOps Times and Commvault.