Disaster Recovery Vs. Cyber Recovery – What’s the Difference?

Posted February 13, 2025 by Kevin Finch 

I’ve had several conversations in the past few weeks discussing the differences between Cyber Recovery and a traditional Disaster Recovery (DR) program, so I figured it was a good time to go ahead and write a little about it.

Traditional Disaster Recovery

Just about everybody is familiar with traditional Disaster Recovery, and it’s the sort of recovery method that has been available to businesses for decades.  It definitely has its place in the business world, and it has tremendous value when you find yourself up against the type of problem that a traditional Disaster Recovery program was designed to solve – some sort of physical disruption of the business.

If you find yourself in a position where your primary data center is unavailable and you need to restore your data from a backup copy, or if you want to be prepared for natural disasters, widespread hardware failures, or power outages, then a traditional Disaster Recovery program is the ticket.  You take a recent copy of your data from your archive, restore it onto fresh hardware, and point your users to your freshly recovered system.  If you want to test your Disaster Recovery plans, you just restore a copy of your data and see if everything is there.  Because this sort of Disaster Recovery process has existed for a very long time, most everyone is familiar with it, and regulators and auditors alike will ask for evidence of planning, testing, and all the other trappings of a mature, well-managed program.

Cyber Recovery

So, how is that different from Cyber Recovery? Well, Cyber Recovery is the process of recovering from data breaches, ransomware and other sorts of malicious digital attacks.

Cyber Recovery has its own set of unique challenges. For the past several years, Cyberattacks have generally involved some type of intentional data corruption, so data integrity issues present problems in Cyber Recovery far beyond what you might find in a traditional Disaster Recovery situation.  Cyberattacks often have the potential for ongoing threats to your business as well, since attackers often leave backdoors behind to make future attacks easier. There is also the added problem of determining the scope and impact of data recovery, which often requires some sort of forensic investigation to ascertain.  Incident response is handled differently for Cyberattacks, because considerations need to be made for containing the attack in addition to determining its scope and impact prior to data recovery.  As if that wasn’t complicated enough, it’s generally advisable to have a secure isolated recovery environment available so that systems can be restored and tested for integrity prior to putting them back into production.  If you’re going to all the trouble to restore your systems, you don’t want to be restoring corrupted data that can reinfect your environment.

Here are some key differences between the two approaches to help illustrate:

  1. The Nature of the Threat – Traditional DR is aimed at recovering from natural or accidental disruptions.  Cyber Recovery is aimed at recovering from intentional, evolving threats.
  2. The Speed of Detection – Physical disasters tend to be immediately apparent.  Cyberattacks are sometimes left undetected for weeks or months as bad actors wait for the worst possible time to inform you that they’ve infected your systems.
  3. The Complexity of Recovery – Traditional DR involves restoring trustworthy archival backups to an alternative site and/or activating secondary systems to take over the workload.  Cyber Recovery requires data integrity validations, and may involve the removal of malware.
  4. The Teams Involved – Traditional Disaster Recovery primarily falls on the shoulders of IT and facilities teams.  Cyber Recovery will require collaboration between IT and information security at a minimum, and may even involve legal and executive leadership.
  5. The Documentation and Reporting – Traditional Disaster Recovery will generally focus on operational reporting once systems are recovered.  Cyber Recovery will generally require much more detailed forensic reports, and will likely require regulatory and audit disclosures once the business has recovered from the attack.
  6. The Recovery Timeframes – Traditional Disaster Recovery programs often have a higher tolerance for data loss and system downtime; Recovery Point Objectives (RPOs) are often measured in hours and Recovery Time Objectives (RTOs) are often measured in days.  Given the nature of Cyberattacks and the way that they can move through an environment, robust Cyber Recovery programs generally deal in much shorter timeframes; RPOs are often measured in minutes, and RTOs are generally measured in hours.
  7. The Implementation – A traditional Disaster Recovery program could be started on a shoestring budget, and the tools involved are simplistic enough these days to be handled by any competent System Administrator (or you can learn the basics in under 4 hours).  Traditional DR Plans are also fairly static.  Cyber Recovery tools, particularly those that support secure isolated recovery environments and automated recovery testing, are much more complex to implement and configure, and recovery plans are accordingly more complex.  Generally speaking, Cyber Recovery tools are also going to need more storage (and faster storage) if you want to unlock their highest capabilities.

Challenges and Pitfalls

With those differences in mind then, I think it’s good to mention the challenges and pitfalls that businesses often run into in managing either a traditional Disaster Recovery program, or a Cyber Recovery program.  Traditional Disaster Recovery programs often don’t give timely attention to keeping their plans or infrastructure up to date.  Many Disaster Recovery programs also put too much faith in the adequacy of their plans, underestimating the scale and time involved in recovery efforts, and not testing plans adequately or consistently.  (This article mentions how 58% of survey respondents test their plans once a year, or less.)

Plan adequacy and consistency is also an issue for Cyber Recovery, but additional steps need to be taken to plan for how the business will respond to the incident as a whole. Cyber Recovery is a more complex process than a traditional Disaster Recovery, and incident management planning is more critical for good results.  Additionally, backups are almost universally targeted as a part of cyber-attacks, so backup copies of data need to be stored in some sort of disconnected or immutable manner so they will be available for use in recovery.
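
To make the contrast concrete, here is an added example (not from the original post or any product) of how restore-point selection changes: a traditional DR restore takes the newest copy, while a Cyber Recovery restore takes the newest copy that predates the estimated compromise and still matches the hash manifest recorded at backup time. The catalog layout, backup IDs, file paths and compromise date are all constructed assumptions, and the manifest is assumed to live in immutable storage so an attacker cannot rewrite it.

```python
import hashlib
from datetime import datetime

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_backup(files: dict, manifest: dict) -> list:
    """Compare restored bytes to the manifest; an empty list means a match."""
    findings = []
    for path, expected in manifest.items():
        if path not in files:
            findings.append(("missing", path))
        elif sha256(files[path]) != expected:
            findings.append(("modified", path))
    findings += [("unexpected", p) for p in files.keys() - manifest.keys()]
    return sorted(findings)

def choose_restore_point(catalog: list, earliest_compromise: datetime):
    """Newest backup taken before the compromise whose contents verify."""
    rejected = {}
    for b in sorted(catalog, key=lambda b: b["taken"], reverse=True):
        if b["taken"] >= earliest_compromise:
            rejected[b["id"]] = "taken after estimated compromise"
        elif findings := verify_backup(b["files"], b["manifest"]):
            rejected[b["id"]] = findings
        else:
            return b["id"], rejected
    return None, rejected

# Constructed sample catalog (hypothetical IDs, paths and contents).
def _backup(bid, taken, files, tamper=None):
    manifest = {p: sha256(d) for p, d in files.items()}  # recorded at backup time
    return {"id": bid, "taken": taken, "manifest": manifest,
            "files": {**files, **(tamper or {})}}         # what is on disk now

CLEAN = {"db/orders.dat": b"orders-v1", "app/config.ini": b"mode=prod"}
CATALOG = [
    _backup("bk-0101", datetime(2025, 1, 1), CLEAN),
    _backup("bk-0108", datetime(2025, 1, 8), CLEAN,
            tamper={"db/orders.dat": b"\x00corrupted"}),
    _backup("bk-0115", datetime(2025, 1, 15), CLEAN),
    _backup("bk-0122", datetime(2025, 1, 22), CLEAN),
]
EARLIEST_COMPROMISE = datetime(2025, 1, 12)  # assumed forensic finding

if __name__ == "__main__":
    chosen, rejected = choose_restore_point(CATALOG, EARLIEST_COMPROMISE)
    print("restore from:", chosen)
    for bid, reason in rejected.items():
        print("rejected", bid, "->", reason)
```

In this constructed catalog the two newest copies are skipped because they postdate the compromise, the next one fails verification, and the restore falls back to the oldest copy, which is why dwell time pushes the real recovery point further back than the backup schedule alone would suggest.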

I’m not going to say that there is a “one size fits all” approach to handle all the needs of both traditional Disaster Recovery and Cyber Recovery.  However, a well-run Resiliency Program that has taken appropriate measures to respond to a cyber-attack should have no problem responding to the type of physical incident that a traditional DR is able to recover from.  Accommodating your Cyber Recovery strategy to include some of the features inherent in traditional Disaster Recovery programs (such as data archiving and long term data retention) is fairly simple to do and will make the Cyber Recovery solution that much more valuable.

Worried if your current Disaster Recovery solution will stand up to the rigors of a Cyber Recovery? Not sure if you’re getting everything you can out of your current data recovery solution? Sayers is here to help.  Our team has helped dozens of companies improve their Cyber Recovery readiness, and we can help your business too. 
