Disruptive events can affect an organization in multiple ways, but with the right strategy and practice CISOs can minimize downtime and accelerate the recovery process.

On the morning of August 30, 2023, a fire broke out at a data center operated by Belgian telecom giant Proximus. Soon, emergency numbers 112, 101, and 100, which are used to call the ambulance, the firefighters, and the police, became unreachable. The situation lasted for almost half an hour before these essential services were restored.

Every minute an organization is offline can be expensive and can even cost human lives. And while ransomware attacks get most of the headlines, natural disasters can be devastating too. Fires, electrical failures, earthquakes, hurricanes, and even missile strikes in war-torn places like Ukraine can knock down data centers. Often, there’s no way of predicting when such events will occur, yet some risks can be mitigated if the right plans are in place. Preparing for natural disasters, however, is different from dealing with ransomware attacks, because the type of damage and the priorities are different.

The difference between disaster and ransomware recoveries

Disaster recovery typically focuses on physical infrastructure such as hard drives and network equipment, whereas ransomware recovery deals with data integrity and protection against cyber threats. “In a disaster, it’s quite possible that you need to replace hardware. In a cyber incident, it’s likely that you can recover the hardware, you just need to reset the device,” says Amar Ramakrishnan, vice president of product management at BackBox. Since natural disasters can affect data centers in multiple ways, organizations must develop several plans and clearly establish their priorities.
“Understanding and documenting which of the scenarios you’ll be equipped for and which will be out of scope is an important part of the disaster recovery planning process,” Ramakrishnan tells CSO.

Both natural disasters and ransomware attacks can create massive problems for companies. “While each type of attack differs, all can result in catastrophic losses that can cause businesses to shut down for a significant amount of time or cease operations completely,” says Steve Butterfield, VP of sales for EMEA at Arcserve.

Resilience should go beyond checking boxes

Many organizations approach disaster recovery and cyber incident response measures from a compliance perspective. They want to check all the required boxes, which means that sometimes “they do the bare minimum,” says Igor Volovich, vice president of compliance strategy at Qmulos. While doing this is necessary, it is not sufficient. The better approach, he suggests, would be to treat compliance requirements as a detailed guide and adopt a more holistic view based on data that is automatically collected, analyzed, and reported in real time. This involves, of course, strengthening the security posture, as well as developing or updating a thorough disaster recovery plan.

“Your plan should include your data backup strategy — including your recovery point objectives (RPOs) and recovery time objectives (RTOs) — and detailed procedures for data restoration, system recovery, and business continuity,” Butterfield says.

An effective backup solution is a must, says Butterfield, who recommends following the 3-2-1-1 strategy: keep three copies of your data (one primary and two backups), with the local copies stored in two different formats, and one copy stored offsite in the cloud or secure storage. The final 1 stands for immutable storage, where your backups are saved in a write-once-read-many format that can’t be altered or deleted.
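The 3-2-1-1 rule and the RPO/RTO objectives described above are easy to state and easy to drift away from, so a practitioner usually wants them expressed as a check that runs against the current backup inventory. The following Python is an added example, not code from the article or from any of the vendors quoted in it; the data classes, field names and the constructed inventory (dataset names, media, timestamps) are assumptions made for the illustration. It evaluates each dataset against the four parts of 3-2-1-1, compares the age of the newest backup with the RPO, and compares the measured duration of the last restore drill with the RTO.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a dataset. The field names are assumptions made for this example."""
    label: str
    medium: str                       # e.g. "disk", "tape", "object-storage"
    offsite: bool                     # kept away from the production site
    immutable: bool                   # write-once-read-many: cannot be altered or deleted
    completed_at: Optional[datetime]  # None marks the live primary copy


@dataclass(frozen=True)
class DatasetPolicy:
    """A dataset with its objectives and the copies that currently exist."""
    name: str
    rpo: timedelta                    # tolerated data loss: max age of the newest backup
    rto: timedelta                    # tolerated outage: max time to restore
    copies: Tuple[BackupCopy, ...]
    last_restore_drill: Optional[timedelta] = None  # measured duration of the latest test restore


def check_3_2_1_1(policy: DatasetPolicy) -> list:
    """Return the 3-2-1-1 violations for one dataset (an empty list means compliant)."""
    findings = []
    copies = policy.copies
    backups = [c for c in copies if c.completed_at is not None]
    # 3: one primary plus at least two backup copies
    if len(copies) < 3 or len(backups) < 2:
        findings.append("3: need a primary and at least two backup copies")
    # 2: the local copies must span at least two different media/formats
    local_media = {c.medium for c in copies if not c.offsite}
    if len(local_media) < 2:
        findings.append("2: local copies must use at least two different media")
    # 1: at least one copy held offsite
    if not any(c.offsite for c in copies):
        findings.append("1: need at least one offsite copy")
    # 1: at least one immutable copy as the last line of defense
    if not any(c.immutable for c in copies):
        findings.append("1: need at least one immutable (WORM) copy")
    return findings


def check_objectives(policy: DatasetPolicy, now: datetime) -> list:
    """Compare the newest backup's age with the RPO and the last drill with the RTO."""
    findings = []
    ages = [now - c.completed_at for c in policy.copies if c.completed_at is not None]
    if not ages:
        findings.append("RPO: no completed backup copy exists")
    elif min(ages) > policy.rpo:
        findings.append(f"RPO: newest backup is {min(ages)} old, exceeds {policy.rpo}")
    if policy.last_restore_drill is None:
        findings.append("RTO: never measured; run a timed restore drill")
    elif policy.last_restore_drill > policy.rto:
        findings.append(f"RTO: last drill took {policy.last_restore_drill}, exceeds {policy.rto}")
    return findings


def audit(policies, now: datetime) -> dict:
    """Run both checks for every dataset; a dataset with an empty list is compliant."""
    return {p.name: check_3_2_1_1(p) + check_objectives(p, now) for p in policies}


# Constructed inventory for the demo; dataset names, media and timestamps are invented.
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_POLICIES = (
    DatasetPolicy(
        name="crm-db", rpo=timedelta(hours=4), rto=timedelta(hours=8),
        copies=(
            BackupCopy("prod-san", "disk", False, False, None),
            BackupCopy("nas-snapshot", "disk", False, False, NOW - timedelta(hours=1)),
            BackupCopy("tape-weekly", "tape", False, False, NOW - timedelta(days=3)),
            BackupCopy("s3-object-lock", "object-storage", True, True, NOW - timedelta(hours=2)),
        ),
        last_restore_drill=timedelta(hours=5),
    ),
    DatasetPolicy(
        name="file-share", rpo=timedelta(hours=24), rto=timedelta(hours=24),
        copies=(
            BackupCopy("prod-nas", "disk", False, False, None),
            BackupCopy("nas-mirror", "disk", False, False, NOW - timedelta(days=2)),
        ),
    ),
)

if __name__ == "__main__":
    for dataset, findings in audit(SAMPLE_POLICIES, NOW).items():
        print(dataset, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

In the constructed inventory, "crm-db" satisfies every rule, while "file-share" has only a disk mirror that is two days old and has never been restore-tested, so the audit reports all four 3-2-1-1 gaps plus RPO and RTO findings for it. The RTO check deliberately refuses to pass a dataset whose restore time has never been measured: an RTO that exists only on paper is the situation the experts quoted here warn about.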
“Immutability differs from encryption in that there is no key, so there should be no way to read or reverse the immutability,” he says. “That gives you a last line of defense against any disaster.”

Butterfield advocates for cloud storage, which offers “unmatched scalability and flexibility.” Some cloud solutions offer rapid recovery with automated backups and replication to multiple data centers so that, even if a local disaster strikes, the data remains accessible. But, in addition to cloud, organizations can consider tape backup, which can be reliable and affordable. “Tape is an excellent option for long-term data archiving and is especially effective for offsite, air-gapped storage — whether you use a virtual or physical air gap,” Butterfield says. “Tape is also very cost-effective for large volumes of data.”

When it comes to creating the resilience strategy, Ramakrishnan recommends having separate plans for different potential crises and storing them in physical folders in the network operations center, in addition to electronic copies. “While electronic access is crucial, physical documentation provides a tangible backup and is easily accessible in situations where digital systems may be compromised,” he says.

Downtime can also be reduced if engineers are well prepared to manage incidents, whether they are natural disasters or ransomware attacks. “Make sure that the network team is involved in company disaster recovery conversations,” Ramakrishnan says. In less mature organizations, these conversations sometimes happen without a network team member present.

Priorities during an incident

The response strategy for both disasters and ransomware attacks focuses on bringing systems back online and minimizing downtime. In natural and other disasters that impact IT systems, hardware and connectivity may be lost, which makes recovery more challenging.
In such situations, “it’s common for an affected organization’s production site to be partially or completely disabled,” says Sergei Serdyuk, vice president of product management at NAKIVO.

When a disaster strikes, organizations should focus on restoring physical infrastructure, relocating operations, ensuring team safety, and re-establishing operational continuity. They should use logistics management and communication tools to coordinate response efforts. “Standard procedure invokes a failover to a dedicated disaster recovery site, which continues to support core operations until the primary site is fully recovered,” Serdyuk tells CSO.

By contrast, it’s uncommon in ransomware attacks for the targeted organization to lose its infrastructure. Instead, the damage occurs at the level of applications and data, so data recovery and cybersecurity measures should be prioritized. “In such cases, a disaster recovery site may be necessary but only with the goal of setting up an isolated recovery environment, which serves to protect data integrity, prevent ransomware reinfection, and speed up containment,” Serdyuk says.

Volovich adds that organizations should use decryption tools, forensic analysis tools, and threat intelligence platforms. They should also communicate with stakeholders about the breach and the steps taken. A mature backup and recovery strategy with reliable backups will allow for faster recovery.

Have an asset inventory and a disaster leader

Preparing for disasters requires time, resources, and attention to detail. That said, it’s not unusual for organizations to overlook certain things or underestimate others. It is essential to have a thorough inventory of all IT assets — hardware, software, data, and network resources.
“This is a critical starting point for an effective disaster recovery plan, and without knowing exactly what needs to be protected, there is a potential risk of not recovering all the essential data if a disaster strikes,” Butterfield says. His advice is to rank assets based on importance to business functions and start the risk assessment process from there. The risk assessment should be meticulous and should be seen as an ongoing process that accounts for new threats and new technologies that keep emerging.

Ramakrishnan goes a step further and recommends appointing a disaster recovery leader, a person tasked with overseeing the planning process. “The leader needs an IT background to understand the challenges, they need solid project management skills and strong business acumen,” he says. Part of their mission is to assemble a team that includes experts from each IT department as well as key stakeholders from critical business units.

The disaster recovery leader can push for robust backup and recovery procedures. “Too many companies try to restore from backup only to find that, for one reason or another, the backup hasn’t been working in a while,” Ramakrishnan says. “If there’s one thing I’d like readers to take away from this, it’s that testing your ability to restore in an emergency is a critical part of any backup strategy. If you don’t test your backups and your team’s process for restoring, you’re setting yourself up for failure.”

Serdyuk agrees that robust backup and recovery procedures are a must and that more testing should be done, in general. “They [businesses] often conduct irregular or superficial tests, missing broader scenarios like simultaneous cyberattacks, natural disasters, or power outages,” Serdyuk says. These drills should involve participants from all departments, and insights gained from each session should be used to enhance preparedness.
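The failure mode Ramakrishnan describes, a backup job that "hasn't been working in a while" and is only discovered during a real restore, is exactly what a routine restore drill catches. The Python below is an added example, not code from the article or from any vendor mentioned in it, showing the minimum shape of such a drill: record a SHA-256 manifest of the source at backup time, restore the archive into a clean directory, and compare every restored file against the manifest. The dataset, file names and the `skip` parameter (which simulates a job that silently omits a file) are constructed for the illustration; a real drill would run against a production-sized archive on a timer so the measured duration can be compared with the RTO.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Record, at backup time, the SHA-256 of every file relative to src."""
    return {p.relative_to(src).as_posix(): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path, skip=frozenset()) -> dict:
    """Write src to a tar.gz archive and return the manifest of what it should contain.

    `skip` exists only to simulate a backup job that silently omits files,
    the kind of fault a restore drill is meant to catch.
    """
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            if rel not in skip:
                tar.add(src / rel, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Restore into an empty directory and list files that are missing or altered."""
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            # Only plain files whose paths stay inside restore_dir are accepted.
            if (not member.isfile() or member.name.startswith("/")
                    or ".." in Path(member.name).parts):
                raise ValueError(f"refusing unexpected archive member {member.name!r}")
            tar.extract(member, str(restore_dir))
    problems = []
    for rel, expected in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(restored) != expected:
            problems.append(f"altered: {rel}")
    return problems


def run_drill(skip=frozenset()) -> list:
    """Constructed drill: create a tiny dataset, back it up, restore it elsewhere, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_text(
            "-- constructed sample\nINSERT INTO customers VALUES (1, 'acme');\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        archive = root / "nightly.tar.gz"
        manifest = make_backup(src, archive, skip=skip)
        restore_dir = root / "restore"
        restore_dir.mkdir()
        return restore_and_verify(archive, manifest, restore_dir)


if __name__ == "__main__":
    print("healthy backup:", run_drill() or "restore verified")
    print("faulty backup: ", run_drill(skip={"config.yaml"}))
```

The manifest is taken from the source, not from the archive, which is the point: verifying an archive against itself would pass even when the job skipped half the data. Keeping the manifest with the immutable copy also lets the same check detect a backup that was tampered with before the restore.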
Ultimately, whether there is a CISO, CIO or IT manager leading, the people who are part of the process have a crucial role in improving and executing those plans. That is why they should work well together. Ramakrishnan also recommends devising an internal communication plan that “will ensure that minimal time is lost due to the confusion that likely comes when a disaster strikes.”