Your company most probably can't recover from a cyberattack and doesn't know it

Many organizations are probably overestimating their ability to recover from cyberattacks. Researchers from Dell have highlighted the “resilience debt,” the gap between how ready to recover from a cyberattack companies think they are, and their actual readiness. It’s bigger than most companies think and creates an extra layer of risk.
- 99% of organizations claim to have cyber resilience strategies, but 63% of IT leaders believe executives are overconfident about their actual preparedness to recover from cyberattacks.
- More than half of organizations did not recover as effectively as planned during their most recent incident.
Resilience debt accumulates when companies heavily focus on preventing attacks but fail to test and update their recovery processes. While this might sound like a problem on paper only, it can result in huge damages and financial losses.
Dell’s survey found that 99% of organizations claim to have a formal cyber resilience strategy, but 63% of IT leaders believe that executives are overconfident about their preparedness.
“That gap has a cost,” claim the researchers.
Fifty-seven percent of organizations did not recover as effectively as planned during their most recent incident or drill.
“Resilience debt is more deceptive [than security debt], because it remains hidden until the worst possible moment: when the organization actually needs to recover,” claims the study.
As per their report, recovery readiness decays unless it’s actively refreshed.
Three patterns that create resilience debt
1. As testing frequency declines, risk increases.
The more often a company tests its recovery, the lower its risk. That’s why infrequent testing, aging backups, and dependence on legacy code or outdated playbooks all contribute to security risk.
Companies that test their recovery from cyber incidents monthly or more often reach a 55% success rate, compared with just 35% for those that test less often.
2. Hack prevention overshadows a good recovery plan
“Prevention-only strategies don’t eliminate resilience debt; they accelerate it,” claims the study.
The survey found that 78% of global organizations believe that cyberattacks will be prevented and thus invest less in preparing to recover from them. This creates situations in which recovery plans are underfunded, untested, and not prioritized enough, even during times when “attackers shift upstream to compromise recovery paths directly.”
3. Backups age into “assumed trust”
The survey shows that, even though companies do tend to keep data backups, over time those backups age into “assumed trust.” Attackers are increasingly targeting backup systems: corrupting snapshots, manipulating catalogs, and exploiting configuration drift.
“Yet many organizations still treat backups as sacred and immutable, rather than as assets requiring the same types of protection from cyber threats as production systems,” claim the researchers.
What can companies do better?
The researchers suggest that cyber resilience is a competitive advantage, arguing that organizations with more mature resilience programs not only recover more quickly but also operate with greater confidence.
“They innovate more freely. They embrace transformation more aggressively. They trust their infrastructure because they’ve validated it. That’s the ultimate promise,” they claim.
In order to minimize resilience debt, organizations should take the following five steps:
- Run frequent recovery tests
- Build isolated cyber vaults
- Use automated validation and AI/ML-driven clean restore techniques
- Treat resilience as a board-level initiative
- Balance out investments between cyber prevention and recovery
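As an added illustration of the “assumed trust” problem and of the automated-validation and frequent-testing steps above, the following Python sketch checks a backup set against a manifest of digests recorded out-of-band when the backup ran, rather than trusting the backup catalog, and flags a set whose last restore test is too old. It is example code written for this article, not from Dell’s report or any product; the artifacts, catalog, manifest and the 30-day threshold are constructed sample values.

```python
import hashlib

# Constructed, hypothetical sample data: the bytes as originally written to
# backup storage, a manifest of their SHA-256 digests recorded out-of-band
# when the job ran, and the catalog as the backup software reports it today.
CLEAN_ARTIFACTS = {
    "db-2024-01.dump": b"-- db dump contents --\n",
    "configs.tar": b"tarball of service configuration\n",
}
MANIFEST = {name: hashlib.sha256(data).hexdigest() for name, data in CLEAN_ARTIFACTS.items()}
# Snapshot corruption: what is in storage now differs from what was recorded.
ARTIFACTS = dict(CLEAN_ARTIFACTS)
ARTIFACTS["db-2024-01.dump"] = b"-- db dump contents -- truncated"
# Catalog manipulation: an entry now points at a digest the manifest never saw.
CATALOG = dict(MANIFEST)
CATALOG["configs.tar"] = "0" * 64


def validate_backup(artifacts, catalog, manifest, days_since_restore_test, max_days=30):
    """Return a list of findings; an empty list means the backup set passed.

    The out-of-band manifest, not the catalog, is the source of truth: the
    catalog lives with the backup system and is what drifts or gets altered.
    """
    findings = []
    for name, expected in manifest.items():
        data = artifacts.get(name)
        if data is None:
            findings.append(f"missing: {name}")
        elif hashlib.sha256(data).hexdigest() != expected:
            findings.append(f"corrupted: {name}")
        if catalog.get(name) != expected:
            findings.append(f"catalog mismatch: {name}")
    for name in sorted(set(catalog) - set(manifest)):
        findings.append(f"unrecorded catalog entry: {name}")
    # Readiness decays: a set that has not been restore-tested recently is
    # assumed trust, not verified trust, whatever the hash checks say.
    if days_since_restore_test > max_days:
        findings.append(f"stale: last restore test {days_since_restore_test} days ago")
    return findings


def sample_findings():
    """Run the check over the constructed sample (last restore test 228 days ago)."""
    return validate_backup(ARTIFACTS, CATALOG, MANIFEST, days_since_restore_test=228)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```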