
Cyber Recovery vs. Disaster Recovery

This article explores the differences between disaster recovery and cyber recovery to help you understand their causes, impacts, and how to prepare for each.


Data infrastructures aren’t just built for storage, performance, and scale—they’re designed for resilience. This means having the right technology and response plans in place to minimize data loss and downtime from any type of event—cyberattack, natural disaster, or otherwise. Two key areas of concern include disaster recovery in general, and, more specifically, cyber recovery. 

In this article, you’ll learn the differences between disaster recovery and cyber recovery so you can understand their causes, impacts, how to prepare for each, and what you need from a data storage solution to help you respond to disaster with speed and simplicity.

Differences Between Cyber Recovery and Disaster Recovery

The primary difference between cyber recovery and disaster recovery is what (or who) causes each event and whether purpose and intent are behind it.

Cyberattacks are disasters, too, but they’re targeted, engineered disasters that require planning and purpose to pull off. With the right technology and knowledge of cyberattack methods and trends, it’s possible to prevent or detect them. Natural disasters, on the other hand, are often unintentional and can’t always be prevented or predicted.

Cyber Recovery vs. Disaster Recovery: Cause and Scope

This key difference of intent also means the two differ in how they occur and in their impact on the business, so they require different measures and technologies to investigate, respond, and recover efficiently and effectively. For example, a targeted ransomware attack on an ecommerce site’s third-party payment portal wouldn’t need to trigger a system-wide recovery effort for the entire application and every database.

What Sort of Data Needs to Be Recovered?

In general, any data that is sensitive in nature or required for operations to resume will need to be recovered. Whether it’s sensitive information being held for ransom or a database that was accidentally deleted, data that is lost and subjects an organization to compliance fines or downtime will need to be recovered.

In a cyberattack, the types of data that need to be recovered can include:

  • Personally identifiable information (PII)
  • Proprietary information, intellectual property (IP), trade secrets, financial data, etc.
  • System backups, if targeted or encrypted during the attack

In a natural disaster, the types of data that need to be recovered can include:

  • Business data
  • Systems or system configuration data
  • Application data that powers critical, day-to-day operations so an organization can get back up and running after a physical data center outage

Preventing Attacks and Disasters in Advance

All of this translates to a final difference: how to go about preventing cyberattacks and disasters in advance. In general, there’s not much that can be done to prevent a natural disaster. In addition, data stored with public cloud providers is subject to failures and providers’ SLAs. But there are actions that can be taken in advance to help head off certain disasters and attacks and prevent these disasters from increasing in scope:

  • Anomaly detection—with AI and intrusion detection systems (e.g., SIEM and SOAR) that note abnormal or suspicious behavior
  • Log analytics—to monitor both network activity and the performance of key systems and equipment, so you can anticipate mean time to failure (MTTF), degradation, or other issues in advance
  • Network segmentation—techniques such as air gaps that isolate systems to prevent a “domino effect” if one system is breached or suffers a failure
  • Encryption—to make any compromised data or backups unusable to hackers
  • Access controls—zero trust, multi-factor authentication, and advanced permissions to ensure systems and data are only accessible to critical personnel
  • Data deletion policies—to ensure data that’s no longer needed isn’t being stored on systems unnecessarily

What Is Disaster Recovery?

Disaster recovery is how an organization regains operational status after a disaster event. In general, disaster recovery is business continuity. It’s primarily concerned with getting mission-critical data and IT infrastructure recovered and restored so operations can continue with minimal interruption, revenue loss, or reputational damage.

What Are Examples of Natural Disasters for Data Centers?

Examples of natural disasters for data centers include any event that either physically destroys the data center and its contents or disrupts the power supply required to keep systems running. These can include:

  • Environmental events such as earthquakes, floods, hurricanes, and tornadoes
  • Power grid failures
  • Equipment failures, such as rack failures
  • Cooling unit failures

Are There Man-made Disasters?

There can be man-made (or human-caused) disasters that could take out a data center or its power supply. These can include any physical accident within the data center such as: 

  • Industrial accidents such as a fire or an electrical wiring issue
  • Vehicular collisions
  • Technical disasters caused by human error such as an accidental deletion or corrupted code (malware or ransomware can also fall under this category)

How Long Does It Take to Recover from a Disaster?

How long it takes to recover from a disaster can depend on:

  • How quickly the event itself is resolved (e.g., how quickly power is restored)
  • If the organization has a backup environment to recover to and resume operations
  • Mean time to discovery (MTTD)

Note: Recovery times are often measured against recovery time objectives (RTOs), which dictate the maximum time that a system can be offline. RTOs can be adjusted based on the scope and scale of the disaster and can vary depending on the type of disaster and the systems that are affected.

What Is Cyber Recovery?

Cyber recovery is how an organization identifies, isolates, and recovers from a malicious cyberattack such as ransomware or a data breach. Cyber recovery is a specialized area of disaster recovery, leveraging many best practices of disaster recovery but with additional, advanced measures to proactively monitor for and head off attacks. 

Cyber recovery may also include more follow-up steps than disaster recovery, which is mostly concerned with getting infrastructure and operations back online. In cyber recovery, organizations are often required to undergo forensic analysis, public relations and other communications with customers and law enforcement, and regulatory steps such as isolation and quarantine of affected infrastructure.

What Are Examples of Cyber Attacks on Data Centers?

Examples of cyberattacks on data centers include:

  • Hacking, which can lead to a data breach (leaking sensitive data or PII)
  • Inside security threats or attacks, such as a rogue administrator, backdoors, etc.
  • Social engineering, to gain access to a physical data center or obtain login information
  • Ransomware attacks, using malware to extort an organization for a ransom
  • Distributed Denial of Service (DDoS) attacks, which overwhelm a data center with illegitimate requests and traffic so it cannot process legitimate requests
  • Third-party vendor or supply chain attacks, targeting vendors or partners to access a data center for attack
  • Cyber espionage, often done via advanced persistent threats (APTs), multi-pronged attacks that allow for long-term surveillance and data theft

What Are the 3 Major Types of Cybersecurity?

The three major types of cybersecurity aim to address:

How Long Does It Take to Recover from a Cyberattack?

How long it takes to recover from a cyberattack varies, but it can range from hours (if your organization has immutable snapshots and a clean recovery environment) to months. Some organizations never recover because their data was not recoverable or the cost of the attack was too high.

The time to recover from a cyberattack depends on: 

  • How quickly the attack is detected and isolated, or mean time to discovery (MTTD)
  • How far-reaching the attack was on business operations
  • How fast your restore times are—based on the speed of your underlying storage systems and backup capabilities
  • The availability of your data post-attack—were you able to quickly restore from immutable backups?
  • How quickly you can get clean storage arrays to restore to (infected arrays will likely be quarantined and off-limits for forensic investigation)
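
The factors above can be combined into a rough recovery estimate. The following is an added example, not Pure Storage code: it picks a restore point and checks each system against its RTO for a disaster and for a cyberattack. The function names, sample systems, daily snapshot schedule, and the assumption of serial restores at a constant throughput are all hypothetical.

```python
from datetime import datetime, timedelta

def pick_restore_point(snapshots, compromised_at=None):
    """Newest snapshot for a disaster; newest snapshot taken before the
    compromise for a cyberattack (later ones may hold the attacker's changes)."""
    clean = [s for s in snapshots if compromised_at is None or s < compromised_at]
    return max(clean) if clean else None

def plan_recovery(systems, snapshots, outage_at, restore_tb_per_hour,
                  compromised_at=None, detect_isolate_hours=0.0, clean_array_hours=0.0):
    """Estimate data loss and time offline per system, restoring serially by priority."""
    point = pick_restore_point(snapshots, compromised_at)
    if point is None:
        return None  # snapshot retention is shorter than the attacker's dwell time
    # Restores cannot start until the attack is isolated and clean arrays are
    # available, because infected arrays stay quarantined for forensics.
    elapsed = detect_isolate_hours + clean_array_hours
    timeline = []
    for s in sorted(systems, key=lambda s: s["priority"]):
        elapsed += s["size_tb"] / restore_tb_per_hour
        timeline.append({"name": s["name"], "online_after_h": round(elapsed, 1),
                         "meets_rto": elapsed <= s["rto_hours"]})
    data_loss_h = (outage_at - point).total_seconds() / 3600
    return {"restore_point": point, "data_loss_h": data_loss_h, "timeline": timeline}

# Constructed sample data: daily snapshots kept for 7 days, three systems.
OUTAGE = datetime(2024, 5, 10, 9, 0)
SNAPSHOTS = [datetime(2024, 5, 10, 0, 0) - timedelta(days=d) for d in range(7)]
SYSTEMS = [
    {"name": "reporting", "priority": 3, "size_tb": 40, "rto_hours": 72},
    {"name": "orders-db", "priority": 1, "size_tb": 10, "rto_hours": 8},
    {"name": "web-app", "priority": 2, "size_tb": 2, "rto_hours": 12},
]

def disaster_plan():
    # Natural disaster: no attacker, so the newest snapshot is trusted.
    return plan_recovery(SYSTEMS, SNAPSHOTS, OUTAGE, restore_tb_per_hour=5)

def cyber_plan(dwell_days=3):
    # Cyberattack: intrusion began dwell_days before the outage was noticed.
    return plan_recovery(SYSTEMS, SNAPSHOTS, OUTAGE, restore_tb_per_hour=5,
                         compromised_at=OUTAGE - timedelta(days=dwell_days),
                         detect_isolate_hours=4, clean_array_hours=6)

if __name__ == "__main__":
    for label, plan in (("disaster", disaster_plan()), ("cyber", cyber_plan())):
        print(label, plan)
```

With the same hardware and data, the cyberattack case loses more data (an older restore point) and misses the tighter RTOs because of isolation and clean-array delays; a dwell time longer than snapshot retention leaves no clean restore point at all.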


3 Things to Do Immediately After a Cyberattack

Immediately after an attack has been initiated, three things to do right away include:

  1. Contain the attack and lock down the environment.
  2. Launch your external communications and response plans. Don’t have one nailed down yet? Here’s a guide to working with your CISO to create one.
  3. Begin recovery to a clean, staged environment. Prioritize what should be recovered first to get operational.


Assess Your Risks and Cybersecurity Needs

As with all threats—cyber threats or natural disasters—the key is building resiliency into your architecture. First, assess your data storage environment’s risks and defenses against cyber threats. With Pure Storage, you can use the Pure1 Data Protection Assessment Tool and download the Ransomware Survival Kit.

The best way to ensure fast recovery times is with fast, immutable SafeMode™ snapshots by Pure Storage. This, along with our backup and restore partners and ransomware recovery SLA, can ensure your data is secure and accessible—so you can recover in days, not weeks.
