Disaster recovery (DR) is a broad approach to restoring IT systems and data after a major disruption, such as a power failure or technical fault. Cyber recovery is a specialised approach to restoring systems and data after cyber attacks, including ransomware and insider threats.
Disaster recovery has been a core part of IT strategy since the 1980s and 1990s. Cyber recovery, by contrast, is a newer discipline. It was once considered a subset of disaster recovery, but as cyber threats have become the most significant risk to organisations, it has grown into a distinct area of focus in its own right.
We now recommend that organisations prioritise cyber recovery as the foundation of their IT resilience. If you have the people, processes and technology to recover from a cyber attack, you’ll be equipped to handle the broader range of technology and geographic risks too.
What is disaster recovery?
Disaster recovery (DR) is a broad approach to restoring IT systems and data after a major disruption. It covers events like power failures, natural disasters or technical faults. Whatever the cause, the aim is to recover quickly and keep the business running.
The disruption triggers a predefined disaster recovery plan. This sets out how and when systems will be restored, based on recovery time objectives (RTOs) – the maximum acceptable downtime – and recovery point objectives (RPOs), which define how much data you can afford to lose. Recovery typically involves failing over to a secondary environment – such as a cloud platform or standby infrastructure – where critical systems can be brought back online.
Disaster recovery is designed to protect against a wide range of non-malicious threats – from human error and hardware failure to environmental events. But it doesn’t account for targeted attacks: deliberate efforts to compromise your data, disable your systems or prevent recovery altogether. That’s where cyber recovery comes in.
What is cyber recovery?
Cyber recovery is a specialised approach to restoring systems and data after cyber attacks. These aren’t accidental outages – they’re deliberate attempts to cause disruption and undermine your ability to recover, such as ransomware and insider threats.
The aim of cyber recovery is to restore safe access to systems and data after an attack – without reintroducing the threat that compromised them.
Cyber recovery must assume the worst: that attackers will go after your backups to prevent you recovering at all. If those backups are stored on the same infrastructure as production systems, a breach can expose both – allowing attackers to encrypt, delete or tamper with your backups and put your recovery at risk.
A core principle of cyber recovery is to prevent this by isolating backups from production systems – keeping them air-gapped – and protecting them through immutability and regular testing to guarantee their integrity.
Cyber recovery is widely recognised as more complex and time-consuming than disaster recovery. This is not because restoration itself is slower, but because it involves additional safeguards to ensure recovery is secure and reliable: backup validation, malware scanning, isolated recovery environments and cross-functional coordination.