Why Cyber Risk Spikes During Disasters and How to Build Resilience by Design

Disaster recovery planning has traditionally focused on infrastructure. Systems fail, environments go offline, and IT teams restore operations as quickly as possible.

But that model no longer reflects the reality organizations face today.

In a recent webinar with NetApp and Elastio, Brittney Bell (NetApp), Mike Fiorella (NetApp), and Eswar Nalamuru (Elastio) explored an increasingly common pattern. When organizations experience a disruption, whether it is a natural disaster, infrastructure outage, or operational crisis, cyber risk often increases at the exact same time.

Attackers understand that recovery periods create vulnerability. Systems are under pressure, teams are focused on restoration, and normal controls may be temporarily bypassed. The result is that disaster scenarios frequently become cyber incidents as well.

This shift is forcing organizations to rethink how resilience is designed.

Instead of treating disaster recovery and cybersecurity as separate functions, organizations are beginning to design recovery strategies that assume both types of events may occur simultaneously.

When crises collide

Brittney Bell described this challenge using the concept of a “polycrisis,” where multiple forms of disruption occur together rather than in isolation.

Natural disasters alone can cause widespread operational impact. Infrastructure damage, power outages, and supply chain disruptions can force organizations into emergency recovery mode. But during those same moments, cyber attackers may also exploit the chaos.

In fact, research shows that a large percentage of organizations affected by natural disasters also experience cyber attacks at the same time.

Examples from recent history illustrate the scale of impact that disasters can have on infrastructure and digital operations:

• Major hurricanes that disrupted utilities and transportation infrastructure for weeks
• Flooding events that took critical systems offline
• Storms that impacted data centers and shut down major digital services

These events demonstrate why resilience cannot be limited to infrastructure recovery. Organizations must also assume that security threats will emerge when systems are already under stress.

As Bell emphasized, resilience today is not just an IT concern. It is a business survival strategy.

Disaster recovery and cyber recovery are not the same

A key theme of the discussion was the difference between traditional disaster recovery and cyber recovery.

Eswar Nalamuru explained that many organizations still approach both scenarios using the same framework. In practice, the two require very different assumptions.

In a traditional disaster recovery scenario, the failure is usually clear. Systems may be offline or infrastructure may be unavailable, but organizations generally trust their backup data and recovery points.

Cyber recovery introduces uncertainty.

Security teams may not know whether attackers still have access to the environment, whether backups have been compromised, or which recovery point is actually safe to restore.

This changes how recovery must be executed.

Traditional disaster recovery prioritizes speed and service restoration. Cyber recovery requires precision. Teams must identify a clean recovery point and ensure that restoring data will not reintroduce the threat.

That investigation step is what often slows recovery efforts during ransomware incidents.

Without confidence in backup integrity, organizations may spend days or weeks determining which recovery point can be trusted.

The three pillars of modern resilience

The speakers outlined a simple framework that organizations can use to bridge the gap between disaster recovery and cyber recovery.

Effective resilience strategies now require three capabilities working together.

Availability

Systems and data must remain accessible even during disruption. High availability architectures and geographic redundancy ensure that applications can continue operating if a primary location fails.

Isolation and immutability

Backup data must be protected from tampering or deletion. Features such as immutable storage and write-once policies help ensure attackers cannot alter or destroy recovery data.

Integrity

Organizations must be able to verify that their backups are clean and recoverable. Without validation, backups may contain encrypted or corrupted data that will fail during recovery.

While many organizations already invest heavily in availability and immutability, integrity validation is often the missing layer.

The storage foundation for resilient recovery

Mike Fiorella discussed how many organizations are using Amazon FSx for NetApp ONTAP as a foundation for modern recovery strategies.

FSx for NetApp ONTAP, often referred to as FSxN, is a managed storage service in AWS that incorporates NetApp’s ONTAP data management platform.

Several capabilities make it well suited for resilient architectures.

High availability deployments allow data to remain accessible even if a failure occurs within a single availability zone.

Snapshot technology enables fast, space efficient point-in-time recovery of data.

SnapMirror replication allows organizations to maintain synchronized copies of data in secondary AWS regions, enabling rapid failover if a primary region becomes unavailable.

SnapLock adds immutability by allowing organizations to enforce write-once retention policies that prevent modification or deletion of protected data.

Together, these capabilities allow organizations to create layered recovery strategies that include local snapshots, cross-region replication, and long-term protected backups.

The integrity challenge in ransomware recovery

Even with strong storage and backup protections in place, a critical question often remains unanswered during ransomware incidents.

Is the data clean?

Eswar Nalamuru explained that modern ransomware campaigns increasingly target backup infrastructure. If attackers can encrypt both production systems and backups, they remove the organization’s ability to recover independently.

Attack techniques have also become far more sophisticated. Many modern ransomware variants use approaches designed to evade traditional detection tools.

Examples include:

• Fileless attacks that operate entirely in memory
• Encryption techniques that modify only portions of files
• Obfuscation techniques that preserve file metadata
• Polymorphic malware variants that continuously change signatures

These techniques make it difficult for traditional security tools to detect encryption activity before damage occurs.

To address this challenge, Elastio focuses on validating the integrity of backup data. Its platform scans stored data to detect ransomware encryption patterns and identify clean recovery points that organizations can safely restore.

The goal is simple but critical. When a crisis occurs, recovery teams should know exactly where to recover from.

Designing resilience for the real world

The central lesson from the webinar is that recovery planning must evolve.

Organizations can no longer assume that disasters and cyber attacks occur independently. Real world disruptions often combine both.

Building resilient architectures requires integrating infrastructure availability, immutable data protection, and backup integrity validation into a single strategy.

When these elements work together, organizations can recover faster and with greater confidence, even under the most challenging conditions.

Join us for the “Building for the Breach” workshops

To continue the conversation, Elastio, NetApp, and AWS are hosting a series of in-person workshops focused on ransomware resilience and recovery readiness.

The Building for the Breach workshops explore how organizations can prepare for ransomware attacks before they occur.

Each session includes:

• An executive discussion on modern cyber resilience strategies
• A technical walkthrough of ransomware attack and recovery scenarios
• Hands-on demonstrations of technologies that help validate recovery points and accelerate recovery

Upcoming workshops are scheduled in cities including New York, Boston, Chicago, and Toronto.

If you are responsible for disaster recovery, cybersecurity, or infrastructure resilience, these sessions provide an opportunity to see how modern recovery strategies work in practice and how organizations can strengthen their readiness for future disruptions.

You can learn more about the workshops and upcoming dates through the Elastio events page.