---
title: "Cyber Resilience vs. IT Security: Why Both Are Necessary"
date: 2026-05-08T14:25:00+02:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/cyber-resilienz-vs-it-sicherheit-warum-beides-nötig-ist"
section: "Entries: Articles"
---
### 3 Principles of Cyber Resilience [\#](#3-principles-of-cyber-resilience "3 Principles of Cyber Resilience")

A sound cyber resilience strategy rests on three principles:

#### 1. Assume Breach [\#](#1-assume-breach "1. Assume Breach")

**The concept:** “Not if, but when will we be attacked?”

This is not pessimism. It is realism. Roughly 7 in 10 organizations report at least one ransomware attack per year (Veeam 2025). Every preventive measure matters, but no single measure provides 100% protection.

Assume Breach means: build your architecture as if your network is already compromised. This has consequences:

- **Zero Trust:** No implicit trust based on network position. Every authentication is verified, every authorisation is granular.
- **Micro-segmentation:** Network zones isolated from one another. An intruder in Zone A cannot simply move to Zone B.
- **Air gap:** Backup infrastructure physically or galvanically separated from production infrastructure.
- **Separate admin contexts:** Admin accounts have access only to their own systems, not to all.

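The "separate admin contexts" point is easy to state and hard to keep true over time, because grants accumulate. The following audit is an added example, not FAST LTA's code and not from the original article: it takes a constructed flat export of (account, context, role) grants, the shape an AD group dump or IAM export would give you, and checks the two rules stated above: no admin identity holds admin rights in more than one context, and the backup context has its own dedicated admin identity that exists nowhere else. Account names, context names and the role list are assumptions.

```python
"""Admin-context separation audit for the Assume Breach principle.

Added example (not FAST LTA's code). Input is a constructed flat export of
(account, context, role) grants. Two checks from the article: no admin
identity may hold admin rights in more than one context, and the backup
context must have its own dedicated admin identity that exists nowhere else.
"""
from collections import defaultdict

# Constructed sample export. Contexts and accounts are illustrative names.
GRANTS = [
    ("alice.admin", "prod-ad",    "Domain Admins"),
    ("alice.admin", "backup",     "Backup Operators"),  # spans prod and backup: finding
    ("bob.vadm",    "hypervisor", "Administrator"),
    ("bob",         "prod-ad",    "Domain Users"),      # ordinary user, ignored
    ("bkp-admin",   "backup",     "Backup Admin"),      # dedicated backup identity
    ("carol.admin", "prod-ad",    "Domain Admins"),
    ("svc-backup",  "prod-ad",    "Domain Admins"),     # backup service account with prod admin
    ("svc-backup",  "backup",     "Backup Admin"),
]

# Roles the audit treats as administrative (assumed list; tailor to your directory).
ADMIN_ROLES = {"Domain Admins", "Enterprise Admins", "Administrator",
               "Backup Admin", "Backup Operators"}


def admin_contexts(grants):
    """Map each account to the set of contexts in which it holds an admin role."""
    ctx = defaultdict(set)
    for account, context, role in grants:
        if role in ADMIN_ROLES:
            ctx[account].add(context)
    return dict(ctx)


def find_cross_context_admins(grants):
    """Accounts whose admin rights span more than one context (the rule violated here)."""
    return sorted((acct, sorted(c)) for acct, c in admin_contexts(grants).items() if len(c) > 1)


def dedicated_backup_admins(grants, backup_context="backup"):
    """Accounts that are admin in the backup context and in no other context."""
    return sorted(acct for acct, c in admin_contexts(grants).items() if c == {backup_context})


def audit(grants, backup_context="backup"):
    """Full audit: passes only if no identity spans contexts and a dedicated backup admin exists."""
    cross = find_cross_context_admins(grants)
    dedicated = dedicated_backup_admins(grants, backup_context)
    return {
        "cross_context_admins": cross,
        "dedicated_backup_admins": dedicated,
        "passed": not cross and bool(dedicated),
    }


if __name__ == "__main__":
    for key, value in audit(GRANTS).items():
        print(f"{key}: {value}")
```

Run it against a real export and the `cross_context_admins` list is the remediation queue; the usual offender is a backup service account that was also granted production domain admin rights "temporarily".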
#### 2. Isolated Recovery Capability [\#](#2-isolated-recovery-capability "2. Isolated Recovery Capability")

**The concept:** “We can restore systems from a known-clean state without the attacker re-compromising them.”

This is technically far more demanding than it sounds. If you bring a server back from an online backup into your production network and that network is still compromised, your recovery is worthless: the attacker will re-infect the server before you can use it.

Isolated recovery means:

- **Tier 2 (air gap):** A backup tier with physical or galvanic isolation from the production network. Not continuously synchronised. On a defined schedule, a copy is taken offline.
- **Isolated recovery environment:** A separate network segment where you can restore, scan, and verify systems before returning them to production.
- **No return connection:** During recovery, the restored server does not automatically communicate with production AD or file servers. It remains isolated until verified.

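The "no return connection" rule is worth checking before the first restore rather than after. The following is an added example, not FAST LTA's code and not from the original article: a first-match rule evaluator, the way most packet filters work, run over a constructed allowlist for the isolated recovery segment. It flags any allow rule that would let a host in the recovery segment reach a production network (here the assumed AD and file-server ranges) and confirms the rule set ends in a default deny. All addresses, the rule shape and the offending LDAP rule are constructed assumptions.

```python
"""Pre-restore check that a recovery segment has no return path to production.

Added example (not FAST LTA's code). Addresses and rules below are constructed.
Rules are (action, src, dst, proto, port); "any" and None are wildcards.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed production ranges the restored host must not be able to reach (AD, file servers).
PRODUCTION_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "10.20.0.0/16")]
# Constructed isolated recovery segment.
RECOVERY_NET = ipaddress.ip_network("10.250.0.0/24")

# Constructed rule set for the recovery segment, first match wins.
RULES = [
    ("allow", "10.250.0.5/32", "10.250.0.0/24", "tcp", 22),    # scanner/verification host may SSH in
    ("allow", "10.250.0.0/24", "10.10.0.0/16",  "tcp", 389),   # LDAP back to production AD: violation
    ("allow", "10.250.0.0/24", "10.250.0.0/24", "any", None),  # traffic within the segment
    ("deny",  "any",           "any",           "any", None),  # explicit default deny
]


def _net(spec):
    return ANY if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _matches(rule, src, dst, proto, port):
    _action, rsrc, rdst, rproto, rport = rule
    if src not in _net(rsrc) or dst not in _net(rdst):
        return False
    if rproto != "any" and rproto != proto:
        return False
    return rport is None or rport == port


def classify_flow(rules, src, dst, proto, port):
    """First-match evaluation; implicit deny if no rule matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule, src, dst, proto, port):
            return rule[0]
    return "deny"


def find_return_paths(rules, recovery_net, production_nets):
    """Allow rules whose source overlaps the recovery segment and whose destination
    overlaps any production network: each one is a return connection."""
    hits = []
    for index, rule in enumerate(rules):
        action, rsrc, rdst, *_ = rule
        if action != "allow" or not _net(rsrc).overlaps(recovery_net):
            continue
        if any(_net(rdst).overlaps(prod) for prod in production_nets):
            hits.append((index, rule))
    return hits


def has_default_deny(rules):
    return bool(rules) and rules[-1] == ("deny", "any", "any", "any", None)


def recovery_environment_is_isolated(rules, recovery_net, production_nets):
    """Gate to run before restoring: default deny present and no return path to production."""
    return has_default_deny(rules) and not find_return_paths(rules, recovery_net, production_nets)


if __name__ == "__main__":
    for index, rule in find_return_paths(RULES, RECOVERY_NET, PRODUCTION_NETS):
        print(f"return path in rule {index}: {rule}")
    print("isolated:", recovery_environment_is_isolated(RULES, RECOVERY_NET, PRODUCTION_NETS))
```

The check is deliberately pessimistic: a rule is flagged whenever its ranges overlap production at all, because a restored domain-joined server will try to contact a domain controller on its own, and one permitted port is enough to reconnect it.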
#### 3. Verified Recoverability [\#](#3-verified-recoverability "3. Verified Recoverability")

**The concept:** “We test not just the theory, but the reality.”

This is where many organisations fail. They say “We have a backup system” but they have never run a real recovery drill. When a crisis arrives, they discover:

- The backup hardware is damaged
- The recovery software is incompatible with the current version
- The recovery runbook is outdated
- Admin credentials no longer work

Verified recoverability means:

- **Quarterly recovery tests:** At minimum 4 times per year, run a real recovery (or a simulation where production cannot be disrupted).
- **RTO measurement:** Measure actual recovery time at every test. Not estimated, tested.
- **Integrity verification:** After recovery, not just “system boots” but “data is intact, no corruption, applications function.”
- **Auditable:** Document test results. This is later your proof, including under NIS2 and DORA, that you can actually recover. DORA (Regulation (EU) 2022/2554) makes regular digital operational resilience testing an explicit legal requirement for financial entities.

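The three measurable items in that list (RTO, integrity, application function) can be produced by the drill itself rather than written up afterwards. The following is an added example, not FAST LTA's code and not from the original article: a manifest of file hashes is taken at backup time, the drill times the restore, compares the restored tree against the manifest, runs an application check, and emits one auditable record with a PASS/FAIL verdict. The sample tree, the simulated restore (optionally with one altered and one missing file) and the 60-second RTO target are constructed for the demonstration.

```python
"""Recovery drill that measures RTO, verifies integrity and records the result.

Added example (not FAST LTA's code). The production tree, the restore step and
the RTO target in simulate_drill() are constructed for the demonstration; in a
real drill restore_fn would trigger the backup system and app_check_fn would
exercise the application.
"""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root; taken at backup time and kept with the backup set."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare the restored tree against the manifest: missing, corrupted, unexpected files."""
    restored = build_manifest(restored_root)
    shared = manifest.keys() & restored.keys()
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupted": sorted(k for k in shared if manifest[k] != restored[k]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }


def run_drill(manifest: dict, restore_fn, app_check_fn, rto_target_s: float) -> dict:
    """Time the restore, verify data and application, return one auditable record."""
    started = time.monotonic()
    restored_root = restore_fn()
    measured_rto = time.monotonic() - started
    integrity = verify_restore(manifest, restored_root)
    app_ok = bool(app_check_fn(restored_root))
    passed = not any(integrity.values()) and app_ok and measured_rto <= rto_target_s
    return {
        "timestamp_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "measured_rto_seconds": round(measured_rto, 3),
        "rto_target_seconds": rto_target_s,
        "integrity": integrity,
        "application_check": app_ok,
        "result": "PASS" if passed else "FAIL",
    }


def simulate_drill(tamper: bool) -> dict:
    """Constructed demonstration: a three-file 'production' tree and a restore that is
    either faithful or silently damaged (one file altered, one file missing)."""
    work = Path(tempfile.mkdtemp(prefix="drill-"))
    src = work / "prod"
    (src / "db").mkdir(parents=True)
    (src / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'ok');\n")
    (src / "config.ini").write_text("[app]\nmode=production\n")
    (src / "README.txt").write_text("restore me\n")
    manifest = build_manifest(src)

    def restore_fn():
        dst = work / "restored"
        shutil.copytree(src, dst)
        if tamper:  # what a damaged or attacker-touched backup looks like after restore
            (dst / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'corrupt');\n")
            (dst / "README.txt").unlink()
        return dst

    def app_check_fn(root):
        cfg = root / "config.ini"
        return cfg.exists() and "mode=production" in cfg.read_text()

    try:
        return run_drill(manifest, restore_fn, app_check_fn, rto_target_s=60)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for tamper in (False, True):
        print(simulate_drill(tamper))
```

The point of the tampered run is that the application check alone passes (the config file is fine) while the data is not; "system boots" would have counted this as a success. Store each record with the quarter's test evidence; the manifest itself must live with the air-gapped or WORM copy, not only in production, or the attacker can align both.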
### Architecture Implications [\#](#architecture-implications "Architecture Implications")

These three principles raise the bar compared with general IT resilience:

- **Backup tiers:** General resilience often works with 2 to 3 tiers (online plus archive). Cyber resilience needs an architecture with an online tier, an air gap tier, an immutable WORM archive tier, and a geo-redundant copy.
- **Backup synchronisation:** Continuous, automated replication is fine for availability, but the air gap tier must be separated from the network on a schedule, not permanently connected.
- **Recovery environment:** General DR restores into the production network. Cyber resilience restores into an isolated recovery environment first.
- **Admin segmentation:** One universal admin context is replaced by multiple segregated admin contexts, including a dedicated backup admin identity.
- **Recovery testing:** Annual tests become quarterly, documented tests.
- **Identity and access:** Directory-based trust gives way to Zero Trust with continuous verification.

### Cyber Resilience Is Not Cheaper Than IT Security [\#](#cyber-resilience-is-not-cheaper-than-it-security "Cyber Resilience Is Not Cheaper Than IT Security")

An important point: cyber resilience costs real money. A sound cyber resilience infrastructure costs noticeably more than standard IT resilience, because it adds dedicated components:

- Air-gapped secondary storage for backups (Silent Brick System, with the SB Pro variant for a physical air gap or SB Max Air for galvanic separation)
- Hardware WORM archive for immutable long-term retention (Silent Cubes)
- A separate recovery environment
- Recovery testing effort and documentation
- Training

This is not wasted money. It is insurance against ransomware. The alternative is starker: in the Sophos State of Ransomware 2025 report, 49% of organizations whose data was encrypted paid a ransom, and the average recovery cost excluding any ransom was about USD 1.5 million. A working cyber resilience architecture takes both numbers off the table for your organization.

### Frequently Asked Questions [\#](#frequently-asked-questions "Frequently Asked Questions")

**Can cyber resilience function without IT security?** No. Without prevention, you will be attacked so frequently that even strong cyber resilience is overwhelmed. Both are necessary.

**Is cyber resilience only for large enterprises?** No. An SME with 100 employees and critical data should also implement cyber resilience, scaled to size. NIS2 explicitly covers mid-sized essential and important entities.

**How does a cyber resilience architecture differ from disaster recovery?** DR treats all failures equally. Cyber resilience assumes the attacker acts intelligently and attempts to sabotage recovery.

---

### Further Resources [\#](#further-resources "Further Resources")

- [IT Resilience Guide](/en/blog/it-resilienz-leitfaden/)
- [Assume Breach Architecture Principle](/en/blog/assume-breach-architekturprinzip/)
- [Isolated Recovery Environment](/en/blog/isolated-recovery-environment/)

### Ransomware

Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware)

### IT Resilience

IT resilience is the ability of an IT infrastructure to remain functional under adverse conditions — from cyber attacks through hardware failures to natural disasters — or to restore functionality within a defined timeframe so that critical business processes are maintained.

[Learn more →](https://www.fast-lta.de//en/glossary/it-resilience)

### Disaster Recovery

Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) with maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage.

[Learn more →](https://www.fast-lta.de//en/glossary/disaster-recovery)


### DORA

DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting.

[Learn more →](https://www.fast-lta.de//en/glossary/dora)


### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

