IT Resilience

1. What does IT resilience mean? #

IT resilience is the ability of an IT infrastructure to remain operational under adverse conditions, or to restore operability within a defined timeframe. The concept goes beyond classical high availability: availability protects against individual component failures. Resilience protects against scenarios where entire systems, locations, or infrastructure layers fail simultaneously.

Resilience vs. availability vs. security #

The critical insight: Availability and security can fail. Resilience must not fail — it is the last safety net when all other layers have been breached.

Why IT resilience is now a board-level priority #

Three developments make IT resilience an executive responsibility:

1. Ransomware as an existential threat: A successful attack can cause weeks to months of operational downtime. Organizations that cannot recover do not survive.

2. Regulatory pressure: NIS2, the KRITIS umbrella law, and sector-specific regulation (BAIT, DORA) make resilience a legal obligation — with personal liability for management.

3. Supply chain dependencies: A failure at a critical supplier or cloud provider can interrupt entire value chains. Resilience must be considered beyond the organization’s own boundaries.

2. The five pillars of IT resilience #

IT resilience is not a single product or a single measure — it is an architectural principle resting on five pillars.

Pillar 1: Prevention #

Preventing attacks and failures where possible.

• Patch management and vulnerability management
• Endpoint Detection and Response (EDR)
• Network segmentation
• Zero-trust architecture
• Security awareness training

Reality check: Prevention reduces risk but does not eliminate it. Attackers often remain undetected in networks for weeks, sometimes months — many attacks are only discovered after the damage has already been done.

Pillar 2: Detection #

Identifying attacks and anomalies before maximum damage occurs.

• SIEM (Security Information and Event Management)
• Network Detection and Response (NDR)
• Anomaly detection in backup systems
• Log analysis and correlation
• ²⁴⁄₇ Security Operations Center (SOC)

Pillar 3: Response (incident response) #

Acting quickly and in a structured way when an incident occurs.

• Incident response plan with defined roles and escalation steps
• Communication plan (internal and external)
• Forensic analysis capability
• Coordination with authorities (BSI, state criminal offices)
• Documentation obligations under NIS2

Pillar 4: Recovery #

The most critical pillar: restoring systems and data within an acceptable timeframe.

• Multi-tier backup architecture with air-gap layer
• Documented Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
• Recovery runbooks for all critical systems
• Regular recovery tests (quarterly)
• Prioritized recovery sequence

Why recovery is the decisive pillar: Prevention, detection, and response can fail. Recovery is the point where it is decided whether an organization survives or not. And recovery only works when the data from which you are recovering has not also been compromised.

Pillar 5: Adaptation #

Learning from incidents and continuously improving resilience.

• Post-incident reviews (lessons learned)
• Adapting architecture to new threats
• Tabletop exercises and simulations
• Annual architecture reviews
• Exchange in sector CERTs and ISACs

3. Cyber resilience: When prevention is not enough #

Cyber resilience is the specialization of IT resilience for cyberattacks. It addresses a specific problem: cyberattacks — in particular ransomware — are designed not only to disrupt individual systems but to destroy the entire recovery capability.

The ransomware dilemma #

Modern ransomware specifically targets backup infrastructure. This means: the classical disaster recovery plan, which assumes that backups are intact, no longer works.

The scenario that cyber resilience must solve:

• Production systems: encrypted ✗
• Active Directory: compromised ✗
• Online backup: deleted ✗
• Cloud backup: deleted via compromised IAM credentials ✗
• Air-gap backup: intact ✓ — was physically unreachable

Cyber resilience means: even in the absolute worst case — where an attacker had domain administrator rights and went undetected for weeks — at least one recovery path remains intact.

The three principles of cyber resilience #

Principle 1: Assume breach Assume your network will be compromised. Build your recovery architecture to work even then.

Principle 2: Isolated recovery capability At least one recovery path must be physically separated from the production network — not just logically, not just through software policies, but physically unreachable.

Principle 3: Verified recoverability A backup that has never been tested is not a recovery plan — it is an assumption. Quarterly recovery tests are the minimum.

Cyber resilience architecture: Three zones #

Zone 1: Production zone
├── Servers, VMs, databases, applications
├── Network-connected systems
└── Attack surface: HIGH

Zone 2: Backup zone (network-connected)
├── Primary backup repository
├── Snapshot immutability (supplementary)
└── Attack surface: MEDIUM (credentials-reachable)

Zone 3: Isolated recovery zone (air gap)
├── Hardware air gap system
├── Only reachable during backup windows
├── No network interface when offline
└── Attack surface: MINIMAL

Zone 3 is the cyber resilience insurance: Even if Zone 1 and Zone 2 are fully compromised, data in Zone 3 remains intact.

→ How the hardware air gap works

4. Business continuity and disaster recovery #

Business Continuity Management (BCM) #

Business Continuity Management is the organizational framework within which IT resilience operates. BCM defines:

• Critical business processes: Which processes must be restored first?
• Maximum Tolerable Downtime (MTD): How long can a process be unavailable before the organization suffers existentially threatening damage?
• Business Impact Analysis (BIA): What financial, operational, and reputational damage occurs per hour of downtime?

RTO and RPO: The two metrics that determine everything #

The most common mistake: RTO and RPO are defined but never tested against the actual backup architecture. An RTO of 4 hours is worthless if an actual restore takes 48 hours.

Disaster recovery: The plan for worst case #

A disaster recovery plan documents exactly how systems are restored after a total failure. It must contain the following elements:

1. Trigger criteria: When is the DR plan activated?
2. Roles and responsibilities: Who decides, who acts?
3. Recovery sequence: Which systems first?
4. Technical recovery steps: Step-by-step instructions per system
5. Communication plan: Who is informed when and how?
6. Success criteria: How do we know recovery is complete?

Critical: The DR plan must be available offline — printed, in a safe. If your IT infrastructure is compromised, your SharePoint folder with the DR plan may not be accessible either.

Typical RTO values by backup architecture #

*Online backup: RTO only achievable if backup was not compromised — no guarantee in a ransomware attack.

5. The role of backup architecture #

Backup as the foundation of resilience #

The backup architecture is the technical foundation of every resilience strategy. Without intact backups, there is no recovery — and without recovery, there is no resilience.

The multi-tier reference architecture #

A resilient backup architecture works in tiers — each tier addresses a different risk scenario:

Tier 1 — Primary backup (online)

• Network-connected backup repository
• Function: Fast recovery of individual files and VMs
• RPO: 1 – 4 hours | RTO: < 1 hour
• Risk: Credentials-reachable — potentially compromised by ransomware

Tier 2 — Air-gap layer (physically isolated)

• Hardware air gap system (e.g. Silent Brick System)
• Function: Ransomware-resistant recovery of entire systems
• RPO: 24 hours | RTO: 4 – 8 hours
• Risk: Minimal — physically unreachable outside backup windows

Tier 3 — Long-term archive (WORM)

• Immutable archive (e.g. Silent Cubes)
• Function: Audit-proof long-term retention, historical recovery
• RPO: 7 days | RTO: 8 – 24 hours
• Risk: Very low — written data physically immutable

Tier 4 — Geographic redundancy

• Off-site replication to a second location
• Function: Protection against site-wide disasters
• RPO: 4 – 24 hours | RTO: 4 – 24 hours

Why the air-gap layer is decisive #

In a ransomware situation, Tier 1 (online backup) and Tier 4 (cloud replication) are potentially compromised — both are network-reachable. Tier 3 (WORM) protects archive data but not necessarily current backup generations.

Tier 2 — the air-gap layer — is the resilience insurance: It contains current backup data that was physically unattackable.

→ Silent Brick System: Air-gap backup → Silent Cubes: WORM archiving

6. NIS2 and critical infrastructure: Resilience as a legal obligation #

NIS2 Directive: Resilience is no longer a recommendation #

The NIS2 Directive and the NIS2 transposition law make IT resilience a legal obligation for thousands of organizations. §30 BSIG-new specifically requires:

Personal liability of management #

NIS2 tightens liability: managing directors and board members are personally liable for ensuring that appropriate risk management measures are implemented. ​“We did not know” is not a defense — the NIS2 transposition law requires management to inform themselves regularly about the cybersecurity situation and to approve measures.

KRITIS umbrella law: Physical and IT resilience converge #

The KRITIS umbrella law extends the resilience concept to physical security. For critical infrastructure operators, this means: IT resilience and physical resilience must be planned together. A data center requires not only ransomware protection but also protection against power failure, flooding, and physical access.

What auditors will check #

Affected entities must expect audits. Typical checkpoints in the area of resilience:

• [ ] Is a documented data backup concept in place? (BSI CON.3)
• [ ] Are RTO/RPO documented per system and verified through tests?
• [ ] Is a physically separated (air-gapped) backup in place?
• [ ] Are recovery tests conducted regularly and documented?
• [ ] Is a DR plan with defined roles and communication paths in place?
• [ ] Is the DR plan available offline (printed, in a safe)?
• [ ] Are backup systems managed with separate administrator accounts?
• [ ] Is management informed about the resilience measures?

7. Resilience maturity: Where does your organization stand? #

The resilience maturity model #

Use this model for self-assessment. Where does your organization fit?

Level 1 — Reactive (unprepared)

• No documented DR plan
• Backups exist but are never tested
• RTO/RPO not defined
• No incident response process
• Risk: Existentially threatening in a ransomware attack

Level 2 — Basic (partially prepared)

• DR plan exists but is outdated
• Backups run, but recovery tests are rare
• RTO/RPO defined but not verified
• Backup systems managed with production credentials
• Risk: Weeks to months of downtime possible

Level 3 — Defined (structured preparation)

• Current DR plan with defined roles
• Regular backups with occasional recovery tests
• RTO/RPO documented and reflected in backup architecture
• Network segmentation in place
• Risk: Days to weeks of downtime in a ransomware attack

Level 4 — Managed (resilient)

• Multi-tier backup architecture with air-gap layer
• Quarterly recovery tests with documented results
• Separate administrator accounts for backup systems
• Incident response plan with regular exercises
• DR plan available offline
• Risk: Hours to days of downtime — controllable

Level 5 — Optimized (cyber-resilient)

• Automated hardware air gap with verified recovery
• Cyber resilience architecture with isolated recovery zone
• Annual tabletop exercises and red team tests
• Continuous improvement after every incident
• NIS2/KRITIS-compliant with full documentation
• Risk: Controlled — recovery within defined timeframes demonstrated

Where most organizations stand #

Based on our experience from over 2,500 installations, most German organizations are at Level 2 or 3 — they have backups and basic processes, but no demonstrated recovery capability when a ransomware attack also hits the backup infrastructure.

The jump from Level 3 to Level 4 — introducing an air-gap layer and regular recovery tests — is the single most impactful step to increase IT resilience.

8. Building a resilient IT architecture #

The 10-point plan for IT resilience #

Quick wins: What you can do this week #

1. Create a backup inventory: List all backup systems. For each: could an attacker with admin credentials delete it? If yes — it is at risk.
2. Find out when the last recovery test was: When was the last complete restore tested? If the answer is ​“never” or ​“over a year ago” — critical gap.
3. Print the DR plan: If your DR plan only exists digitally, print the most critical sections and place them in a safe.
4. Request a resilience assessment: Have your architecture assessed by an outside perspective — fresh eyes see gaps that routine overlooks.

→ Request a free resilience assessment → View reference architecture