Why Good Backups Don't Equal Cyber Resilience: The Case for Minimum Viability
Article written by Michael Ambruso of WWT and David Langley of Commvault.
Cyber attacks powered by artificial intelligence (AI) have broken the fundamental assumption behind disaster recovery: trust.
Traditional disaster recovery assumed that, after a disaster, whatever systems remained operational could be trusted. A hurricane takes out your data center, you restore to your backup site and move forward. Even early ransomware attacks often left backup systems intact, making recovery straightforward once the threat was contained.
Not anymore. Today's attackers, empowered by AI automation, don't just encrypt production data—they hunt down and destroy your backups first. According to Sophos research, 94% of ransomware victims had their backups targeted in 2024. This isn't collateral damage. It's the strategy. Eliminating your ability to recover independently forces an impossible choice: pay the ransom or face extended downtime with no guaranteed path back.
Consider Jaguar Land Rover's August 2025 breach—the most economically devastating cyber attack in British history. The attack forced a complete shutdown of global manufacturing for nearly a month, burning through $12.7 million daily, roughly $9,000 per minute. The impact was so severe that the Bank of England cited it as a factor in the UK's reduced GDP growth. The fallout extended beyond the automaker itself; its entire parts ecosystem went dark. Supply chain workers, hundreds of whom were laid off, were told to apply for government assistance. This wasn't just a company failure—it was an ecosystem collapse with $2.4 billion in economic damage.
The reality is stark: traditional disaster recovery plans were built for a different threat model—one where the attacker's goal was to encrypt data and move on, not to systematically eliminate every recovery option. When attackers successfully compromise backups, or the victim's backup coverage is incomplete, the consequences are severe: organizations become nearly twice as likely to pay the ransom, and recovery costs increase.
This removes the organization's ability to recover independently, leaving ransom payment as the only apparent option. But even capitulation offers little relief. Recent industry analysis shows only 32% of organizations that paid ransoms in 2024 successfully recovered their data, down from 54% in prior years. The promise of decryption keys often rings hollow, and attackers have no incentive to honor their agreements.
This new reality requires a fundamentally different approach, one that goes beyond traditional backup to comprehensive cyber resilience. Organizations need to define their "minimum viable company," the essential systems required to remain relevant to customers, and to build tested recovery capabilities before attacks strike.
WWT's Recovery Range and Commvault's cyber resilience platform provide the framework and tools to make this shift, enabling organizations to practice recovery in consequence-free environments and maintain operational resilience when trust disappears.
But what does cyber resilience actually look like in practice? It starts with a deceptively simple question that most organizations have never answered.
What Is Minimum Viability - And Why It Matters Now
Here's the question every organization needs to answer: What do you do for customers that constitutes your relevance to them?
Your minimum viable company is the essential systems, processes, and people required to remain relevant to customers during a crisis. The answer varies by industry, but the concept is universal:
- A postage meter company: The ability to fill customer meters with postage—without this, customers can't send mail
- An aquarium: Functional HVAC systems that maintain water temperature—when the water gets too hot, the fish die
- A hospital system: Access to patient records and the ability to dispense medications—core functions that keep patients alive
- An online retailer: The ability to process orders and fulfill shipments—revenue stops without these capabilities
- A financial services firm: Transaction processing and account access—customers can't conduct business if these systems are down
- An automotive manufacturer: Production line operations and supply chain coordination—vehicles can't be built without both functioning
The challenge becomes apparent when organizations attempt to identify their critical systems. When you poll different departments about what's "important" to the business, IT will provide one list, operations another, and executives yet another. These lists are typically 80-90% longer than what actually impacts customer relevance—filled with systems that support efficiency but aren't essential to maintaining customer relationships during a crisis.
During a cyber attack, when recovery timelines extend from days to weeks, this distinction becomes the difference between business continuity and business failure. Organizations that haven't clearly defined their minimum viable company find themselves attempting to restore everything simultaneously, burning through limited recovery resources on systems that don't contribute to customer relevance while critical capabilities remain offline. This is precisely why defining your minimum viable company before an attack is essential—it provides the decision-making framework needed when every hour of downtime costs millions.
The concept goes beyond traditional disaster recovery planning. When you're operating under fire, you need to know exactly which systems to prioritize for recovery. You'll be verifying and cleaning data through multiple restoration iterations—a forensic process that doesn't exist in traditional DR. And if attackers have been in your systems for months, which is increasingly common, you'll need to sanitize data that extends beyond what your backup retention policies even cover.
The minimum viable company framework ensures you're investing recovery efforts where they matter most:
- Restoring systems that directly maintain customer relationships and revenue
- Ensuring compliance with external governance, regulatory, and legal data requirements
- Focusing on what keeps the business operational, not simply what eventually needs restoration
- Recovering in order of business impact, not in the sequence systems failed
Defining your minimum viable company establishes what to recover. But modern cyber attacks introduce a challenge traditional DR never contemplated: forensic verification. Before restoring a single system, you must prove it hasn't been weaponized against you.
The Forensic Imperative: Why You Can't Trust What You're Restoring
Traditional disaster recovery assumes a straightforward process: identify the failure, restore from backup, and resume operations. Cyber recovery operates under fundamentally different constraints. Every system must be forensically validated before restoration—data integrity verified, identity management systems examined for backdoors, infrastructure checked for compromised firmware. Security operations teams must clear each component before it touches production.
Time pressure intensifies the challenge. Attackers now move from initial access to ransom demand in an average of 24 hours. What organizations once measured in days now unfolds in hours. There's no time during an active attack to develop procedures, map dependencies, or establish decision criteria. These capabilities must exist before the breach occurs.
The infrastructure itself may be compromised beyond repair. Microsoft research shows 80% of enterprise organizations have experienced at least one firmware attack in the past two years. When attackers corrupt the firmware of production machines, restoring to the original infrastructure becomes impossible. Organizations must rebuild in isolated clean room environments, verify system integrity, sanitize compromised components, then—and only then—move systems to production.
This verification process has no parallel in traditional disaster recovery. Organizations typically cycle through multiple restore-and-sanitize iterations before achieving a confirmed clean state. Each cycle adds days to recovery timelines. Each delay compounds financial losses.
Identity management systems present the highest risk. Active Directory, Microsoft Entra, Okta—these platforms control access to everything. Applications won't launch without them. Communications systems remain dark. Business operations stop entirely. Yet organizations routinely silo these critical systems.
The forensic and coordination challenges described above are difficult enough. They're becoming exponentially harder due to a technology that's transforming both attack and defense capabilities.
The AI Arms Race: How Automation Amplifies Both Attacks and Recovery
Artificial intelligence has fundamentally altered the cyber resilience equation, amplifying capabilities on both sides of the conflict.
On the attack side, AI enables a level of sophistication that renders traditional detection methods obsolete. Phishing emails that once revealed themselves through poor grammar or crude graphics now arrive pixel-perfect, indistinguishable from legitimate communications. An email warning about suspicious American Express activity displays flawless branding, proper formatting, professional language—the only indicator might be a single character substitution in the URL, "Americαn" using a Greek alpha instead of a Latin 'a'.
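The single-character substitution described above can be caught mechanically. The following is an added example, not part of the original article: it flags hostname labels that mix scripts or that collapse to a protected brand name once look-alike characters are mapped to Latin. The confusables table, the brand list and the `.example` hostnames are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately small confusables table (non-Latin char -> Latin look-alike).
# A production check would load Unicode's full confusables data instead.
CONFUSABLES = {
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}


def script_of(ch):
    """Coarse script of a letter, taken from its Unicode name; None for non-letters."""
    if not ch.isalpha():
        return None
    if ch.isascii():
        return "LATIN"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def decode_label(label):
    """Return the Unicode form of one DNS label, decoding punycode ('xn--') labels."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: inspect the raw label instead
    return label


def inspect_url(url, protected_brands):
    """Return findings for each hostname label that looks like a homoglyph spoof."""
    host = urlsplit(url).hostname or ""
    findings = []
    for raw in host.split("."):
        label = decode_label(raw)
        scripts = {s for s in map(script_of, label) if s}
        # Skeleton: the label as a reader would perceive it in Latin letters.
        skeleton = "".join(CONFUSABLES.get(c, c) for c in label)
        if len(scripts) > 1:
            findings.append(("mixed-script", label, sorted(scripts)))
        if skeleton != label:
            for brand in protected_brands:
                if brand in skeleton:
                    findings.append(("brand-lookalike", label, brand))
    return findings


# Constructed inputs: the article's Greek-alpha substitution, and the genuine spelling.
BRANDS = ["americanexpress"]
SPOOFED = "https://www.americ\u03b1nexpress.example/activity"
GENUINE = "https://www.americanexpress.example/activity"

if __name__ == "__main__":
    for url in (SPOOFED, GENUINE):
        print(url.encode("unicode_escape").decode(), inspect_url(url, BRANDS))
```

Because links often carry the hostname in its punycode form, `decode_label` converts `xn--` labels back to Unicode before the script check runs.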
The personalization capabilities escalate the threat further. AI-powered attacks can reference recent purchases, customize messaging based on social media activity, and adapt tone to match communication patterns. What previously required days of reconnaissance now happens in minutes. Attackers can industrialize these personalized campaigns at scale, targeting thousands of employees with individually crafted messages.
But AI's impact extends beyond attack vectors. Emerging solutions leverage AI to compress response timelines and improve decision quality during crises. AI systems can triangulate attack origins across multiple data sources, map blast radius in real-time, and guide recovery teams through complex scenarios, even when responders lack direct experience with specific attack patterns. Instead of making critical decisions based on incomplete information and time pressure, teams can analyze comprehensive data and receive AI-assisted recommendations.
The critical difference: AI accelerates both attack and defense, but organizations must actively deploy defensive AI capabilities. Attackers gain AI advantages by default—automated tools proliferate across the dark web. Defense requires intentional investment in AI-enabled security operations, threat detection, and recovery orchestration. Organizations that fail to adopt these capabilities face AI-powered attacks with pre-AI defenses—a mismatch that extends recovery timelines, lowers success rates, and makes successful recovery increasingly unlikely.
AI-enabled tools and forensic capabilities are only as effective as the teams deploying them. Which brings us to perhaps the most critical—and most frequently overlooked—element of cyber resilience: organizational structure.
It's a Team Sport: Breaking Down Silos
Organizational silos represent one of the most persistent barriers to effective cyber resilience. Despite widespread recognition of the problem, most enterprise organizations continue to operate with isolated teams: IT manages infrastructure, security operations handles threats, legal addresses compliance, DevOps maintains applications, and executives oversee strategy—each with distinct tools, priorities, and communication channels.
The shift in priorities is measurable. Gartner's 2024 research on cybersecurity trends reveals that organizations now rank response and recovery as more critical than protection capabilities. Yet the same research identified substantial maturity gaps: while leadership understands these priorities, the organizational structure and cross-team coordination needed to deliver them remain underdeveloped.
Building cross-functional cyber resilience capabilities requires three fundamental shifts in how teams operate.
- Establish visibility across functions. Security operations and IT teams need regular communication channels with defined escalation paths. Data protection teams must understand security's threat detection capabilities. Legal needs to know recovery timelines to manage regulatory notifications. Each team requires a clear understanding of what other groups can and cannot deliver during a crisis, because the assumption that other departments have their components handled rarely reflects reality.
- Plan for prevention failure. Data protection and security teams must align on a difficult premise: preventive security measures will eventually be breached. When that happens, recovery capabilities determine business survival. This requires security leadership to engage with data protection teams before an incident occurs, mapping out forensic requirements, clean room restoration processes, and decision authority during crisis response. The conversation shifts from "if prevention fails" to "when prevention fails, here's the tested recovery process."
- Map dependencies comprehensively. Application dependencies prove far more complex than initial assessments reveal. An organization might identify a Spark application as business-critical, but that application typically depends on 10 to 12 supporting workloads—identity management systems, cloud storage, API gateways, database clusters, and monitoring tools. Each dependency creates potential failure points. Mapping these relationships requires cross-functional expertise: architects understand technical dependencies, security teams identify authentication requirements, and business analysts confirm which functions support customer-facing operations.
Third-party dependencies compound this complexity. For example, when AWS East experienced an outage recently, one DNS configuration error disrupted operations for 11,000 companies simultaneously. Most organizations depend on approximately five external providers, where failure at any one creates a direct business impact. Identifying these critical vendors and validating their security postures requires coordination across procurement, IT, security, and business operations—exactly the cross-functional collaboration that organizational silos prevent.
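To make the dependency-mapping point concrete, the following added example (not from the original article or either vendor's tooling) takes a small system inventory, computes the minimum viable set as the transitive closure of one business-critical application, and orders it into restore waves so that nothing is restored before the systems it depends on. The inventory, system names and the `external` flag are constructed assumptions.

```python
from graphlib import TopologicalSorter, CycleError

# Constructed inventory: each system lists what must already be running before it.
INVENTORY = {
    "order-analytics-spark": {"depends_on": ["identity", "object-storage",
                                             "api-gateway", "db-cluster", "monitoring"]},
    "api-gateway": {"depends_on": ["identity", "dns", "internal-ca"]},
    "db-cluster": {"depends_on": ["identity", "object-storage"]},
    "object-storage": {"depends_on": ["identity"]},
    "monitoring": {"depends_on": ["identity"]},
    "identity": {"depends_on": []},
    "dns": {"depends_on": [], "external": True},   # third-party provider
    "hr-portal": {"depends_on": ["identity", "db-cluster"]},
    "intranet-wiki": {"depends_on": ["identity"]},
}


def minimum_viable_set(inventory, critical):
    """Everything the critical systems need, plus dependencies nobody inventoried."""
    needed, unmapped, stack = set(), {}, list(critical)
    while stack:
        name = stack.pop()
        if name in needed:
            continue
        needed.add(name)
        for dep in inventory[name]["depends_on"]:
            if dep in inventory:
                stack.append(dep)
            else:
                # Referenced but never documented: a gap to close before an incident.
                unmapped.setdefault(dep, []).append(name)
    return needed, unmapped


def build_recovery_plan(inventory, critical):
    """Order the minimum viable set into waves; each wave can be restored in parallel."""
    needed, unmapped = minimum_viable_set(inventory, critical)
    graph = {n: [d for d in inventory[n]["depends_on"] if d in inventory] for n in needed}
    sorter = TopologicalSorter(graph)
    sorter.prepare()  # raises CycleError on circular dependencies
    waves = []
    while sorter.is_active():
        ready = sorted(sorter.get_ready())
        waves.append(ready)
        sorter.done(*ready)
    return {
        "waves": waves,
        "unmapped": unmapped,
        "external": sorted(n for n in needed if inventory[n].get("external")),
        "deferred": sorted(set(inventory) - needed),  # not needed for customer relevance
    }


if __name__ == "__main__":
    plan = build_recovery_plan(INVENTORY, ["order-analytics-spark"])
    for number, wave in enumerate(plan["waves"], start=1):
        print(f"wave {number}: {', '.join(wave)}")
    print("unmapped:", plan["unmapped"])
    print("external:", plan["external"])
    print("deferred:", plan["deferred"])
```

Identity lands in the first wave because every other system in the set depends on it, and the `internal-ca` entry shows how an undocumented dependency surfaces during planning rather than mid-recovery.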
The teams that succeed in cyber resilience share a common characteristic: they've institutionalized cross-functional coordination before a crisis strikes. They conduct regular tabletop exercises involving all stakeholder groups. They've documented dependencies and tested recovery procedures in environments where failure provides learning rather than business disruption. Most importantly, they've moved beyond the assumption that cyber resilience is IT's problem or security's problem—they've made it an enterprise-wide priority.
Cross-functional coordination on paper means nothing without practice. The most carefully documented recovery procedures fail when teams execute them for the first time during an actual attack.
Practice Builds Confidence and Creates Consistency: Why Testing in a Consequence-Free Environment Matters
No one wants to build the airplane at 30,000 feet. Yet that's exactly what happens when organizations develop recovery procedures during an active cyber attack. Effective response requires training, practice, and—most critically—controlled failure before the actual event occurs.
Resource constraints prevent most organizations from maintaining dedicated testing environments. Stretched teams lack the capacity to build lab infrastructure, maintain patch currency, and preserve test environments between exercises. The time investment becomes prohibitive when IT and security teams already operate beyond capacity.
These resource limitations collide with a recovery landscape that has grown exponentially more complex, especially for those without a minimum viability strategy. A decade ago, backup success meant achieving green status indicators on morning reports—confirmation that the backup completed without errors, with the assumption that recovery would work when needed. Even exceptional organizations typically validated recovery only once during the initial build stage, confirming they could restore the image in pre-production. After that, recovery capabilities went untested until a DR exercise or actual failure forced the issue.
Today's recovery operations assume multiple restore-and-sanitize cycles—three, four, or five iterations to achieve verified clean state. Each iteration requires forensic validation, clean room isolation, and cross-team coordination. Performance metrics have shifted accordingly. Speed matters less during backup operations than during recovery, when every minute of downtime compounds financial losses and extends business disruption.
Pre-built testing environments address both constraints simultaneously. When organizations access environments that are 90% configured, teams can focus practice time on executing procedures rather than building infrastructure. Teams test coordination, identify gaps, and refine processes. When they return three months later, they encounter the same pristine environment—no maintenance burden, no configuration drift, no resource drain between exercises. This creates a consequence-free practice space where failures generate learning instead of business impact.
WWT's Recovery Range exemplifies this approach. The cloud-based platform provides pre-configured testing environments specifically designed for cyber recovery validation. Organizations gain immediate access to infrastructure that mirrors production complexity—identity management systems, multi-cloud components, application dependencies—without the months typically required to build and maintain dedicated labs. Teams practice forensic verification procedures, test cross-functional coordination, and validate recovery playbooks against realistic attack scenarios. Between exercises, environments automatically reset, eliminating the operational overhead that prevents most organizations from conducting regular recovery drills.
The industry has moved past a simple question: Did backups complete successfully?
The question now is: Can teams execute mass recovery under actual crisis conditions?
Answering this requires repeated practice. Organizations that test recovery procedures quarterly build muscle memory across teams, identify dependency gaps before attacks occur, and develop the confidence that recovery capabilities will function when business survival depends on them.
Even organizations that understand these principles—defining minimum viability, conducting forensic planning, breaking down silos, and practicing recovery—frequently stumble on common implementation mistakes.
Six Common Pitfalls and How to Avoid Them
Mistake #1: Assuming good backups equal cyber resilience
Comprehensive backup coverage addresses approximately 80% of cyber resilience requirements. The remaining 20%—forensic verification, clean room restoration, multiple sanitization cycles, and cross-team coordination—determines whether organizations achieve recovery or face extended business disruption. Traditional backup strategies lack these capabilities entirely.
Mistake #2: Operating security and data protection as separate functions
Data protection plans require security operations involvement. Security teams identify compromised systems and validate forensic cleanliness. Data protection teams manage restoration sequences and verify data integrity. Neither function succeeds independently. Organizations that maintain separate reporting structures, communication channels, and planning processes for these teams create coordination failures that extend recovery timelines by weeks.
Mistake #3: Lacking a clear minimum viable company definition
Recovery prioritization requires an explicit understanding of which systems maintain customer relevance. Organizations that cannot articulate this definition attempt to restore everything simultaneously, exhausting limited recovery resources on non-essential systems while critical capabilities remain offline. During extended recovery scenarios, this ambiguity transforms manageable incidents into existential business threats.
Mistake #4: Underestimating application and infrastructure dependencies
Business-critical applications rarely operate in isolation. They depend on identity management systems, cloud infrastructure components, API gateways, third-party services, and supporting databases. Organizations that discover these dependencies during recovery face cascading failures as they attempt to restore systems without their required supporting infrastructure. Dependency mapping must occur during planning, not during crisis response.
Mistake #5: Relying on cyber insurance as primary risk mitigation
Cyber insurance provides financial recovery for specific losses under specific conditions. It does not guarantee business continuity, expedite technical recovery, or replace preparedness planning. Insurance carriers increasingly identify coverage exclusions when organizations demonstrate inadequate security controls or recovery capabilities. Insurance functions as one component of risk management, not a substitute for operational resilience.
Mistake #6: Prioritizing restoration speed over forensic verification
Restoring compromised systems to production environments spreads malware, reintroduces backdoors, and potentially triggers secondary attacks. Forensic verification must precede restoration, regardless of time pressure. Organizations that skip verification to accelerate recovery timelines typically discover they've restored infected systems, forcing complete re-restoration after additional damage occurs. The verification delay is painful but essential—and far shorter than the extended downtime caused by premature restoration.
Avoiding these six pitfalls requires intentional planning and systematic execution. Organizations at any maturity level can begin strengthening their cyber resilience posture immediately. WWT and Commvault provide the framework to accelerate this journey. WWT's Recovery Range delivers pre-built testing environments where teams practice coordinated recovery without infrastructure maintenance overhead. Commvault's cyber resilience platform—featuring Cloud Rewind for rapid cloud restoration, AI-powered threat detection, and immutable backup repositories—addresses the complete recovery lifecycle from on-premises through multi-cloud deployments. Together, these capabilities enable organizations to move from planning to tested execution.
Your Next Steps
Cyber resilience development doesn't require complete infrastructure replacement or seven-figure investments. Progress comes through deliberate steps that build capabilities incrementally.
- Define your minimum viable company. Identify which systems and processes maintain customer relevance during disruption. Document these capabilities explicitly, including the supporting infrastructure each requires. This definition guides all subsequent recovery prioritization decisions.
- Map dependencies comprehensively. Document how critical applications depend on identity management, cloud infrastructure, third-party services, and internal supporting systems. Include both technical dependencies and organizational dependencies—which teams must coordinate for successful restoration. This mapping reveals vulnerability concentrations and coordination requirements that planning documents often miss.
- Establish cross-functional coordination. Convene IT, security operations, business leaders, and legal counsel for an honest assessment of current capabilities. Identify gaps between documented procedures and actual execution capacity. These conversations often reveal assumptions about preparedness that don't reflect operational reality.
- Test in consequence-free environments. Validate recovery procedures through structured exercises before attacks occur. Testing reveals coordination gaps, dependency oversights, and procedural ambiguities that planning sessions miss. Organizations that practice recovery quarterly develop execution confidence and identify improvement opportunities iteratively.
- Implement incrementally. Comprehensive cyber resilience programs develop over time through sustained investment. Organizations that attempt complete transformation simultaneously often stall due to resource constraints and complexity. Focus on the highest-impact capabilities first, establish measurable progress indicators, and expand systematically.
The threat landscape continues evolving. The question isn't whether organizations will face sophisticated attacks. Rather, it is whether they will have tested, coordinated recovery capabilities ready when attacks occur.
The WWT and Commvault Solution: From Testing to Recovery
WWT and Commvault bring decades of combined experience helping organizations navigate these exact challenges.
WWT's Recovery Range is a pre-built, cloud-based testing environment designed specifically for cyber recovery validation. With 90% of the infrastructure setup already complete, teams can focus on practicing coordinated recovery procedures rather than building and maintaining lab environments. Organizations can test forensic verification processes, validate cross-team coordination, and identify dependency gaps in a consequence-free space where failures generate learning instead of business disruption. Between exercises, environments automatically reset to a pristine state—eliminating maintenance burden while ensuring consistent testing conditions.
Commvault's comprehensive cyber resilience platform delivers what industry practitioners recognize as one of the most complete toolsets available. The platform addresses the full recovery lifecycle across any infrastructure—from common enterprise environments to specialized hypervisors that other solutions don't support.
Commvault's capabilities include:
- Cloud Rewind for rapid restoration of entire cloud environments when attackers compromise cloud infrastructure or configurations
- AI-powered threat detection and analysis that triangulates attack origins across multiple data sources, maps blast radius in real-time, and guides administrators through recovery processes even when they lack direct experience with specific attack patterns
- Immutable and air-gapped backup repositories that prevent attackers from modifying or deleting recovery data—built into SaaS offerings by default
- Automated recovery orchestration that walks teams through complex multi-system restoration sequences while maintaining forensic validation requirements
- Deception technology that deploys decoy systems (like SQL servers) in production environments to detect lateral movement when attackers trigger tripwires
- Multi-cloud and hybrid support covering traditional on-premises infrastructure, AWS, Azure, and Google Cloud workloads
The platform's breadth addresses real-world attack complexity. Having responded to hundreds of cyber incidents, both organizations bring experience-based insights to recovery planning—understanding not just which tools matter, but how organizations actually execute under pressure.
The partnership earned recognition at Commvault's Shift conference, reflecting ongoing collaboration focused on moving organizations beyond backup to operational resilience. Combined certifications—including FedRAMP High for government cloud workloads and AWS Storage Partner of the Year recognition—address cyber resilience requirements across every deployment model.
Both organizations recognize that cyber resilience extends beyond technology. It requires coordinated people, processes, and systems working together. Advanced tools matter, but the preparatory work—defining minimum viability, mapping dependencies, and establishing cross-functional coordination—determines recovery outcomes when attacks occur.
Cyber attacks will continue. Attack sophistication increases while time windows for response shrink. Organizations that invest in preparation recover in days. Those that don't face weeks or months of disruption.
The critical questions aren't about backup completion. They're about trust and execution:
- Can you verify your backups haven't been compromised?
- Do you know which systems to restore first?
- Have your teams practiced coordinated recovery?
- Can cross-functional groups execute under pressure?