There are significant gaps in cyber resilience, despite growing confidence in organizational strategies, according to a Cohesity survey of 3,100 IT and security decision-makers across eight countries.

The report found just 2% of respondents could recover data and restore business processes within 24 hours after a cyberattack, far below the 98% who reported a targeted recovery time objective (RTO) of one day or less.

While 18% of respondents claimed they could recover within 1-3 days, the majority face much longer downtimes, with 32% requiring 4-6 days, 31% needing up to two weeks, and 16% stating that their organizations would need over three weeks to recover fully.

There is still widespread confidence in cyber resilience strategies, with 78% of respondents expressing trust in their organization’s ability to manage escalating cyber threats.

However, this confidence is undermined because many organizations are still paying ransoms to regain control of their data and systems.

The survey found that 83% of respondents indicated they would pay a ransom to expedite recovery, even if it meant breaking internal policies against such payments.

Nearly 70% of organizations reported paying a ransom in the past year, with fully three quarters saying they would be willing to pay over $1 million and 22% would be willing to pay over $5 million to recover their data and restore operations.

Ransomware Threats on the Rise

This disparity between targeted and actual recovery times is growing at a time when cyber threats, particularly ransomware, continue to escalate.

The survey found that nearly 7 in 10 organizations (67%) had been victims of a ransomware attack in 2024 alone, and 96% of respondents expect the threat of cyberattacks in their industry to increase or has already increased this year, with 59% predicting a rise of over 50% compared to 2023.

The results also indicated ongoing challenges in implementing zero-trust security principles.

More than half of the respondents (54%) admitted that their centralized visibility of critical data could be improved, and less than half had fully deployed key security measures such as multi-factor authentication (MFA), quorum controls, or role-based access control (RBAC).

Just 52% had implemented MFA, 49% had quorum controls requiring multiple approvals, and 46% had established RBAC.

Julian Brownlow Davies, vice president of advanced services at Bugcrowd, said the findings underscore the urgent need for organizations to close the gap between their cyber resilience goals and their actual capabilities, particularly as the cyber threat landscape continues to evolve.

“Many organizations equate having a robust security framework with being cyber resilient,” he said. “However, resilience is not just about preventing attacks but also about how effectively a company can recover from them. Overconfidence can lead to complacency in developing and testing recovery strategies.”

He explained effective cyber resilience requires collaboration across various departments, including legal, communications, and operations.

“A lack of coordination among these teams can slow down decision-making and recovery efforts,” he said.

Cyber Resilience Efforts May Vary

Patrick Tiquet, vice president of security and architecture at Keeper Security, added the requirements for cyber resilience can vary greatly based on industry and individual information systems.

“For some organizations, cyber resilience is a critical business requirement. For other organizations, it can be challenging for IT organizations to invest in a business process that may rarely be used in a real-world scenario,” he said.

He explained it is important for each organization to understand the risk to their information systems and invest in resilience as is appropriate to mitigate negative impacts on their business and customers.

From the perspective of John Anthony Smith, founder and CSO at Conversant Group, organizations must assess their backup and recovery capabilities against real breach behaviors.

“They must have the means to orchestrate and constantly harden those defenses for survivability, usability and timely recovery,” he said.

Without reliable sources of this data, constant reorchestration to the data, and constant reeducation, most organizations’ backups will not survive, be usable, or enable timely recovery.

“The principles underlying the orchestration must be soundly based in breach realities,” Smith said.