
Recovering From Cyber Attacks in 60 Secs: A Guide to Cyber Resilience

Cyberattacks have changed shape. Many are quiet, fast and intent on disrupting your business before you notice anything is wrong. Protection alone is not enough. The real question is how quickly you can detect, isolate and recover to clean data so that operations continue with minimal impact. That is the core of cyber resilience today. Insights in this article are drawn from an expert fireside discussion with storage specialists Alex Durkin, from IBM, and James Poole, from Trustmarque and Ultima.

 


 

Why speed now defines resilience

Attackers often target backups first, then corrupt data across primary and secondary sites. When that happens, traditional DR plans struggle because they were built for physical outages rather than silent, data-level attacks. You need rapid identification of abnormal behaviour, recovery points that cannot be tampered with, and a tested path to bring clean data back online.

 

What “60 second recovery” really means

Sixty seconds is not a promise for every incident. It is a target made possible when several capabilities work together. Four pillars stand out:

  1. Detect fast using machine learning that monitors every I/O and flags abnormal patterns in under a minute.

  2. Isolate clean data with immutable, separated copies that cannot be altered.

  3. Recover quickly by automating rollback to known good data.

  4. Test often with a repeatable runbook.

 

The essentials of a modern cyber recovery strategy 

Identify the moment of compromise
Machine learning that continuously profiles normal data behaviour helps you spot silent encryption and destructive changes early.

Create recovery points you can trust
Immutable, isolated snapshots are designed to resist tampering. They provide a clean baseline to restore from when standard backups are suspect.

Design for performance and consistency
Recovery is only useful if the platform can bring services back at speed. Flash‑based, low‑latency storage keeps critical workloads responsive during failover and recovery, including virtualised and hybrid environments.

Meet rising expectations from regulators and boards
Resilience programmes are aligning with global frameworks such as NIST and EU DORA, as highlighted in IBM’s guidance and echoed in our session.


Top 5 Expert‑Backed Steps to Strengthen Your Cyber Resilience and Recovery This Quarter

1. Identify critical systems.
2. Enable immutable copies.
3. Add continuous anomaly detection.
4. Document a runbook.
5. Measure detection and recovery times.

 


 

FAQs

What is cyber resilience and how is it different from cybersecurity?

Cybersecurity focuses on preventing and detecting attacks. Cyber resilience adds the ability to continue operating and recover quickly when incidents occur. It brings together detection, isolation, recovery and regular testing, which were emphasised in the expert discussion and supported by IBM content on cyber‑resilient storage.

How does AI actually help with cyber recovery?

AI and machine learning continuously analyse storage I/O to spot unusual patterns such as encryption spikes, permission anomalies or data entropy changes. IBM describes sub‑minute anomaly detection that can trigger protective actions and guide recovery to clean copies.
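
The entropy signal named above, as an added example (not IBM's or Trustmarque's detection logic): it scores each write block by Shannon entropy and alerts only when most of a sliding window is near-random, so a single compressed file does not trigger it. The window size, threshold and sample stream are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter, deque

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of one write block in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def detect_entropy_shift(blocks, window=8, threshold=7.5, min_hits=6):
    """Return the index of the first write at which at least `min_hits` of the
    last `window` blocks exceed `threshold` bits/byte, or None if never.
    Requiring several hits per window tolerates isolated high-entropy writes
    (compressed or already-encrypted files) that are normal in production."""
    recent = deque(maxlen=window)
    for i, block in enumerate(blocks):
        recent.append(shannon_entropy(block) > threshold)
        if sum(recent) >= min_hits:
            return i
    return None

def constructed_stream(attack_start=20, attack_len=10, block_size=4096):
    """Constructed sample: log-like writes, one legitimate compressed-looking
    block at index 5, then a burst of ciphertext-like blocks."""
    rng = random.Random(0)  # fixed seed so the sample is reproducible

    def noisy():
        return bytes(rng.getrandbits(8) for _ in range(block_size))

    def texty(i):
        line = f"2024-01-01 INFO user login ok id={i:04d}\n".encode()
        return (line * (block_size // len(line) + 1))[:block_size]

    stream = [texty(i) for i in range(attack_start)]
    stream[5] = noisy()
    stream += [noisy() for _ in range(attack_len)]
    return stream

if __name__ == "__main__":
    hit = detect_entropy_shift(constructed_stream())
    print(f"alert raised at write #{hit}")
```

The gap between the first ciphertext-like write and the alert index is the detection lag, which is the figure to record when measuring detection time.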

What do immutable snapshots do that backups do not?

Immutable snapshots are designed so they cannot be modified or deleted once created. They are logically separated from production, giving you a trustworthy recovery point even if attackers have reached your backups. This is central to IBM’s cyber resilience approach.

Can I really recover in 60 seconds?

Under the right conditions, you can start serving clean data very quickly. Sub‑minute detection plus isolated, ready‑to‑restore copies and a tested runbook make minute‑level recovery possible for targeted datasets. Your actual time depends on scope, data size and automation maturity, a nuance called out in the session.

Does this replace my backup system?

No. Immutable copies and rapid rollback complement your backup and DR strategy. Think defence in depth. Backups remain vital for long‑term retention and compliance. Immutable snapshots focus on fast, clean operational recovery.

What about RPO and RTO in a modern approach?

Aim to reduce both. Frequent immutable copies shrink RPO. Automated rollback on high‑performance storage reduces RTO. The goal is to cut the window of business disruption to minutes rather than hours.

How do I prove resilience to the board or a regulator?

Map your controls to recognised frameworks such as NIST and DORA and document test evidence that shows how quickly you detect, isolate and recover. IBM’s materials explicitly reference alignment with NIST and DORA.

Where should I start?

Begin with an assessment to find blind spots, define your minimum viable business data, and prioritise automation. Then introduce immutable copies, improve detection, and rehearse your recovery steps. These practical steps were underlined by Alex Durkin and James Poole in the recorded session.

 

For a deeper look at how detection, isolation and recovery work together, including real‑world guidance from Alex Durkin and James Poole, watch the on‑demand fireside chat.  

 
