AIX systems are often the IT backbone of medium and large enterprises. They power everything from critical financial systems to supply chain operations to industrial controls. Uptime is non-negotiable. However, while organisations have invested heavily in safeguarding virtualised environments and primary storage snapshots, AIX has often been left behind.
This isn’t an oversight; it’s due to technical hurdles. The proprietary nature of AIX systems, combined with their complexity, has made it difficult to perform recovery testing at scale. As a result, many businesses have no choice but to simply hope that their AIX backups will work when disaster strikes.
The AIX myth.
You’ve probably heard this one…
“You don’t need to worry about ransomware on AIX.”
The often-accepted logic suggests that ransomware gangs are most interested in hitting the most widely used platforms like Windows and VMware, and that AIX simply doesn’t have the footprint to be worthwhile for attackers. While there is sense in the logic, it’s not that black and white.
While AIX might not be as prevalent as Windows or VMware, for the businesses that rely on it, AIX often holds the crown jewels of their data. Take down AIX, and many organisations will be left totally unable to operate. Retail businesses will be unable to transact. Hospitals will be unable to access patients’ medical records. Production lines will grind to a halt.
Attackers want to cause maximum disruption in order to increase the size and likelihood of a ransom payout. When it comes to targets, AIX is a bullseye.
This isn’t just theoretical. There’s a growing trend of ransomware groups creating variants or modules to reach into UNIX-based systems, including AIX. Ransomware families like DarkRadiation and RansomEXX have already been engineered to strike Linux environments, meaning an AIX variant is just a tweak away. And given the potential payout from infiltrating the kind of critical data managed on AIX, it’s only a matter of time before ransomware gangs prioritise this OS.
More than just a good practice
AIX systems tend to be found in industries with high-value, business-critical data like finance, healthcare, and manufacturing. It’s no coincidence that these are the 3 industries most targeted by ransomware attacks, and no coincidence that these are amongst the most highly regulated industries.
With a raft of operational resilience regulations coming into force around the world (DORA, FISMA, PRA, and NIS2 to name a few), proof of effective recovery from AIX is becoming more than just good practice. For lots of organisations, it’ll be mandatory.
IBM and Trend Micro: Fortifying AIX and SAP Environments on Power
IBM’s collaboration with Trend Micro to bring Trend Vision One™ to Power servers reinforces the critical point… AIX isn’t immune to ransomware or cyber threats. Trend Vision One’s SAP Scanner, integrated with SAP NetWeaver and SAP HANA, actively scans for hidden threats, showing IBM’s commitment to securing these high-value environments. If AIX were untouchable, this level of security wouldn’t be necessary. For organisations relying on AIX for sensitive data, IBM’s partnership with Trend Micro validates the importance of a robust, proactive approach to cyber resilience.
Predatar’s Approach to Validating AIX Cyber Resilience
At Predatar, we’ve also taken up the challenge. Our latest product release, R17.3 Viper, brings Predatar’s full Recovery Assurance capability to AIX workloads. Customers heavily invested in IBM storage tech can now validate the cleanliness and recoverability of their Storage Protect/Plus VMs, their FlashSystem Safeguarded Copies and their AIX backups with a single Predatar licence and one Predatar CleanRoom.
AIX customers with multi-vendor storage environments benefit from this release too. Predatar supports Veeam, Rubrik and Cohesity backups, as well as immutable Pure Storage snapshots.
Our approach leverages the power of Predatar’s Aurora™ AI to continuously monitor and test backup environments, flagging potential threats and validating recovery workflows. In a world where ransomware attacks are increasingly sophisticated, it’s more important than ever to know that your backups are not just complete – but clean and secure.
The Importance of Scanning Backups
When ransomware strikes, it doesn’t always attack production data first. Sometimes it sneaks into backup data, hiding until an attempted recovery brings the infection back into the environment. Scanning backups of AIX is about making sure that in the worst-case scenario, when an organisation is recovering, it’s truly safe. A comprehensive scan can prevent re-infection, validate the security of recovery copies, and ultimately serve as the final line of defence against sophisticated ransomware strategies.
In short, for those organisations relying on AIX to protect their most valuable data, the stakes are too high to overlook cyber resilience.
Final Thoughts
The risk of ransomware is real and it’s growing. Cybercriminals will increasingly focus on big, critical targets, including AIX environments. By leveraging solutions like Predatar and IBM’s and Trend Micro’s Trend Vision One, organisations can gain confidence in their ability to detect, prevent, and recover from ransomware threats targeting AIX.
Protect your AIX systems like the crown jewels, because to a ransomware gang, that’s exactly what they are.
Visit the Predatar website to find out how Predatar can give you recovery confidence.
Predatar never stops evolving. Over the past 18 months the platform has become truly vendor-agnostic with support for many of the biggest backup and storage solutions on the market. Our roadmap is driven by the changing needs of our customers and the days of businesses relying on a single vendor for backup and recovery are fading fast. As organisations adopt a broad range of solutions to address their challenges, managing and securing data across multiple systems has become more complex than ever.
Predatar has embraced this shift, evolving to give businesses a single, unified view of their recoverability and cyber resilience. Through AI-powered analysis, automated recovery testing, and deep malware scanning of backups, we’ve provided tools that not only simplify this complexity but help organisations continuously verify their readiness to recover from cyber attacks. By listening to our customers and innovating based on their feedback, we’ve ensured Predatar stays ahead in addressing the challenges of a multi-vendor world.
Building on the IBM Legacy
If you’ve known about Predatar for a while, you’ll know it all started with IBM. Today our platform supports a wide range of storage vendors, but IBM remains a powerhouse in the data protection space and recent developments show they’re on an exciting journey that complements our own.
Predatar R17.3 introduces a major milestone for IBM users: full support for recovery testing and malware scanning of AIX workloads protected by IBM Storage Protect. This completes our IBM integration story, adding to our existing support for IBM Safeguarded Copies, Storage Protect Plus, Data Protect, and FlashSystem. For organisations heavily invested in IBM, this means a seamless, end-to-end solution for testing, verifying, and enhancing resilience across critical workloads.
We’re also closely watching IBM’s progress and there’s a lot to be excited about. Over the last 18 months, they’ve accelerated the pace of innovation. From their Data Resiliency Dashboard enhancements and simplified updates to Splunk integration, to governance improvements, IBM is delivering tools that help businesses to strengthen their recovery posture. Features like ransomware detection sensors and MFA security enhancements demonstrate their commitment to evolving in line with their customers’ needs.
Our team is particularly excited by IBM’s development of their Storage Defender platform. By introducing integrations with other storage vendors’ solutions, it’s clear that IBM is also embracing the reality of a multi-vendor world. This approach aligns with our own mission to help organisations protect and recover their data, no matter how complex their environments become.
A Shared Vision for Resilience
Predatar R17.3: Viper is more than a product release; it’s a testament to our commitment to helping businesses thrive in a multi-vendor world. By continuously enhancing our platform and staying aligned with the latest advancements from partners, we’re ensuring that resilience isn’t just a possibility but a certainty for our customers. Check out R17.3: Viper here.
At this year’s Control24 summit, we heard a range of insightful perspectives on AI in cybersecurity. While IBM’s Martin Borrett explored the transformative potential of AI, highlighting its dual role as both a tool and a threat, Steve Kenniston from Dell approached the topic from a different angle, focusing on foundational security practices and the importance of a balanced approach. Together, their insights provide a well-rounded look at AI’s role in today’s cybersecurity landscape.
“For the most part, there’s nothing to talk about right now with Gen AI,” Steve began. “You’ve got a million other workloads in your environment that are mission-critical.”
The 90-10 Rule: Focus on What Works
Steve introduced his ‘90-10 philosophy’, which proposes that 90 percent of what’s needed to secure your environment can be achieved through fundamental security practices. The remaining 10 percent accounts for newer, specialised approaches like managing prompt injection risks in Gen AI models. But he cautioned against chasing trends without solid basics in place, urging organisations to keep their focus on what has consistently worked:
Reducing Attack Surface: Steve pointed out that roughly 47 percent of breaches exploit weaknesses in basic defences, threats that don’t necessarily need advanced tech to address. Core measures like multi-factor authentication, role-based access, and regular patching are still the first line of defence, effectively countering nearly half of common attacks.
Detection and Response: Building on Martin’s view of AI as transformative, Steve reframed the conversation, reminding us that traditional AI-driven tools, such as MDR (Managed Detection and Response), have provided critical support for years. “AI and ML tools have been built into security solutions for decades,” he noted, emphasising the value of these existing AI solutions in reducing detection and remediation times.
Recovery Readiness: Steve highlighted the importance of robust, regularly practised recovery strategies, sharing that only 37 percent of organisations currently recover from air-gapped storage, leaving a crucial resilience measure underutilised. “Practise, practise, practise,” he urged, likening it to military drills that prepare teams to respond intuitively in a real incident.
AI: A Piece of the Puzzle, Not the Whole Solution
While Martin’s talk showcased AI’s exciting potential, Steve’s approach underscored the importance of integrating AI alongside established security practices. He sees AI as one component within a broader toolkit that supports, rather than replaces, strong cybersecurity hygiene.
“AI has been in security for years,” Steve explained. “It’s embedded in EDR, XDR, MDR tools. But as you automate, don’t forget the basics.”
Steve advocates balancing automation with oversight – using AI for repetitive tasks, while maintaining human control where it counts.
Building a Unified Strategy
Steve’s advice on viewing cybersecurity as a unified framework added a valuable dimension to the discussion. Rather than compartmentalising attack surface reduction, detection and response, and recovery readiness, he encouraged assessing tools with a holistic perspective. Does a solution reduce the attack surface? Support quick detection and response? Aid recovery? This approach helps organisations avoid tool sprawl and unnecessary complexity.
A Balanced Perspective on AI’s Role
Martin Borrett and Steve Kenniston brought two equally valuable perspectives to Control24. Martin’s talk highlighted the dual nature of AI and its potential to shape the future of security, while Steve reminded us of the enduring importance of strong fundamentals. Together, their messages underscored that a resilient cybersecurity strategy isn’t about choosing between innovation and basics; it’s about finding the balance that fits your organisation.
As Steve put it,
“AI is in your toolkit, but it’s not the whole toolkit.”
Control24 attendees left with both the excitement of AI’s possibilities and the reassurance that foundational principles remain as relevant as ever.
What will 2025 have in store for the world of Backup and Recovery? As ever, Predatar’s CEO Alistair Mackenzie has some thoughts and opinions. History tells us that his predictions are never far off the mark. So, let’s take a look at his perspective on the year ahead…
Author: Alistair Mackenzie
In 2025, the backup and recovery landscape will continue its shift toward becoming a core function of enterprise security operations. This trend, emerging in the mid-market, will accelerate across large enterprises as organisations recognise that data backup is no longer just an IT infrastructure task—it’s a critical line of defence against cyber threats. As backup systems increasingly fall within the domain of Security Operations Centres (SOCs), the industry will see a series of transformative outcomes.
1. A Major Merger Between a Security and Backup Vendor
With backup now a security priority, the stage is set for a significant merger between a security and backup vendor. This groundbreaking partnership will affirm the need for seamless integration between backup and cybersecurity and act as a catalyst to further accelerate the convergence. As a result, enterprises will be able to simplify their stack and their resilience strategies.
2. New KPIs for Backup and Storage Administrators
The roles of backup and storage administrators will shift rapidly. Security-related key performance indicators (KPIs)—such as anomaly detection, data integrity validation, and ransomware recovery times—will complement traditional metrics like uptime and speed, reflecting the dual mandate of safeguarding and restoring data.
3. Recovery Assurance Cleanrooms Become Ubiquitous
As organisations prioritise recovery assurance, Recovery Cleanroom technology—dedicated environments for validating and recovering clean backups—will become more accessible and affordable. This ubiquity will make cleanrooms a standard feature in IT datacenters, reducing risk and boosting recovery confidence.
4. AI Dominates Backup and Recovery
The competition among vendors will increasingly revolve around artificial intelligence. AI-powered tools will automate backup administration, from anomaly detection to error remediation, dramatically reducing manual intervention and enabling IT teams to focus on strategic tasks.
5. Recovery Automation Embedded in SIEM and SOAR
Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms will integrate recovery automation workflows and runbooks directly. This will enable SOC teams to respond to incidents with rapid, automated recovery processes, reducing downtime and improving overall resilience.
Conclusion
As the boundaries between backup, recovery, and cybersecurity blur, organisations must prepare for a future where backup is at the heart of their security strategy. This convergence will drive innovation, reshape roles, and reinforce the critical link between resilience and security in enterprise IT.
Kick-start your convergence
Predatar’s AI-powered Recovery Risk report is a great way to get started. Quickly get insights into the performance of your backup environment from a security perspective, and see practical recommendations to improve your data resilience.
Why the Cohesity & Veritas Merger Will Kick-Start Other Big Moves in the Market
This week’s completion of the big merger between two of the major players in the backup and recovery space, Cohesity and Veritas, has sparked debate. Advocates argue that this move will accelerate innovation and deliver greater value to customers. Critics, on the other hand, foresee financial and organisational challenges leading to customer disruption as product portfolios are inevitably streamlined.
The truth lies somewhere in between. In the short term, legal and financial hurdles will delay noticeable market changes. And yes, customer impact will vary. Some will enjoy competitive pricing, new features, and faster innovation. Others, however, will face the expense and disruption of transitioning to alternative backup solutions.
Yet, this shake-up is ultimately necessary. The backup market has long been in need of transformation, and this merger is likely to be the catalyst.
Why Does the Backup Market Need to Change?
The backup and recovery market is overly fragmented and complex, leaving customers frustrated. With a mix of long-established vendors (e.g. IBM, HPE, Dell, Veritas, and Commvault) and newer cloud-native players like Druva, Rubrik, and Cohesity, there’s no single solution that fully meets diverse organisational needs.
Instead of competition driving value, the market forces buyers into lengthy and costly evaluations to identify the right combination of products. Many organisations bring in large consultancy firms for advice, further adding to the expense. Yet, even after all the due diligence, implementation often reveals gaps between expectations and reality, leaving buyers feeling let down, exposed, and significantly out of pocket.
Why More Mergers and Acquisitions Will Follow
This merger positions Cohesity and Veritas to deliver a more comprehensive solution. Other vendors now face a choice: either remain specialised and force customers to integrate multiple products, or combine forces to offer a unified proposition. Those who choose to go it alone may find it increasingly difficult to compete with the simplicity of a ‘one stop shop’ model.
While another merger of this scale may not happen immediately, we expect to see a wave of smaller mergers and acquisitions in the near future. These moves will likely blur the lines between backup, recovery, and security, as vendors aim to offer integrated platforms addressing multiple organisational challenges.
Good to Know
Whether you are already a Predatar customer, or you’re exploring recovery assurance solutions, it’s worth knowing that Predatar supports multiple backup and recovery technologies.
With all the twists and turns that are coming in the market, you can’t be certain which backup and storage products you’ll be using tomorrow, but you can have confidence that your recovery will be assured with Predatar.
At this year’s Control24 summit, we had the pleasure of hosting Martin Borrett, an IBM Distinguished Engineer and IBM Security’s Technical Director for UK&I.
Martin delivered a fascinating keynote, titled ‘AI for Security and Security for AI: Opportunity or Threat?’ It was one of the highlights of the event, touching on how artificial intelligence is transforming security practices and the tough questions we need to ask as we dive deeper into AI’s capabilities.
Martin’s presentation sparked a new way of thinking about AI in the context of security, and demonstrated that IBM is lifting the curtain on the usual ‘AI will save us’ narrative.
So back to the big question… Is AI an opportunity or a threat? Of course, the reality is that it is both. And that’s exactly the point we’re unpacking in this article.
The Benefits: AI as Our Best Defence?
Martin shared data from IBM’s latest Cost of a Data Breach report, underscoring the financial toll of data breaches, which now sits at an average of nearly $5 million per incident. However, organisations that have invested in AI-driven security saved an impressive $2.2 million on average per breach, thanks to faster detection, triage, and resolution times.
These are big numbers, and they explain why so many companies are increasingly turning to AI to support cyber security operations.
“Organisations using extensive amounts of security AI and automation saw the time to resolve a breach drop by 98 days,” Martin highlighted. That’s three months of headaches gone.
But just as AI helps us manage increasingly sophisticated threats, there’s a flipside we can’t ignore.
The Other Side: Are Cybercriminals Catching Up?
Martin touched on something many are reluctant to discuss. Cyber adversaries are experimenting with AI too. While they haven’t adopted it on a large scale yet, the rise of AI-driven phishing campaigns and retooling efforts are signs that attackers are laying the groundwork for an AI arms race.
“There’s a game of cat and mouse going on,” Martin said, acknowledging the ongoing battle between defenders and adversaries. “For now, the good guys are slightly ahead. But we can’t be complacent.”
In cybersecurity, assuming that we’ll stay one step ahead can be dangerous. Cybercriminals have always been quick to adopt technology, and as the tools they use become more accessible, we’re likely to see AI-driven attacks gain traction. So, the big question becomes: are we truly ahead, or just a step away from an AI-powered wave of cyber threats?
Securing AI: The Hidden Risk
Martin didn’t just talk about using AI to boost security; he pointed out that AI itself is a new risk. As more organisations adopt generative AI models, the integrity of these systems becomes a critical concern. Martin’s advice? Treat AI like any other sensitive asset and secure it from data poisoning, model theft, and unauthorised manipulation.
“As we think about securing AI, it’s important that we consider how to protect the data, the model, and the usage,” he said.
“Without trust and confidence, AI can’t succeed in the organisation.”
The problem is, these are vulnerabilities many organisations haven’t even begun to address. As companies roll out AI-powered systems, it’s easy to focus on the benefits without fully understanding the risks.
The Takeaway: A Proactive Stance
Martin’s session at Control24 was a wake-up call. Yes, AI has massive potential to boost security and streamline incident response, but it’s a tool—not a silver bullet. As he so rightly pointed out, “AI is both an opportunity and a threat.” And if we aren’t securing it with the same rigour we apply to other systems, we may be inviting new risks into our defences.
So, as we embrace AI, let’s ask ourselves: are we prepared for the new threats it could bring? Because in this game of cat and mouse, we can’t afford to be reactive. We need to think ahead, secure our models, and always stay one step ahead—not just of the attackers, but of our own assumptions. If you want to find out how Predatar is using AI to boost Recovery Assurance, contact us here.
The emerging cyber resiliency marketplace is evolving fast, and there are lots of new terms to get to grips with. As a market leader in cyber recovery cleanroom tech, we often get asked… “What’s the difference between a cyber recovery cleanroom and a cyber vault?” These two terms often get confused, and while they share some similarities, they are fundamentally different.
This article will explain:
• What each of these terms means
• How they are different
• Which one you need
Before we dive in, it’s worth noting that this article focuses on the concepts and high-level technology. It doesn’t dig into or promote any technology vendor’s solutions specifically.
What is a Cyber Vault?
A cyber vault is a highly secure, isolated environment designed to protect critical data from cyber threats such as ransomware, insider attacks, and other malicious activities. Its primary purpose is to ensure that organisations have a safe repository for their most sensitive or valuable data, which can be restored in the event of a breach or data corruption.
Think of it like a bank vault. Once your valuables are locked away they can’t be accessed by unauthorised parties. Anything you lock away will remain completely untouched and unchanged until you choose to access it.
To be classed as a cyber vault, a solution should have the following features or characteristics:
• Isolation and Air-Gapping: The cyber vault should be either physically or logically separated from the primary network, ensuring attackers cannot directly access it during a cyberattack. A physical air gap could be created by backing up a copy of your data to tape media and storing the tape in a vault, literally! If using connected storage, the access should be restricted by network segmentation.
• Immutable Backups: Data stored in the vault should be immutable, meaning it cannot be altered or deleted once written, safeguarding it from tampering.
• Multi-Factor Authentication (MFA) and Encryption: Strict access controls and data encryption are essential to protect the vault from unauthorised access.
Here’s the next common question: “Does a cyber vault give me cyber resilience?”
The answer: Not quite.
While immutable backups are a crucial component of cyber resiliency, they do not protect you from all possible events.
Immutable backups are safe from modification once stored, meaning they can’t be tampered with or encrypted by malicious actors once they are stored in your cyber vault. But they don’t protect against an initial infection.
If your primary systems are compromised before a backup is made, your backups will almost certainly become compromised too. This is particularly concerning for ransomware attacks, where the attack might go unnoticed for long periods. Essentially, undetected malware will be replicated into your vault, with the risk of reinfecting your systems if you need to run a restore from your vaulted data.
Restoring from immutable backups can also be a complex process, especially if recovery processes aren’t regularly tested. Some organisations struggle with recovering from immutable backups due to lack of familiarity with the specific tools or processes required. Therefore, the use of immutable storage may be restricted to a subset of data – usually the most critical assets.
What is a Cyber Recovery Cleanroom?
A cyber recovery cleanroom is also a secure, isolated environment – but its main purpose is to validate the cleanliness and recoverability of backup systems (including immutable snapshots) with the goal of minimising downtime during a data loss incident.
There are a variety of cyber recovery cleanroom solutions on the market and the prevailing trend shifts the emphasis from post-crisis recovery to proactive, automated, daily validation to help prevent attacks, and not just remediate the impacts. This means that a cleanroom is no longer a reactive ‘just in case’ investment – your cleanroom is a proactive weapon for both defence and response.
Unlike a cyber vault, where the whole purpose is that the data remains unchanged, data in your cleanroom is active. Your cleanroom is a location to run validation processes and in some cases, malware removal processes too.
Which Do You Need, A Cyber Vault or a Cyber Recovery Cleanroom?
It shouldn’t be an either/or decision. Both technologies deliver different benefits, and the most robust solutions for cyber resilience should incorporate the characteristics of both cyber vaults and cyber recovery cleanrooms. This customer story explains how a large utilities operator have deployed a cyber recovery cleanroom alongside their cyber vault solution.
For ultimate resiliency, mature organisations build secure storage and backup platforms that incorporate these 5 fundamentals:
• Keeping multiple copies of data (preferably three or more)
• Keeping an air-gapped copy of data
• Encrypting your most sensitive data
• Employing immutable copies to prevent corruption of data
• Using orchestration to recovery test and scan backup copies
For more information on the 5 fundamentals of cyber resilience check out the Recovery Gap eBook.
Start Your Journey to Greater Resiliency
If you want to boost cyber resilience in your organisation, a Recovery Risk Report is a great place to start. It’s an automated, AI-powered reporting tool, designed to quickly highlight vulnerabilities and uncover recovery risks in your backup environment without the need for costly, intrusive consultancy.
Predatar R17.2: Viper brings practical enhancements designed to strengthen resilience and recovery strategies for customers and partners alike. Building on the foundations of R17.0 and R17.1, this release focuses on expanding Predatar’s AI-driven capabilities and refining operational efficiency in key areas.
Two standout features define this release: expanded support for the Recovery Risk Report and significant improvements to our IBM FlashSystem Safeguarded Copy scanning. These enhancements aim to provide deeper insights, faster workflows, and better outcomes for backup environments.
Recovery Risk Report
The Recovery Risk Report has been extended to include Veeam, adding to the existing support for IBM Storage Protect, Storage Protect Plus, and Rubrik. This feature offers AI-powered analysis of backup environments, helping organisations identify risks such as security gaps, workload vulnerabilities, and architectural complexities. With insights delivered in hours, the report provides clear, vendor-neutral recommendations without requiring intrusive consultancy or significant internal resources.
For partners and managed service providers, the Recovery Risk Report is an invaluable tool. It enables fast and accurate benchmarking of client environments, offering actionable insights that help guide improvements in cyber resilience. This streamlined process delivers high value for clients, giving them clarity on their recovery risks at a fraction of the cost of traditional consultancy engagements. Starting at $999, the Recovery Risk Report provides an affordable, impactful way to engage clients while demonstrating expertise and driving deeper partnerships.
FlashSystem Scanning Enhancements
R17.2: Viper also introduces enhanced processes for IBM FlashSystem Safeguarded Copy scanning. These updates focus on streamlining how snapshots are mounted, tested, and securely removed from the CleanRoom environment after use. These improvements reduce complexity and improve efficiency, ensuring that Safeguarded Copy testing is as seamless and effective as possible.
Together, these features reflect our commitment to simplifying resilience. R17.2: Viper gives organisations the tools to uncover hidden risks, improve recovery confidence, and act decisively—all without unnecessary complexity or cost. For partners, it provides a straightforward way to deliver value and open new opportunities in the backup and resilience space.
Cyber recovery assurance is a relatively new concept, but it’s one that is quickly becoming essential for most organisations. Driven by the rapid evolution of cyber threats and a new generation of operational resilience regulations (including DORA, FISMA, PRA, and NIS2), cyber recovery innovation is thriving.
If you have evaluated the options but are struggling to get stakeholder buy-in or secure the budget for the technology you need, you are not alone. After all, it is not like your business hasn’t already invested extensively in security and business continuity projects.
As the title suggests, the purpose of this article is to help you build a business case for your cyber recovery project. We will quickly explore the ‘why’ of cyber recovery, but the focus will be more on answering the following questions:
• Which department should pay for a cyber recovery project – infrastructure, security, or business continuity?
• What does this solution replace in my existing security, storage, or disaster recovery arsenal?
• How do I justify this expenditure to my financial officer?
Why Cyber Recovery Matters
After the terrorist attack on the World Trade Center in 2001, many companies scrambled to build out mirrored datacenters. Prior to this event, it was mainly the banks who could justify the expense of synchronous replication to a second or third site. As the cost of storage came down, more industries followed suit.
Since then, the threat landscape has grown and morphed, but the methods of defence have not kept pace.
The traditional threats to business continuity haven’t gone away – fires, floods, power outages, and terrorist activity – but now you must plan for cyber incidents too. In a cyber attack scenario, replication only exacerbates the problem. In 2024, ransomware attacks increased both in frequency and sophistication. Cyber criminals have increasingly targeted high-value sectors such as critical infrastructure, healthcare, telecommunications, and financial services.
The Growing Importance of Backups.
The new threat of cyber attacks threw a spotlight on backup. Prior to this development, the backup market had started to move away from tape-based solutions – which were slow and difficult to manage – towards disk solutions. While this meant much faster recovery, it was at the expense of the ultra-safe, air-gapped tape copy – often stored in an off-site vault.
Suddenly, backup became part of the cyber problem. Threat actors were increasingly targeting backup repositories, and despite massive investment in security and disaster recovery, the ability of companies to avoid having to pay a ransom was actually decreasing. This represented a colossal return-on-investment failure of risk management.
While secure backup is critical, so is speed of recovery, so ‘rewinding’ to tape-based solutions, stored in off-site vaults, in underground bunkers, doesn’t solve the problem.
The rise of Recovery Assurance technologies has been driven by the need to guarantee that backups are safe and recoverable before they are called on in a crisis.
What is a Cyber Recovery Cleanroom?
Arguably the cornerstone of any Recovery Assurance solution, a cyber recovery cleanroom is quickly becoming a necessity for operational resilience in many organisations.
A cleanroom is a secure, isolated environment designed to proactively recover critical data and systems both before and after a cyber incident. It is physically or logically separated from the main IT infrastructure to ensure safety from malware and unauthorised access.
With a cleanroom, users can validate the integrity of data before restoring it, ensuring that only clean, uncompromised data is reintroduced to the network. For a deeper dive into Cyber Recovery Cleanroom solutions, read our guide.
Aligning Cyber Recovery Assurance with Business Goals
According to Sophos, the average ransom in 2024 is $2.73 million. That’s an increase of $1 million from 2023.
On top of the cost of the ransom itself, organisations also face loss of income, and reputational damage. The CrowdStrike outage in July 2024, which wasn’t even a malicious attack, led to a combined loss of $4.5 billion for the Fortune 500 companies. Read the Guardian article.
If the need to recover from backups is increasingly likely, any solution which increases the predictability, while also decreasing the time to recover, will clearly align with the business goals of continuity and operational resilience.
Next, we will start to look at building a business case, but before we do, consider that the average cost to run a datacentre for a medium-sized company is between $5m and $15m per year (based on a mid-sized Russell 2000 company).
A second datacentre is designed for the old threat landscape of high-impact, low-probability events. A recovery assurance solution is designed for both new and old threats and costs a fraction of traditional disaster recovery.
Quantifying the Financial Risks of Inaction
Step 1 – Calculate downtime cost
As a rule of thumb, the average cost of an hour of downtime for mid-sized businesses is $84,650, making prevention a high-priority investment. This cost varies dramatically across different industry sectors, so the first task in building a business case is to catalogue your applications and calculate the cost of an hour of downtime for each one.
Step 2 – Measure restore time
For each application add the time to restore from backup, assuming the backup is validated and safe to restore to production. Don’t know your restore time from backup? You are not alone. Organisations typically restore less than 1% of their data from backup in any given year.
A Recovery Risk Report can quickly give you insights into your backup environment and will help you understand the recovery time for each application.
Step 3 – Calculate Risk Premium
Map as many downtime-creating events as you can for which a recovery from backup might be required. Rank them based on likelihood and severity of impact. Examples include a localised server failure, datacentre power outage, database corruption, cyber or terrorist attack. Calculate the Risk Premium for each event. Here is an example:
Probability (P) is 1:50 in any given year, which is a 2% probability
Cost of event (C) is $1,000,000
The formula is Risk Premium = P x C
In this case the Risk Premium = 0.02 x $1,000,000 = $20,000
You could add more sophisticated techniques such as Quantitative risk analysis (QRA) or use Monte Carlo analysis, which considers many more variables and would be recommended for large projects.
Using this technique, or simply knowing your annual cyber insurance premiums, will help to present a business case to a CFO in language they understand. In the example above, if the solution costs $20,000 or less, you would expect little resistance from executives.
Step 4 – Create a Risk Matrix – Likelihood vs. Impact
Following on from Step 3, present the data in a Risk Matrix such as the one shown below.
Step 5 – Create a Cyber Resilience ROI matrix.
There is no single solution which can eliminate the risk of downtime from either a power outage or a cyber-attack. Building resilience is a journey. It’s about managing risk and taking a pragmatic approach to prioritisation. Some steps will be small, others will be much bigger.
Once you have identified the recovery gaps in your organisation, map them out on a cost vs impact matrix (example below).
In the final assessment, it’s a judgement call. For example, if a data breach is estimated to cost your company $5 million, is an additional investment of $200,000 in a cyber recovery cleanroom an appropriate one to dramatically reduce the impact?
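Steps 1 to 4 above carried through in Python, as an added example that is not part of the original article. The application catalogue, event probabilities and matrix cut-offs are constructed assumptions, and the Monte Carlo run (independent events, at most one occurrence of each per year) goes beyond the P x C formula to show what a 1-in-20 year looks like.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    cost_per_hour: float  # Step 1: cost of one hour of downtime, USD
    restore_hours: float  # Step 2: measured time to restore from backup

@dataclass(frozen=True)
class Event:
    name: str
    annual_probability: float  # Step 3: P, chance of occurring in a given year
    affected: tuple            # applications that must be restored from backup

# Constructed sample catalogue; every figure here is an assumption.
APPS = {a.name: a for a in (
    App("payments", 84_650, 12),
    App("erp", 40_000, 8),
    App("file-share", 5_000, 4),
)}
EVENTS = [
    Event("localised server failure", 0.20, ("file-share",)),
    Event("database corruption", 0.05, ("erp",)),
    Event("datacentre power outage", 0.04, ("payments", "erp")),
    Event("cyber attack", 0.02, ("payments", "erp", "file-share")),
]

def event_cost(event, apps=APPS):
    """C: hourly downtime cost x restore time, summed over affected applications."""
    return sum(apps[n].cost_per_hour * apps[n].restore_hours for n in event.affected)

def risk_premium(probability, cost):
    """Step 3: Risk Premium = P x C."""
    return probability * cost

def rank_events(events=EVENTS, apps=APPS):
    """Return (name, P, C, premium) rows, largest premium first."""
    rows = [(e.name, e.annual_probability, event_cost(e, apps)) for e in events]
    return sorted(((n, p, c, risk_premium(p, c)) for n, p, c in rows),
                  key=lambda r: r[3], reverse=True)

def matrix_cell(probability, cost, p_cuts=(0.02, 0.10), c_cuts=(250_000, 1_000_000)):
    """Step 4: place an event in a 3x3 likelihood/impact grid (cut-offs assumed)."""
    def band(value, cuts):
        return ("low", "medium", "high")[sum(value >= c for c in cuts)]
    return band(probability, p_cuts), band(cost, c_cuts)

def simulate_annual_loss(events=EVENTS, apps=APPS, years=20_000, seed=1):
    """Monte Carlo over independent events; returns (mean, 95th percentile) loss."""
    rng = random.Random(seed)
    pc = [(e.annual_probability, event_cost(e, apps)) for e in events]
    losses = sorted(sum(c for p, c in pc if rng.random() < p) for _ in range(years))
    return sum(losses) / years, losses[int(0.95 * years)]

if __name__ == "__main__":
    for name, p, c, premium in rank_events():
        print(f"{name:26} P={p:.0%} C=${c:>11,.0f} premium=${premium:>9,.0f} "
              f"cell={matrix_cell(p, c)}")
    mean, p95 = simulate_annual_loss()
    print(f"simulated mean annual loss ${mean:,.0f}, 95th percentile ${p95:,.0f}")
```

With these sample figures the summed risk premium is about $100,000 a year, while the simulated 95th-percentile year exceeds $1.3 million, which is the gap a single P x C figure hides.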
Whose budget is it anyway?
According to a Splunk article, since the pandemic, IT security spending has experienced notable growth as organisations adapt to increasing cyber threats and digital transformation challenges. Recent data indicates global year-over-year growth in security and risk management spending of 14.3% in 2024, reaching $215 billion, compared to $188.1 billion in 2023. This expenditure far outweighs the equivalent figures for the backup and recovery market. And yet, the cyber insurance premiums continue to rise – suggesting the return on this investment has been poor.
Where to allocate the budget for a cyber recovery assurance project depends on its primary objectives, who stands to benefit, and who will manage it.
The considerations below are based on implementing a Cyber Recovery Cleanroom. Arguably, the security team stands to benefit the most but here are some options to think about:
Infrastructure team (storage and backup). If the cleanroom will integrate with existing IT systems, ensure robust technical functionality, and automate manual backup administration tasks, assigning the budget to the infrastructure team is ideal. They can manage the hardware, software, and operational aspects efficiently.
Security (CISO). When the cleanroom is aimed at mitigating advanced cyber threats or meeting compliance standards, the security team should oversee the budget. This ensures alignment with threat response and regulatory requirements, making the cleanroom a critical cybersecurity asset.
Business Continuity (CFO / Compliance officer). For minimizing downtime and operational disruptions, the business continuity team is best suited to manage the cleanroom budget. This allocation could also help compliance officers meet regulatory requirements such as NIS2, DORA or GDPR. For a highly regulated business, a fine of 2% of revenue should be factored into any cost benefit analysis.
Ultimately, a cross-departmental approach provides the most comprehensive justification for the budget, ensuring alignment with technical, security, and business objectives.
How to get started?
If you are still struggling to get the commercial buy-in having followed the 5-step approach above, we suggest documenting your current recovery risks to provide additional evidence to support the business case. Predatar’s Recovery Risk Report evaluates vulnerabilities in recovery processes, identifying gaps in backup integrity, disaster readiness, and cyber resilience. This tool quantifies potential risks and impacts, enabling organisations to justify investment in cyber recovery assurance by demonstrating tangible benefits in operational continuity and reduced risk exposure.
Conclusion: Investing in Confidence and Resilience
Building a business case for cyber recovery assurance requires aligning its value with organisational goals like operational resilience, data integrity, and regulatory compliance. By quantifying downtime costs, assessing recovery times, and evaluating risks, buyers can clearly demonstrate the financial and operational benefits. Assigning responsibility—whether to infrastructure, security, or business continuity teams—depends on the project’s primary objectives and impact areas. Ultimately, a collaborative approach ensures the investment supports both technical needs and strategic priorities, reducing risk and enhancing preparedness for evolving cyber threats. Use tools like Predatar’s Recovery Risk Report to strengthen your case with actionable insights.
For the IT Channel, evolution isn’t just a buzzword; it’s the difference between thriving and going out of business. For OneTeam IT, an Australian reseller and MSP that has risen to become a Predatar APEX Partner, the journey has been one of resilience, reinvention, and a deep understanding of people and problems.
Predatar Founder & CEO, Alistair Mackenzie managed to speak to Kon as he was high-tailing it out of Brisbane to escape the supercell storms which were threatening to batter the Queensland coast. Not so much the “Sunshine State” that day but it did seem to be an appropriate scenario to be talking about resilience with this 40-year IT industry veteran.
From IBM to OneTeam: Building Credibility from Scratch
Kon’s journey began at IBM, where, at the age of just 21, he was tasked with selling mainframes to senior government officials. Armed with a prestigious business card and good old-fashioned IBM training, he gained firsthand experience in earning credibility without an established track record.
At 25, Kon helped to launch the reseller, Sundata, and found the transition from Big Blue was anything but easy. The memory of that time prompted my first question for Kon: “How do you build trust when you’re starting from zero?” Imagine the stress and pressure he faced from his fellow board members, who waited 18 months for him to land his first significant deal. But that was 18 months of building trust with prospects, many of whom are still doing business with him today at OneTeam IT.
Kon explained that making the transition from reseller to service provider sometimes feels like starting again from zero. But it all starts with building trust with prospects and customers.
“Tell Me Where It Hurts”
Kon outlined a fundamental principle of the company’s trust-building approach, starting with the customer’s pain points.
“It’s like going to the doctor,” Kon says. “The first thing you ask is, ‘Where does it hurt?’ People love to talk about their challenges, and if you genuinely listen, you’re halfway to solving the problem.”
This consultative approach isn’t about flashy presentations or sales tricks. It’s about having the courage to delve into areas that might initially seem beyond your expertise. As Kon puts it, “If I don’t know the answer, I’ll go find it. But I’ll always tell the customer honestly whether we can help or not. Wasting their time would be wasting my own.”
This ethos resonates throughout OneTeam’s culture, where fostering meaningful conversations has been the key to building long-term trust with clients.
The IT Industry – Then and Now
Reflecting on the industry’s evolution, Kon notes that the channels for building relationships have changed dramatically. “Forty years ago, you’d pick up the phone, and people answered. Now, we’re competing with voicemail, email filters, and endless distractions,” he explains.
Yet, the core of the business remains the same: understanding the customer’s needs. And while the tools and strategies have evolved, Kon believes that authenticity and persistence are timeless.
Mentoring the Next Generation
OneTeam’s journey is also about passing the torch. Kon mentors MBA students and aspiring entrepreneurs, many of whom are diving into the world of software-as-a-service startups.
“It’s inspiring to see their passion,” he says. “These young entrepreneurs aren’t necessarily drawn to the infrastructure side of IT like I was—they’re building cloud-based solutions from their garages. It’s a different world, but the same principles apply; solve real problems, build trust, and stay curious.”
Scaling the business with Managed Services
For OneTeam IT, a strategic pivot has been the move toward managed services—a shift driven by the need for sustainable, high-margin revenue. Managed services encompass everything from managing systems to providing backup services and other recurring contracted offerings.
Today, OneTeam is leveraging its partnership with Predatar to scale its backup-as-a-service offering, focusing on recovery assurance. Kon likens it to starting over but with decades of experience as a guide.
“It’s like launching a new business within the business,” he says. “The energy is different, but the lessons learned over 40 years help us avoid the blind alleys and focus on delivering real value.”
Addressing Customer Churn with Proactive Strategies
One of the significant hurdles for managed service providers (MSPs) is contract churn, often caused by customers underestimating the value of services once their IT environments are stabilised. As Kon explains, the phenomenon can feel like “a leaky bucket.” Customers initially approach MSPs to address pressing grievances, but as the provider resolves these issues, the customer may start questioning the necessity of the ongoing relationship.
To counter this, OneTeam IT employs a two-phase strategy:
1. Proactive Issue Mitigation: Before initiating a Managed Services Agreement (MSA), the company conducts an in-depth “take-on period” to address any major grievances upfront. This establishes a stable foundation for ongoing services, ensuring initial buy-in from the customer.
2. Continuous Optimisation: During the first six months, the team works to improve system efficiency and reliability, automating processes and gaining a deeper understanding of customer needs. This effort reduces costs and reinforces the value of the partnership.
This strategy creates the link between customer value and price, allowing OneTeam to offer a point of differentiation.
Lowering cost or dropping price?
A standout feature of OneTeam IT’s approach is its flexible pricing model. Recognising that customers appreciate transparency and fairness, Kon emphasises a commitment to lowering costs as systems stabilise.
“If you sign an MSA with us, we will commit to a reduction in cost for the same scope if you renew,” Kon says. This anti-inflationary approach not only builds trust but also demonstrates the company’s confidence in its ability to deliver value through automation, efficiency, and process improvements.
Shifting the Perception of Managed Services
Many customers perceive MSPs as expensive when compared to the costs of hiring in-house staff. According to Kon, this perception stems from a lack of understanding of the broader value MSPs provide. Talking data protection, he draws an analogy to a well-maintained house that can withstand storms versus relying on insurance to rebuild a flimsy house after damage, perhaps caused by one of those Queensland cyclones!
In this context, OneTeam IT positions its recovery assurance services not as “insurance” but as an investment in operational resilience. For instance, in backup and disaster recovery services, the emphasis is on ensuring data integrity and recoverability, rather than just selling a policy that covers potential losses. This shift from a cost-focused to a value-focused narrative helps customers appreciate the strategic importance of robust IT systems.
Tell them what you are doing. Then tell them again.
Effective communication is a cornerstone of customer retention for OneTeam IT. Kon highlights the importance of concise and impactful reporting to keep stakeholders informed of the value being delivered. “You don’t want to do it at a systems administrator level; you want to do it at a CIO or CEO level,” he asserts.
OneTeam IT’s service reports include:
Summaries of recovery testing outcomes.
Key performance indicators (KPIs) for metrics such as Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
Visual dashboards that clearly communicate system health and compliance.
Such transparency reassures customers that their IT environments are being managed effectively, addressing concerns from finance leaders who are inclined to question the value of every offering.
Driving Growth with Predatar
Predatar has been instrumental in transforming OneTeam IT’s operations. Its advanced dashboard capabilities allow OneTeam IT to provide customers with clear insights into their IT performance, including cleanroom recovery testing and adherence to SLAs. This level of visibility not only strengthens customer confidence but also aligns with the company’s goal of demonstrating continuous value.
Kon notes that tools like Predatar are particularly effective in illustrating the outcomes of disaster recovery tests and compliance with recovery metrics. These insights provide tangible evidence of the MSP’s effectiveness, helping to counter the misconception that IT services are merely a line item on the budget.
Conclusion
As customer expectations of MSPs continue to increase, OneTeam IT is proving that success lies not just in solving technical problems but in building trust, confidence, and resilience for its customers. With a clear vision and innovative strategies, OneTeam IT is well positioned to lead the industry into the future.
Is Your IT Channel Business Ready To Evolve?
More than 20 exceptional channel businesses are already on an evolution journey with Predatar. If your organisation has an ambition to deliver world-leading cyber resiliency services, get in touch to learn more about the APEX partner program.