Regulations Now Demand Proof You Can Recover – Are You Ready? Lessons from RKON & Elastio
Author
Zeen Rachidi
Date Published

When it comes to ransomware, the question is no longer “if” but “when.” At a recent expert panel hosted by RKON and Elastio, security leaders came together to explore one of the most mission-critical, yet frequently neglected, areas of cybersecurity: ransomware recovery.
The session featured a candid and practical discussion with:
- Gerard Onorato, CISO at RKON
- Greg Aligiannis, CISO at Elastio
With decades of frontline experience between them, these two security leaders unpacked what organizations are getting wrong about recovery, how attackers are evolving, and what every business should be doing to prove they can bounce back.
From Protection to Recovery: The Shift in Focus
Traditional cybersecurity strategies focus on keeping ransomware out of the environment. The realistic planning assumption today is that attackers are already inside, and that they target recovery infrastructure just as deliberately as production systems.
“Attackers are no longer just encrypting data,” explained Greg Aligiannis. “They're going after your backups first – disabling snapshots, exfiltrating encryption keys, and corrupting data quietly before pulling the trigger.”
The Most Dangerous Misconceptions
Gerard Onorato called out three major fallacies he regularly encounters:
- “Our SaaS providers cover us.” Companies often assume Microsoft, Google, or Salesforce will protect their data. In reality, those platforms operate a shared responsibility model: they commit to keeping the service running, and their contracts leave responsibility for the customer’s data, and for recovering it, with the customer.
- “We’ll have time to react.” The time from initial access to encryption has dropped from days to hours. Attackers move quickly and strategically.
- “We’ve backed up everything, so we’re safe.” Volume doesn’t matter if the backups are corrupted. Clean, current, and tested backups are the real benchmark of resilience.
Greg echoed this sentiment: “You're just storing corruption in an immutable vault if you don't know your backups are clean.”
The Three C’s of Recovery Readiness
Gerard shared a framework RKON uses to evaluate recovery maturity:
- Clean: Are backups continuously scanned for data corruption and ransomware compromise?
- Current: Are restore points recent, and have they been tested successfully?
- Controlled: Are backup credentials secured and separated from production identities, backups air-gapped and immutable, and access to the recovery environment tightly segmented?
This simple model gives executives and boards an easy way to understand recovery posture.
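The first two C’s can be checked by machine. The following script is an added example, not RKON’s or Elastio’s tooling: it records a SHA-256 per backup object in a manifest, authenticates the manifest with an HMAC key held by the recovery team rather than the backup writer (the one piece of “Controlled” the script itself embodies), and then evaluates “Clean” (manifest authentic, every object matches its hash, nothing missing or unlisted) and “Current” (newest restore point within RPO, a successful restore test within the test window). The backup objects, key, timestamps, RPO and test window are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Hypothetical key for this example. It must live outside the backup write
# path (e.g. with the recovery team), so an attacker who can rewrite backups
# cannot also re-authenticate the manifest.
VERIFIER_KEY = b"example-verifier-key-kept-off-the-backup-path"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _mac(body: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding of the manifest body."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(objects: dict, taken_at: datetime, key: bytes) -> dict:
    """Record one hash per backup object and authenticate the whole list."""
    body = {"taken_at": taken_at.isoformat(),
            "objects": {name: sha256(data) for name, data in objects.items()}}
    return {**body, "mac": _mac(body, key)}


def check_clean(objects: dict, manifest: dict, key: bytes):
    """'Clean': manifest is authentic and every object matches its recorded hash."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    if not hmac.compare_digest(_mac(body, key), manifest["mac"]):
        # Stop here: a rewritten manifest makes every hash in it untrustworthy.
        return False, ["manifest MAC mismatch: manifest may have been rewritten"]
    problems = []
    for name, digest in manifest["objects"].items():
        if name not in objects:
            problems.append(f"{name}: listed in manifest but missing from backup set")
        elif sha256(objects[name]) != digest:
            problems.append(f"{name}: content does not match manifest hash")
    for name in objects:
        if name not in manifest["objects"]:
            problems.append(f"{name}: present in backup set but not in manifest")
    return not problems, problems


def check_current(manifest: dict, last_test_ok_at, now: datetime,
                  rpo: timedelta, max_test_age: timedelta):
    """'Current': newest restore point within RPO and a recent successful restore test."""
    taken = datetime.fromisoformat(manifest["taken_at"])
    problems = []
    if now - taken > rpo:
        problems.append(f"restore point is {now - taken} old, exceeds RPO of {rpo}")
    if last_test_ok_at is None or now - last_test_ok_at > max_test_age:
        problems.append(f"no successful restore test within the last {max_test_age}")
    return not problems, problems


def assess(objects, manifest, key, last_test_ok_at, now, rpo, max_test_age) -> dict:
    clean, p1 = check_clean(objects, manifest, key)
    current, p2 = check_current(manifest, last_test_ok_at, now, rpo, max_test_age)
    return {"clean": clean, "current": current, "problems": p1 + p2}


def run_demo() -> dict:
    """Constructed scenarios: an intact set, two attacks on it, and an untested set."""
    now = datetime(2024, 6, 1, 6, 0, tzinfo=timezone.utc)
    taken = now - timedelta(hours=4)
    rpo, test_window = timedelta(hours=24), timedelta(days=7)
    last_test = now - timedelta(days=2)
    objects = {"db.dump": b"constructed sample dump\n", "config.tar": b"constructed config\n"}
    manifest = build_manifest(objects, taken, VERIFIER_KEY)
    results = {"intact": assess(objects, manifest, VERIFIER_KEY, last_test, now, rpo, test_window)}
    # Attacker quietly overwrites one object after the manifest was recorded.
    corrupted = {**objects, "db.dump": b"ciphertext garbage"}
    results["corrupted_object"] = assess(corrupted, manifest, VERIFIER_KEY, last_test, now, rpo, test_window)
    # Attacker also rewrites the manifest to match, but lacks the verifier key.
    forged = {**manifest, "objects": {**manifest["objects"], "db.dump": sha256(corrupted["db.dump"])}}
    results["rewritten_manifest"] = assess(corrupted, forged, VERIFIER_KEY, last_test, now, rpo, test_window)
    # Backup is intact but no restore test has ever succeeded.
    results["untested"] = assess(objects, manifest, VERIFIER_KEY, None, now, rpo, test_window)
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: clean={result['clean']} current={result['current']} {result['problems']}")
```

The third C, Controlled, is a property of who can reach the vault and with which identity, so it is audited against access policy rather than computed from the data; the key separation above is the only part of it a verification script can enforce on its own.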
Why Recovery Belongs in Zero Trust
Zero Trust is more than a buzzword: it’s a necessary mindset shift. Greg and Gerard agreed that Zero Trust must extend to backup environments, not just production systems.
“Backups are often treated as a ‘trusted zone,’” Greg warned. “That’s a huge mistake. The same access controls, segmentation, and monitoring you apply to your apps and users must also apply to recovery infrastructure.”
Compliance + Recovery: The New Reality
Regulators, insurers, and boards are demanding proof of recoverability, not just claims.
- SEC disclosure rules require public companies to report a cybersecurity incident on Form 8-K within four business days of determining it is material.
- Cyber insurers are adding policy conditions that can void coverage if recovery testing isn’t documented or performed regularly.
- CISOs increasingly face personal liability for misstatements about ransomware preparedness.
Greg urged companies to automate recovery drills and reporting so compliance is continuous and auditable. “This isn’t about check-the-box exercises. It’s about real resilience.”
Making the Case to the Board
When presenting to the board, both speakers emphasized focusing on business impact over tools:
- What is the cost per hour of downtime?
- How many critical assets meet their recovery objectives (RPO and RTO)?
- What percentage of backups are clean and tested?
“If you want board buy-in,” said Gerard, “talk about how many of your critical business functions are covered – and how many aren’t. They will ask why.”
If You Could Start Over, What Would You Do Differently?
When asked what they would do differently if they could build their ransomware programs from scratch, the answers were aligned:
- Gerard: Start with recovery reliability. Design end-to-end security, telemetry, and identity segmentation, starting at the backup layer.
- Greg: Make recovery central, not peripheral. Treat it as a primary control, not a safety net. Build with breach assumptions, not blind optimism.
Final Words of Wisdom
To wrap the session, the panelists shared the one lesson they wished they had taken more seriously earlier in their careers:
- Gerard Onorato: “Assume your controls will fail. Test more. Be less optimistic.”
- Greg Aligiannis: “Backups are only helpful if you know they’re clean. Treat recovery testing like phishing simulations or red teaming: it’s a first-class security discipline.”
Closing Thoughts
Ransomware is a business risk with real-world consequences for operations, compliance, and reputation.
If your recovery plan hasn’t been validated, stress-tested, and embedded in your Zero Trust framework, it’s not a plan; it’s a prayer.
Thanks to RKON and Elastio for a candid, practical, and timely conversation on what it takes to truly prove recovery.
Check out the whole recording.