[Figure: cycle diagram showing the four phases of cyber resilience: prevent, detect, respond, recover]
Cyber Resilience Incident Response Strategy

Cyber Resilience: Why Prevention Alone Is Not Enough


Key Takeaways

  • 89% of German companies experienced data theft or security incidents in the past three years (PwC Digital Trust Insights 2026) — organisations relying solely on prevention are unprepared
  • Cyber resilience requires three equally important pillars: prevention, detection and response, and recovery — neglecting any one creates a critical gap
  • An incident response plan must be practised at least twice a year in tabletop exercises — a document filed in a SharePoint folder is not a response capability
  • A backup that has never been tested is worthless in an emergency — at minimum one annual full recovery exercise is required
  • Microsoft Sentinel offers a low-barrier entry point into centralised security monitoring for organisations already in the Microsoft ecosystem

The idea that all cyberattacks can be prevented is outdated. According to the PwC Digital Trust Insights 2026, 89 percent of German companies have been affected by data theft or other security incidents in the past three years. Companies that rely solely on defence are unprepared for the inevitable.

What cyber resilience means

Cyber resilience describes a company’s ability to withstand security incidents without lasting disruption to business operations. The concept supplements traditional prevention with two additional pillars: detection and response, and recovery.

Prevention remains important. Firewalls, access controls, and hardened systems reduce the attack surface. But no preventive measure offers complete protection. What matters is what happens when an attacker gets through despite your defences.

The three pillars in practice

Prevention covers the measures you are likely already familiar with: multi-factor authentication, endpoint protection, patch management, and employee training. These measures reduce the likelihood of a successful attack.

Detection and response means your company can identify an ongoing attack and contain it. This requires centralised security monitoring (SIEM), defined detection rules, and an incident response plan that specifies who does what in an emergency. For many mid-sized companies, a full Security Operations Centre (SOC) is not economically viable. Managed detection and response services or targeted use of Microsoft Sentinel can be a pragmatic alternative.

Recovery ensures your company remains operational after an incident. This includes tested backup concepts, documented recovery procedures, and crisis communication plans. A backup that has never been tested is worthless in an emergency.

Which measures deliver the greatest impact

For a mid-sized company, we recommend starting with three concrete steps:

First, create an incident response plan. Define who makes decisions during a security incident, who is informed internally and externally, and what immediate technical measures are taken. This plan does not need to be a hundred pages long, but it must exist and be known to all stakeholders.

Second, test your backups. What matters is not the existence of backups but the ability to restore systems within a defined timeframe. Conduct a recovery exercise at least once a year.

Third, establish centralised security monitoring. Without monitoring, you cannot detect an ongoing attack. Microsoft Sentinel offers a low-barrier entry point for companies in the Microsoft ecosystem.
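The "defined detection rules" named under detection and response, and the monitoring step above, are easier to judge once you have seen one rule run. The following is an added example, not code from the original article and not a Microsoft Sentinel analytics rule: it applies a single constructed rule to a handful of constructed syslog-style authentication lines, flagging any source that produces five or more failed logons within 60 seconds and then logs on successfully. The line format, the threshold, the window and the sample addresses are all assumptions chosen for illustration; in a SIEM the same logic would be written as a scheduled query over the collected events.

```python
"""Minimal detection rule run over constructed authentication log lines.

Added example, not code from the original article. Assumptions:
- a syslog-like line format, constructed below (not real logs)
- a hypothetical rule: >= FAIL_THRESHOLD failed logons from one source
  within WINDOW, followed by a successful logon from that source
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs, not real hosts).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z auth sshd: Failed password for admin from 203.0.113.7
2024-05-01T08:00:03Z auth sshd: Failed password for admin from 203.0.113.7
2024-05-01T08:00:05Z auth sshd: Failed password for admin from 203.0.113.7
2024-05-01T08:00:07Z auth sshd: Failed password for admin from 203.0.113.7
2024-05-01T08:00:09Z auth sshd: Failed password for admin from 203.0.113.7
2024-05-01T08:00:12Z auth sshd: Accepted password for admin from 203.0.113.7
2024-05-01T08:10:00Z auth sshd: Failed password for alice from 198.51.100.4
2024-05-01T08:10:30Z auth sshd: Accepted password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

FAIL_THRESHOLD = 5          # assumed tuning value
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one log line into (timestamp, result, user, source) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce_then_success(log_text):
    """Return one alert dict per source whose failure burst ended in a success."""
    recent_failures = defaultdict(deque)   # source -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue   # a production pipeline should count unparsed lines, not hide them
        ts, result, user, src = parsed
        window = recent_failures[src]
        # Slide the window: forget failures older than WINDOW relative to this event.
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if result == "Failed":
            window.append(ts)
        elif result == "Accepted" and len(window) >= FAIL_THRESHOLD:
            alerts.append({
                "src": src,
                "user": user,
                "failures": len(window),
                "at": ts.isoformat(),
            })
            window.clear()   # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_LOG):
        print("ALERT", alert)
```

Run against the constructed lines, the rule raises exactly one alert, for the burst from 203.0.113.7, and stays silent for the single failure before alice's logon. That is the point of a defined rule: the threshold and window are decided in advance, documented, and tuned against your own baseline, so that the alert an on-call responder receives is something the incident response plan already tells them how to handle.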

Recommendation

Cyber resilience is not a project with a fixed end date but an ongoing responsibility. The first step is an honest assessment: How quickly would you notice an ongoing attack? How long would it take to restore operations? The answers to these questions reveal where the most urgent action is needed.

Frequently Asked Questions

What is the difference between cyber resilience and traditional IT security?

Traditional IT security focuses primarily on prevention: firewalls, access controls, patch management. Cyber resilience adds the ability to detect an ongoing attack, contain it, and recover business operations afterwards. The critical difference is the question: What do we do when prevention fails?

Do we need a Security Operations Centre (SOC) to achieve cyber resilience?

Not necessarily. A full internal SOC is not economically viable for most mid-sized organisations. Managed Detection and Response (MDR) services or Microsoft Sentinel can fulfil the same detection function at a fraction of the cost without building an in-house analyst team. The key is having some form of continuous monitoring in place.

How often should backup recovery actually be tested?

A full recovery exercise should take place at least once a year — not just a backup verification run, but an actual restoration of critical systems. This exercise often reveals for the first time that the defined Recovery Time Objectives are not achievable in practice. Without testing, the RTO is only an estimate.
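The recommendation "test your backups" under the three concrete steps and the RTO point in this answer share one measurable core: restore from the backup, check that what came back is what was backed up, and time the whole step against the RTO. The script below is an added example, not code from the original article or from any backup product. It builds a small constructed data set, records a manifest of file hashes at backup time, restores the archive into a fresh directory, compares every file against the manifest and reports whether the restore finished within the assumed RTO. The tar-based backup, the manifest format and the 30-second RTO are assumptions for illustration; the `tamper` switch simulates a backup job that captured a truncated file, which is exactly the kind of failure a verification run never shows and a restore exercise does.

```python
"""Backup restore exercise: restore, verify against a manifest, time against the RTO.

Added example, not code from the original article. Assumptions:
- backups are gzip tar archives (constructed here)
- a manifest of sha256 hashes was recorded when the backup job ran
- the RTO is a plain number of seconds supplied by the caller
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir):
    """Relative path -> sha256 for every file under source_dir (taken at backup time)."""
    source_dir = Path(source_dir)
    return {str(p.relative_to(source_dir)): sha256_of(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Archive files individually with relative names, so nothing depends on '.' entries."""
    source_dir = Path(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=str(p.relative_to(source_dir)))


def restore_and_verify(archive_path, manifest, rto_seconds):
    """Restore into a fresh directory, compare hashes to the manifest, time the whole step."""
    start = time.monotonic()
    restore_dir = Path(tempfile.mkdtemp(prefix="restore-"))
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            # The 'data' filter rejects absolute paths and '..' traversal in members.
            tar.extractall(restore_dir, filter="data")
        except TypeError:   # Python versions without the filter argument
            tar.extractall(restore_dir)
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != expected:
            corrupted.append(rel)
    elapsed = time.monotonic() - start
    return {
        "verified": len(manifest) - len(missing) - len(corrupted),
        "missing": missing,
        "corrupted": corrupted,
        "elapsed_seconds": elapsed,
        # A restore that is fast but incomplete does not meet the objective.
        "within_rto": elapsed <= rto_seconds and not missing and not corrupted,
    }


def run_exercise(rto_seconds=30.0, tamper=False):
    """Whole drill on constructed sample data; tamper=True simulates a truncated file."""
    work = Path(tempfile.mkdtemp(prefix="drill-"))
    source = work / "source"
    (source / "db").mkdir(parents=True)
    (source / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'demo');\n")
    (source / "config.ini").write_text("[app]\nmode=prod\n")
    manifest = build_manifest(source)          # what we believe we backed up
    if tamper:
        (source / "db" / "orders.sql").write_text("")   # backup job captures a damaged file
    archive = work / "backup.tar.gz"
    create_backup(source, archive)
    return restore_and_verify(archive, manifest, rto_seconds)


if __name__ == "__main__":
    print("clean backup:", run_exercise())
    print("damaged backup:", run_exercise(tamper=True))
```

The result dictionary is what a drill report should record: files verified, files missing or corrupted, elapsed time, and a single pass/fail against the RTO. Note that `within_rto` is false whenever content is missing or wrong even if the clock was met, because an RTO is a commitment to restored service, not to finished copying. On a real system the timed span also has to include locating the media, obtaining credentials and bringing the application up, which is usually where the estimate and the measurement part ways.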

What must an effective incident response plan include?

An effective plan defines clear roles with named deputies, a severity model with tiered response requirements, communication templates for internal and external audiences, escalation paths, and a binding exercise schedule. Ten to twenty pages is sufficient for most mid-sized organisations — clarity matters more than completeness.