Cyber resilience lessons from recent attacks
29 September 2025 • 23 min read

Defining Cyber Resilience in Critical Infrastructure
Cyber resilience is an organization’s ability to prepare for, respond to, and recover from cyberattacks or other disruptions while maintaining essential operations. Unlike traditional cybersecurity, which focuses on preventing breaches, cyber resilience emphasizes continuity of critical services even when defenses are penetrated. This concept is especially vital for critical infrastructure sectors – banking, healthcare, and government services – where a cyber incident can have cascading effects on society. Resilience to cyber attacks is essential to these sectors’ ability to continuously deliver their intended outcomes despite crises. In recent years (2020–2025), high-profile cyber incidents have stress-tested the resilience of banks, hospitals, and public agencies. The following cases illustrate how organizations responded, what went wrong or right, and what lessons cybersecurity professionals can draw about prevention, continuity, recovery, and coordination.
Cyber Resilience Under Pressure
Banks underpin financial stability, so cyber attacks on banking systems are high-stakes. A notable example occurred in Chile: BancoEstado, one of Chile’s largest banks, suffered a ransomware attack over a weekend in September 2020. The malware, attributed to the REvil gang, entered via a malicious Office document opened by an employee. Once inside, the ransomware encrypted the vast majority of internal servers and workstations, effectively paralyzing the bank’s internal network. In response, BancoEstado shut down all branches the next business day as a containment measure. Despite this disruption, the bank’s critical customer-facing services were segmented on separate networks – its website, mobile banking app, ATMs, and online portal remained unaffected and operational during the incident. This network separation limited the attack’s impact and allowed customers to continue accessing basic services even while branch offices stayed offline. BancoEstado promptly alerted law enforcement and regulators; after the bank reported the attack, the Chilean government issued a nationwide cybersecurity alert to other private-sector institutions. This case highlights how segmented networks, clear incident response actions, and coordination with authorities can contain damage and preserve continuity in the banking sector.
Other banks have taken different approaches when faced with ransomware. In 2022, the Bank of Zambia, the country’s central bank, found some of its systems encrypted by the Hive ransomware. Rather than pay the ransom, bank officials were confident their core banking services were uncompromised and backups were intact. In a defiant (if unorthodox) response, a Bank of Zambia representative mocked the attackers in the online negotiation chat – even posting an explicit image – to make it clear they would not be paying. A technical director confirmed the bank had protected its critical systems, so “it was not necessary to engage with the threat actors,” and they “pretty much told them where to get off,” i.e. refused to give in. While this combative response may not suit every organization, it underlines a key aspect of resilience: if robust safeguards and recovery capabilities are in place to keep critical functions running, an organization can avoid capitulating to extortion. Many financial institutions, rather than relying on bravado, invest in proactive resilience measures – for example, global banks have even modeled doomsday ransomware scenarios to rehearse response plans. The banking sector’s takeaway is that preparation and segmentation can keep core services alive under attack, and a well-drilled response (including law enforcement liaison and public communication) is crucial for maintaining customer trust and financial stability.
Life-and-Death Resilience Challenges
In healthcare, cyber resilience is literally a matter of life and death. Modern hospitals and health systems rely on digital records, networked medical devices, and real-time coordination. When those systems go down, patient care can be jeopardized. A sobering example came in September 2020 at University Clinic Düsseldorf in Germany. A ransomware attack crippled the hospital’s IT — all 30 servers were affected and critical systems crashed. Hospital staff could not access digital patient records and had to redirect emergency patients elsewhere. Tragically, one woman in a life-threatening condition was diverted 20 miles away to another hospital, causing a one-hour treatment delay; she later died, in what was reported as the first fatality linked to a ransomware attack on a hospital. German police contacted the hackers and informed them they had hit a hospital (the attackers apparently thought they were targeting a university). The attackers then provided a decryption key for free and disappeared, showing some level of remorse. However, even after getting the decryption tool, the hospital could not instantly resume normal operations – emergency care remained diverted and many services were suspended for at least a week. This incident underscored that even brief downtime can endanger lives, and that recovery is never immediate even if attackers retreat. It also highlighted the importance of having backup plans (like manual workflows or alternate hospitals) when medical IT fails.
A larger healthcare cyber crisis struck Ireland in May 2021, when the Health Service Executive (HSE) – Ireland’s nationwide public health system – suffered a massive Conti ransomware attack. In the early hours of May 14, 2021, ransomware began encrypting servers across HSE’s networks, ultimately hitting about 80% of its IT environment. Out of caution, the HSE took the unprecedented step of shutting down all IT systems nationwide, which forced hospitals to cancel outpatient appointments, delay procedures, and revert to paper records. It was the most significant cyberattack on an Irish state agency in history, disrupting diagnostics, radiology, and other critical services in the middle of the COVID-19 pandemic. The HSE – with backing from the Irish government – refused to pay the ransom. Approximately one week later, the Conti gang unexpectedly provided a decryption key for free, but continued to demand payment to prevent data leaks. Even with the decryption tool, the recovery was painfully slow: it took four months to fully restore 100% of HSE servers and almost all applications. In the meantime, sensitive patient and staff data stolen in the attack did start circulating online. The cleanup and restoration costs ran into hundreds of millions of dollars.
Why was the impact so severe? Post-incident analyses revealed that HSE had major gaps in its cyber preparedness. An independent review found a “very low level of cybersecurity maturity” at HSE: there was no single executive in charge of cybersecurity, no dedicated cyber incident response plan, inadequate network monitoring, outdated systems lacking patches, and over-reliance on one antivirus product that wasn’t even properly updated. In fact, alerts of the attackers’ activity were missed or not acted upon in the weeks before the detonation of the ransomware. These failures meant the HSE was unprepared to detect and contain the intrusion early, and once ransomware struck, it had to rely on external experts and improvisation to recover. The HSE case illustrates a brutal lesson: prevention and preparation cannot be neglected. If basic security controls (like timely patching, centralized monitoring, and incident response planning) are lacking, even a large organization can be brought to its knees. Conversely, having robust offline backups, well-practiced contingency plans (such as procedures for manual operation), and a clear chain of command for cyber crises can dramatically improve resilience. Healthcare providers worldwide have taken note; as the U.S. Department of Health and Human Services observed, the HSE attack showed that health systems must prepare for ransomware with strong governance and backups, because without preparation the recovery can be “long and expensive”.
Government Services Under Cyber Fire
Government agencies and public services have also been prime targets of cyber aggression in recent years. Unlike private companies, governments must safeguard critical civic functions – from tax collection to utilities – often under constrained budgets and with legacy technology. A dramatic example unfolded in Costa Rica in 2022, essentially a multi-agency cyber disaster. Starting April 17, 2022, the Conti ransomware gang launched attacks on nearly 30 government institutions, including the Ministry of Finance, the Ministry of Labor, the national health insurance fund, customs and social security systems, and more. The group stole data and demanded multimillion-dollar ransoms (initially around $10 million) under threat of leaking tax records and other sensitive information. Costa Rica’s government, under newly inaugurated President Rodrigo Chaves, flatly declined to pay. As warned, the attackers escalated their campaign – crippling the country’s tax administration platforms and import/export logistics systems. These outages ground cross-border trade to a halt and were estimated to cost the Costa Rican economy on the order of $30 million per day in lost productivity. By May 2022, the situation was so dire that President Chaves declared a national state of emergency, calling the cyberattacks an act of “terrorism” and even saying the country was “in a state of war” digitally. Government websites showed only maintenance messages as agencies scrambled to rebuild systems. Conti, for its part, brazenly called for the overthrow of the government on its leak site while upping its ransom demand to $20 million.
With domestic capacity overwhelmed, Costa Rica turned to international partners for help. Cybersecurity teams from the United States, Spain, Israel, Microsoft and other allies were brought in to assist in incident response and system restoration. The U.S. government, noting that Costa Rica was hit by “some of the worst ransomware attacks any country had experienced,” promptly sent experts from the FBI’s incident response team and later committed $25 million in aid to improve Costa Rica’s cyber defenses and recovery efforts. Law enforcement also stepped in: the U.S. State Department offered bounties (up to $15 million) for information leading to the Conti perpetrators. Despite the chaos, Costa Rica’s refusal to pay held firm. Eventually the Conti group dissolved (partly due to infighting and global pressure after it publicly sided with Russia in the Ukraine conflict), though not before inflicting serious damage. A second ransomware gang (Hive) even opportunistically struck Costa Rica’s Social Security Fund in late May 2022, forcing that institution to shut down critical systems like its digital health records – compounding the crisis. Costa Rica’s ordeal underscores that government services need robust continuity plans: in this case, tax collection had to revert to manual methods and citizens experienced delays in services for months. It also highlighted the importance of international cooperation in responding to major cyber incidents. No single agency or country can handle a concerted cyber onslaught alone – swift help from foreign CERTs, private tech companies, and global law enforcement was instrumental in Costa Rica’s recovery. Today, Costa Rica is using the lessons learned to build a centralized Security Operations Center and strengthen coordination across agencies, aiming to ensure that future attacks can be detected and contained more rapidly.
Government cyber resilience was also tested in the United States in recent years. A high-profile example in early 2021 was the attempted cyber sabotage of a water treatment plant in Oldsmar, Florida. In February 2021, an unknown intruder gained remote access (via poorly secured TeamViewer software) to the city’s water facility controls. The hacker manipulated the chemical dosing settings, briefly increasing the amount of sodium hydroxide (lye) in the water supply to 100 times the normal level – a dose that could have poisoned residents. Fortunately, a plant operator noticed the mouse cursor moving on his screen in real time and saw the chemical settings being changed. He immediately reversed the command, and other safety mechanisms likely would have caught the change in time as well. No harm was done, but the incident rattled officials. It was a rare case of an attack aiming to directly harm civilians by contaminating infrastructure. The breach was traced to the facility’s IT network and inadequate network separation – the operational controls for the water system were accessible online. The FBI and Secret Service investigated, and the event became a case study in the importance of segmentation and secure remote access for industrial systems. As the local county sheriff summed up, “If you’re connected, you’re vulnerable,” emphasizing that critical control systems should not be exposed to the internet without strict safeguards. In response, the plant removed remote access software and authorities alerted other municipalities to harden their utilities. The Oldsmar incident highlights a unique aspect of public-sector cyber resilience: it’s not just about keeping services running, but also protecting public safety from deliberate digital sabotage. Ensuring that water, energy, and other utilities can fall back to manual control or autonomous safety overrides is a key resilience strategy in this domain.
Strategies for Cyber Resilience
Across these cases in banking, healthcare, and government, clear patterns emerge about what strengthens cyber resilience and what undermines it. Cybersecurity professionals in critical sectors should consider the following key strategies and lessons:
- Preventative Defense and Vigilance: Strong basic security hygiene can prevent many incidents or limit their impact. Email phishing was the entry point in several incidents (BancoEstado’s malware-laced document, HSE’s malicious Excel file), highlighting the need for ongoing user training and robust email filtering. Regular patching and updating of systems is critical – the German hospital attack exploited an unpatched software vulnerability, and HSE’s post-mortem found unpatched devices and outdated antivirus signatures that left doors open to attackers. Implementing multi-layered defenses (firewalls, network monitoring, endpoint detection, etc.) and keeping them tuned can help detect intrusions before they escalate. In the HSE case, there actually were alarms (antivirus detecting suspicious tools, hospitals noticing odd activity) days in advance, but lacking a coordinated response, those warnings weren’t effectively acted on. The lesson: early detection and swift response can save enormous pain – invest in SOC monitoring and ensure your team doesn’t ignore alerts. Additionally, segment your networks and apply least privilege principles: BancoEstado’s segmentation saved its consumer-facing systems, and in industrial settings like water plants, isolating operational technology is vital. Proper network architecture can prevent a breach in one area from cascading across an entire enterprise.
- Continuity Planning and Redundancy: Assume that at some point, defenses will be breached. Resilience means having plans to keep critical functions running even during an incident. Regularly update and test business continuity and disaster recovery plans. This includes maintaining offline, immutable backups of key data (and practicing restoring from them). Organizations should identify their most crucial services and ensure there are redundant ways to deliver them. For example, banks should have fallback communication channels to reach customers if online banking is down, and maybe even manual procedures at branches for critical transactions. Healthcare facilities must prepare “downtime procedures” – many hospitals now conduct drills where staff practice operating on paper forms and offline tools when systems are unavailable. The HSE attack showed the cost of not being ready: without a documented incident plan or an empowered crisis leader, the health service was forced to effectively shut down for days. By contrast, organizations that have thought through worst-case scenarios (like ransomware knocking out all servers) and have pre-planned workarounds will recover faster. Redundancy of infrastructure is also key: for instance, having backup servers on a segmented network, cloud failover systems, or reserve equipment can speed up restoration. In banking, critical transaction systems often have real-time replicas or alternate processing sites to ensure availability. The global financial sector even runs war-game exercises to rehearse operating under cyberattack conditions. The bottom line is to plan for failure so that an incident doesn’t mean total interruption of service.
- Incident Response and Recovery Capabilities: When an attack does occur, how you respond in the first hours can make all the difference. Every organization should have an incident response (IR) plan that defines roles, communication pathways, and decision authority during a cyber crisis. This plan should be rehearsed via tabletop exercises. As seen in multiple cases, decisive containment actions can limit damage: BancoEstado immediately closed branches to contain the ransomware spread and protect customers; the Oldsmar plant operator swiftly disconnected the compromised system. Your IR plan might include steps like isolating infected networks, taking critical systems offline to protect them (as HSE did, albeit reactively), and public communication strategies. Communication is part of response – being transparent yet reassuring can maintain public trust. BancoEstado tweeted updates promptly to inform customers, and officials in Florida held a press conference within days of the water hack to alert other cities. For recovery, backup integrity is king. Organizations that could restore from backups (or decryptors) without paying ransom tended to emerge more quickly and avoid funding criminals – for example, the Irish HSE was able to begin data restoration once they received decryption keys (though the lack of pre-planning slowed them). In contrast, organizations without viable backups face a terrible dilemma of prolonged outage or paying criminals. The clear lesson: regularly back up critical data and system images offline, and test those backups frequently to ensure they can be restored under pressure. Also, consider contractual relationships with incident response firms or consultants ahead of time – trying to assemble external help in the middle of a crisis wastes precious time. Many victims had to call in third-party experts on the fly; better to have those retainer agreements in place so help is immediate.
- Organizational Coordination and Leadership: Cyber resilience is not just a technical endeavor – it’s an organizational one. The importance of coordination and clear leadership came through strongly in these incidents. Internally, ensure that all stakeholders (IT, security, operations, executives, communications, legal) know their part in a cyber crisis. The absence of an executive-level cyber owner at HSE meant no one was clearly in charge when the attack hit, leading to chaos. Having a designated crisis manager or cyber resilience officer can provide direction when it’s needed most. Externally, coordination with law enforcement and industry peers can greatly enhance resilience. BancoEstado’s notification to police not only triggered government support, but likely helped in any criminal investigation. Law enforcement agencies (like the FBI, Interpol, etc.) can sometimes assist with threat intel, negotiating tactics, or even recovering funds (as seen when the U.S. FBI later clawed back part of a ransomware payment made by Colonial Pipeline in 2021). Information sharing within industry groups is also crucial: many countries have sectoral ISACs (Information Sharing and Analysis Centers) – e.g., FS-ISAC for financial services, H-ISAC for health – where organizations share threat warnings and best practices. These networks mean that if one bank or hospital is hit by a new malware strain, others can be alerted to shore up defenses. Cross-sector and international cooperation is another facet – the Costa Rica case demonstrated that a national crisis may require a global response coalition. Cyber professionals should build relationships with counterparts in government and other industries before incidents occur. In addition, public-private coordination (such as CISA advisories, joint drills between government agencies and companies) can improve readiness. Lastly, strong leadership commitment is needed to invest in resilience. Cyber professionals must advocate in peacetime for the resources to implement all the above – from training to backups – because when a crisis strikes, those investments pay off in spades.
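The continuity and recovery points above both come down to one question: can the backup actually be restored, and is it still intact? As an added example (not code from the article or from any organization it describes), the following Python script implements the "back up offline and test the restore" advice concretely. It assumes a simple backup layout of a directory plus a JSON manifest of SHA-256 digests (the manifest name and the sample files are constructed for the demo); verify_backup() reports missing, modified and unexpected files, and restore_test() performs a real restore into a scratch directory and re-checks every digest, so a restore drill is a scheduled run rather than an assumption.

```python
"""Backup integrity check and restore test (added example, not the article's own code).

Assumed layout: a backup directory of files plus MANIFEST.json mapping each
relative path to its SHA-256 digest, written when the backup is taken.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed manifest file name


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _files(backup_dir: Path) -> dict:
    """Map relative path -> Path for every regular file except the manifest."""
    return {p.relative_to(backup_dir).as_posix(): p
            for p in backup_dir.rglob("*") if p.is_file() and p.name != MANIFEST_NAME}


def write_manifest(backup_dir: Path) -> dict:
    """Record a digest for every file in the backup (run when the backup is made)."""
    manifest = {rel: sha256_of(p) for rel, p in sorted(_files(backup_dir).items())}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_dir: Path) -> dict:
    """Compare the backup's current contents with its manifest."""
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    present = _files(backup_dir)
    missing = sorted(set(manifest) - set(present))
    unexpected = sorted(set(present) - set(manifest))
    modified = sorted(rel for rel in manifest
                      if rel in present and sha256_of(present[rel]) != manifest[rel])
    return {"ok": not (missing or unexpected or modified),
            "missing": missing, "unexpected": unexpected, "modified": modified}


def restore_test(backup_dir: Path) -> dict:
    """Restore into a throwaway directory and verify the restored copy.

    A restore that fails here would fail during an incident too; run it on a schedule.
    """
    report = verify_backup(backup_dir)
    if not report["ok"]:
        return {"restored": False, "reason": "backup failed verification", **report}
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restore"
        for rel in manifest:
            dest = target / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(backup_dir / rel, dest)
        bad = [rel for rel in manifest if sha256_of(target / rel) != manifest[rel]]
    return {"restored": not bad, "files": len(manifest), "corrupt_after_restore": bad}


def demo() -> dict:
    """Build a constructed backup, run a restore test, then tamper with it and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "ehr").mkdir(parents=True)
        (backup / "ehr" / "patients.db").write_bytes(b"constructed sample record data")
        (backup / "config.yaml").write_text("constructed: true\n")
        write_manifest(backup)
        clean = restore_test(backup)
        # Simulate silent modification of one file and loss of another.
        (backup / "config.yaml").write_text("constructed: false\n")
        (backup / "ehr" / "patients.db").unlink()
        tampered = verify_backup(backup)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping the manifest with the backup is enough to catch accidental corruption; to catch deliberate tampering of an online copy, store a second copy of the manifest (or its digest) on the offline, immutable side so an attacker who can rewrite the backup cannot also rewrite the record of what it should contain.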
Recommendations for Sector-Specific Resilience
While the core principles of cyber resilience apply broadly, different sectors have unique challenges and priorities. Here are tailored recommendations for cybersecurity professionals in banking, healthcare, and government sectors:
Banking and Financial Services
- Bolster Defense in Depth: Ensure rigorous access controls and monitoring on all financial networks. Implement multi-factor authentication for employees and robust endpoint protection to prevent the kind of employee-initiated breach that hit BancoEstado. Regularly simulate phishing and train staff, as social engineering is a top threat to banks.
- Segment and Protect Critical Systems: Separate consumer-facing services (online banking, ATMs, payment systems) from internal networks and limit connectivity between them. Critical transaction systems should have redundant, isolated backups. If one channel is compromised, others can continue serving customers.
- Continuity of Operations: Develop and test contingency plans for keeping the bank running during IT outages. For example, outline manual procedures for clearing transactions or offline customer support if digital systems fail. Participate in industry cyber war-game exercises to practice crisis decision-making.
- Third-Party and Supply Chain Security: Financial institutions rely on many vendors (for payment processing, cloud services, etc.). Vet these partners’ security and include them in resilience planning. The 2020 SolarWinds breach (which impacted banks among others) showed supply chain attacks can bypass even strong internal security. Insist on timely patches and zero-trust principles for vendor connections.
- Information Sharing and Regulation Compliance: Leverage sector information-sharing groups (like FS-ISAC) to stay ahead of emerging threats and recommended mitigations. Ensure compliance with any regulatory requirements for operational resilience – for instance, many central banks now require financial institutions to meet standards for uptime and have incident response plans. Embrace frameworks like NIST CSF and ISO 22301 (business continuity) to structure your resilience program.
Healthcare Providers and Hospitals
- Network Segmentation and Device Security: Segment clinical networks (medical devices, diagnostic equipment) away from corporate IT networks to contain malware spread. Implement strict controls and monitoring on connected medical devices – many run outdated software, so use virtual network isolation, up-to-date anti-malware, and frequent vulnerability assessments to reduce risk.
- Emergency Response Drills: Conduct regular drills for “IT down” scenarios. Train staff on procedures for reverting to paper documentation, alternative communication methods (e.g. radios or phones if email is down), and diverting patients to other facilities. These rehearsals can save lives during a real attack. Develop protocols with regional healthcare partners to accept each other’s patients in an emergency.
- Backup Clinical Data Frequently: Maintain offline backups of electronic health records, lab systems, pharmacy systems, etc., and test restoring them. Time is critical in healthcare – aim for backups that can be restored within hours, not days. Include configuration data for medical devices in backups so that machines can be quickly re-imaged if wiped.
- 24/7 Monitoring and Rapid Containment: Given the frequent targeting of hospitals by ransomware gangs, ensure your security operations can detect intrusions at all hours. Use anomaly detection to spot unusual activity (e.g., a spike in file encryption or an admin tool like Cobalt Strike running unexpectedly). Prepare “safe shutdown” procedures for servers – in some cases, pulling the plug on certain systems may stop malware spread and preserve data in a ransomware attack.
- Patient Safety Focus: Include clinical leadership in cyber resilience planning. Decisions during an incident (like diverting ambulances or postponing surgeries) require medical judgment balancing patient risk. Have a communication plan for informing patients and the public if services are curtailed – transparency can reduce panic. Additionally, engage biomedical engineering teams to establish fail-safes on critical devices (for instance, insulin pumps or ventilators) so that if network control is lost, they default to safe modes.
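The monitoring recommendation above mentions spotting "a spike in file encryption". As an added example (not code from the article or from any hospital it describes), the following Python script shows what such a detector looks like over a file-server audit log. The log format, field names, thresholds and baseline extension list are all assumptions to tune for your own environment, and the sample log is constructed. It tracks two signals per (host, user) in a sliding window: a burst of create/write/rename operations, and many renames to one extension outside the baseline (mass re-extension). Either alone can be noisy; both from the same account in the same minute is the pattern a ransomware detonation produces, and the "safe shutdown" procedure is what you would trigger on it.

```python
"""Ransomware-style burst detection over file audit events (added example).

Assumed input: one event per line with key=value fields, e.g.
  2021-05-14T02:00:00Z host=fs01 user=svc_print op=rename path=/a/f.pdf -> /a/f.pdf.locked
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 60      # assumed sliding window
BURST_THRESHOLD = 20     # assumed: file operations per window per (host, user)
REEXT_THRESHOLD = 10     # assumed: renames to one unknown extension per window
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "db", "txt", "bak", "tmp"}  # assumed baseline
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: -> (?P<dest>\S+))?$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _trim(q, now):
    """Drop timestamps that have fallen out of the sliding window."""
    while q and (now - q[0]).total_seconds() > WINDOW_SECONDS:
        q.popleft()


def detect(lines):
    """Return alerts, one per (host, user, signal); input lines must be time-ordered."""
    ops = defaultdict(deque)                           # key -> timestamps of file ops
    reext = defaultdict(lambda: defaultdict(deque))    # key -> extension -> timestamps
    alerts, raised = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["op"] not in ("create", "write", "rename"):
            continue
        key, now = (ev["host"], ev["user"]), ev["ts"]
        q = ops[key]
        q.append(now)
        _trim(q, now)
        if len(q) >= BURST_THRESHOLD and (key, "burst") not in raised:
            raised.add((key, "burst"))
            alerts.append({"signal": "burst", "host": key[0], "user": key[1],
                           "at": now.strftime(TS_FMT), "ops_in_window": len(q),
                           "extension": None})
        if ev["op"] == "rename" and ev["dest"]:
            ext = extension(ev["dest"])
            if ext and ext not in KNOWN_EXTENSIONS:
                eq = reext[key][ext]
                eq.append(now)
                _trim(eq, now)
                if len(eq) >= REEXT_THRESHOLD and (key, "mass_reextension") not in raised:
                    raised.add((key, "mass_reextension"))
                    alerts.append({"signal": "mass_reextension", "host": key[0],
                                   "user": key[1], "at": now.strftime(TS_FMT),
                                   "ops_in_window": len(eq), "extension": ext})
    return alerts


def constructed_log():
    """Constructed sample: a clinician's normal saves plus one account re-extending files."""
    base = datetime(2021, 5, 14, 2, 0, 0)
    lines = []
    for i in range(5):   # benign: a few document saves spread over ten minutes
        ts = (base + timedelta(minutes=2 * i)).strftime(TS_FMT)
        lines.append(f"{ts} host=fs01 user=dr.ryan op=write path=/share/clinic/notes{i}.docx")
    for i in range(25):  # suspicious: one rename per second to an unknown extension
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{ts} host=fs01 user=svc_print op=rename "
                     f"path=/share/clinic/f{i}.pdf -> /share/clinic/f{i}.pdf.locked")
    return sorted(lines)   # ISO timestamps sort chronologically


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

On the constructed log the clinician's five saves never trip a threshold, while the service account raises the mass re-extension alert on its tenth rename and the burst alert on its twentieth, all within 20 seconds. In production the thresholds should be set from a baseline of normal file-server activity, and the alert should feed the containment step (isolating the host or share) rather than just a dashboard.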
Government Agencies and Public Services
- Assess and Harden Critical Infrastructure: Conduct thorough risk assessments of critical public services (water systems, power grid controls, emergency services dispatch, etc.) to identify vulnerabilities. Eliminate unnecessary internet connections to operational networks – use air-gapping or robust VPN with multi-factor auth for remote access when needed. In the Oldsmar water plant case, simply removing or securing remote desktop software could have averted the incident. Ensure all default passwords on SCADA/ICS systems are changed and devices are not exposed via search engines like Shodan.
- Whole-of-Government Incident Response Plans: Government entities should establish a central incident response framework, often led by a national cyber agency or task force. Define how local agencies get support from national resources (for example, a small town’s water utility should know how to quickly get help from federal cybersecurity teams). Regular inter-agency exercises can improve coordination – the lack of a coordinated response structure severely hampered Ireland’s initial handling of the HSE attack.
- Continuity of Citizen Services: For each public service, create continuity plans that address how to serve citizens during a cyber outage. This could mean keeping some manual processes as fallback (as seen when Costa Rican customs resorted to paper forms for weeks) or building lightweight parallel systems for critical tasks. Prioritize essential functions – e.g., a government might accept that some websites go down in order to keep border control or 911 services running. Cross-train staff to perform critical operations in case primary IT systems fail.
- Public-Private Collaboration: Build relationships with private sector experts and international allies before an incident. This could involve establishing contacts with major tech companies for emergency support (Microsoft’s assistance to Costa Rica, for instance, was invaluable) or participating in international cyber exercises. Sharing threat intelligence with industries that run national infrastructure (energy companies, telecom providers) is also key, since state-sponsored attacks often target multiple facets of society.
- Budgeting and Political Support: Advocate for sustained investment in government cybersecurity. Often, public sector systems suffer from underfunding and outdated technology (Ireland’s NCSC had only 25 staff and a limited budget at the time of the HSE attack). Cyber resilience must be treated as a national security priority, with funding for modernizing IT, hiring skilled personnel, and educating employees at all levels. Leaders should also establish clear accountability – someone in government has to be responsible for cyber readiness. As seen in Costa Rica, high-level acknowledgement of cybersecurity gaps can be the first step to securing resources to fix them.
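Segmentation comes up in both sector lists above: keeping consumer-facing banking channels apart from internal networks, and keeping operational controls off the internet as the Oldsmar case demanded. The danger is rarely a single rule that allows internet-to-OT traffic; it is a chain of individually reasonable rules that adds up to one. As an added example (not code from the article or from any organization it describes), the following Python script turns that into a check: given a list of allowed zone-to-zone flows as you would extract from firewall rules, it computes what an intruder who has compromised one zone can reach by chaining flows, and tests the result against invariants such as "the internet must never reach the control zone" and "the office network must never reach the control zone". Zone names and both policies are constructed; the weak policy contains the remote-access-from-the-internet pattern the article describes, and the hardened one routes all remote access through an MFA VPN and a jump host.

```python
"""Segmentation blast-radius check over an allowed-flow policy (added example).

Assumed model: a policy is a list of (source_zone, destination_zone, service)
tuples meaning "connections from source to destination on service are allowed".
Zone names are constructed for the demo.
"""
from collections import defaultdict, deque

# Constructed weak policy: office LAN can RDP into control systems, and a vendor
# remote-support tool on the office LAN is reachable from the internet.
WEAK_POLICY = [
    ("internet", "dmz_web", "https"),
    ("dmz_web", "core_banking", "sql"),
    ("corporate", "core_banking", "sql"),
    ("corporate", "ot_control", "rdp"),
    ("internet", "corporate", "remote-support"),
]

# Constructed hardened policy: the web tier goes through an API gateway, remote
# users enter via an MFA VPN zone, and only a jump host may reach control systems.
HARDENED_POLICY = [
    ("internet", "dmz_web", "https"),
    ("dmz_web", "api_gateway", "https"),
    ("api_gateway", "core_banking", "sql"),
    ("vpn_mfa", "corporate", "https"),
    ("vpn_mfa", "ot_jump", "ssh"),
    ("ot_jump", "ot_control", "rdp"),
]

# (start_zone, zone_that_must_not_be_reachable) pairs, constructed for the demo.
INVARIANTS = [
    ("internet", "corporate"),
    ("internet", "ot_control"),
    ("corporate", "ot_control"),
]


def reachable(policy, start):
    """Zones reachable from `start` by chaining allowed flows: {zone: shortest path}."""
    adj = defaultdict(list)
    for src, dst, _service in policy:
        adj[src].append(dst)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adj[zone]:
            if nxt not in paths:          # first visit = shortest path (BFS)
                paths[nxt] = paths[zone] + [nxt]
                queue.append(nxt)
    return paths


def blast_radius(policy, compromised):
    """Every other zone an intruder in `compromised` could pivot into."""
    return sorted(z for z in reachable(policy, compromised) if z != compromised)


def check(policy, invariants):
    """Return one violation per invariant that the policy breaks, with the offending path."""
    violations = []
    for start, forbidden in invariants:
        paths = reachable(policy, start)
        if forbidden in paths:
            violations.append({"from": start, "reaches": forbidden, "path": paths[forbidden]})
    return violations


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: blast radius from corporate = {blast_radius(policy, 'corporate')}")
        for v in check(policy, INVARIANTS):
            print(f"  VIOLATION {v['from']} -> {v['reaches']} via {' -> '.join(v['path'])}")
```

The weak policy fails all three invariants, and the reported path (internet, corporate, ot_control) is exactly the two-hop chain that makes an "internal only" RDP rule internet-exposed in practice. The hardened policy passes, and a compromise of the office network can no longer pivot anywhere. Real firewall rule sets are larger and address-based, but the same transitive-closure check is what answers the question the article keeps asking: if this one zone falls, what else goes with it?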
The wave of cyber incidents from 2020 to 2025 has made one thing evident: achieving true cyber resilience in critical sectors is challenging but absolutely imperative. Banking networks, hospital systems, and government services will continue to be in attackers’ crosshairs – whether criminals seeking profit or actors looking to sow chaos. The incidents at BancoEstado, the HSE, Costa Rica’s government, and elsewhere show that even when prevention fails, smart resilience strategies can limit the damage. Segmented systems kept some bank services running, manual backups protected life-saving care in emergencies, and international cooperation helped governments pull through crises. On the other hand, lack of preparedness or leadership can turn a cyber attack into a prolonged catastrophe.
For cybersecurity professionals, the mandate is clear: plan for the worst. Advocate for and implement measures that ensure your organization can withstand shocks and bounce back quickly. This means blending sound security practices (to minimize incidents) with robust continuity plans (to survive incidents). It means engaging the whole organization – from the server room to the board room – in resilience efforts. And it means fostering a culture that learns from every near-miss and attack to emerge stronger. In a world where threats are ever more sophisticated, cyber resilience is the ultimate insurance that our most critical services and infrastructures will remain dependable when society needs them most.