Why Stryker's Outage Is a Disaster Recovery Wake-Up Call

CYBERSECURITY OPERATIONS CYBER RISK THREAT INTELLIGENCE CYBERATTACKS & DATA BREACHES NEWS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call The Iranian cyberattack on Stryker is the kind of stress test that business continuity and disaster recovery programs often do not plan for. Jai Vijayan,Contributing Writer March 12, 2026 5 Min Read SOURCE: JHVEPHOTO VIA SHUTTERSTOCK A cyberattack that appears to have knocked tens of thousands of systems offline at medical technology company Stryker this week is a sobering reminder of the importance for organizations to have robust and tested business continuity and disaster recovery plans. Iranian threat group Handala claimed responsibility for the attack, calling it a retribution both for a recent airstrike on a school in Iran that reportedly killed more than 160 children and for the company's alleged ties to Israel. In a post on X, Handala claimed it had wiped some 200,000 Stryker "systems, servers and mobile devices" in addition to exfiltrating 50TB of company data. "Stryker's office in 79 countries have been forced to shut down," the group claimed. "All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity." Stryker, a company with revenue of $25 billion, described the incident on Wednesday as a "global network disruption to its Microsoft environment," which it believed has been contained. The statement noted the company is working on understanding the true scope of the attack, adding it has business continuity plans in place for supporting customers and partners. "We are committed to transparency and will keep stakeholders informed as we know more." Related:White House Cyber Strategy Prioritizes Offense Stryker updated its message on Thursday to indicate that it was still working on fully restoring disrupted systems but noted that products like its robot-assisted surgical platform, its real-time communication platform for healthcare professionals, and advance life support monitor and defibrillator devices were safe to use. Stryker did not respond immediately to a Dark Reading request for comment on Handala's claims regarding the number of impacted systems and the claimed theft of company data. However, several media outlets have reported that Stryker employees in the US and elsewhere were sent home after their systems, including mobile devices and phones that employees used at work, were reset to factory settings. A Wake-Up Call Security experts have been warning about retaliatory cyberattacks by Iranian threat groups against US companies and cyber assets since the US and Israel launched military operations against the country about two week ago. The wiper attack on Stryker is the first big one, but security experts predict more will follow. In a research note, Flashpoint identified several technology companies including Amazon, Google, Microsoft, Oracle, Palantir, and Nvidia as organizations that Iran's Islamic Revolutionary Guard Corps (IRGC) has threatened to attack. Related:Software Development Practices Help Enterprises Tackle Real-Life Risks Incidents like the one at Stryker highlight how business continuity can collapse if recovery depends on the same systems that were just compromised, says Kim Larsen, group chief information security officer (CISO) at Keepit. "If your identity layer, endpoints, and backups all fail together, resilience is largely theoretical.” Global organizations in particular struggle with business continuity and disaster recovery because their data tends to be fragmented across platforms, regions, and regulatory regimes. That complexity slows recovery precisely when speed matters most, he says. “We also see sovereignty become a real constraint during recovery. If organizations don't have clear control over where their data lives and who governs access, legal and operational uncertainty can delay restoration when every hour counts," Larsen notes. Planning for the Worst Case Vincenzo Iozzo, CEO and co-founder of SlashID, says breaches like the one at Stryker highlight why it's a good idea for organizations to frequently back up cloud environments. "Adopting Infrastructure as Code (IaC) practices can also help restore environments much more promptly," he says. "Further, segregation of privileges is paramount."  Related:Stranger Things Meets Cybersecurity: Lessons from the Hive Mind Organizations need to ensure that global admin privileges, especially in cloud environments, are restricted to a handful of "break-glass" accounts, Iozzo says, while routine administration across different environments should be handled through separate, lower-privilege accounts for specific functions.  BCDR programs often assume the management plane, identity infrastructure, and corporate communications will survive the attack, says Collin Hogue-Spears, senior director of solution management at Black Duck. But a wiper attack that is designed to permanently destroy data breaks all three assumptions at once. "CISOs must rebuild BCDR plans around a total-loss wiper scenario, not a recoverable ransomware scenario," Collin says.  That means having immutable backups isolated from the primary identity plane, out-of-band communications that do not depend on corporate infrastructure, and recovery runbooks that assume zero functioning endpoints on day one. "If your disaster recovery test has never started with the words 'every device is gone and email does not work,' you have never tested for the scenario that just happened," he says.  The hardest part of multinational BCDR is not restoring systems, Collin adds. "It is governing parallel recovery across countries with different critical functions, different legal constraints, different local infrastructure maturity, and different decision rights, all demanding action at the same time, with no established coordination mechanism for that scale." CISOs at companies with global operations should decide ahead of time which locations and systems are most important so they know the order to restore them during an incident. They should set up recovery teams in different regions and give them the authority to act quickly in an emergency and prepare breach-notification plans in advance for every country they operate in, so they can quickly meet local regulatory requirements if something happens, Collin says. "If your BCDR plan treats 79 countries as one recovery zone, you will discover during the incident that it is actually 79 separate recoveries running with no coordination," he says. "The hardest part of multinational BCDR is not the technology. It is the conversation where leadership decides which country comes back online first." Editor's Note: The reporter who wrote this story has a family member who is employed by Stryker. About the Author Jai Vijayan Contributing Writer Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill. More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Cybersecurity Forecast 2026 The ROI of AI in Security ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like CYBERSECURITY OPERATIONS Cyberattacks Likely Part of Military Operation in Venezuela by Robert Lemos, Contributing Writer JAN 07, 2026 CYBERSECURITY OPERATIONS Contrarians No More: AI Skepticism Is on the Rise by Rob Wright DEC 31, 2025 CYBERSECURITY OPERATIONS Prep is Underway, But 2026 FIFA World Cup Poses Significant Cyber Challenges by Robert Lemos, Contributing Writer SEP 26, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 Editor's Choice APPLICATION SECURITY Microsoft Patches 83 CVEs in March Update byJai Vijayan MAR 11, 2026 4 MIN READ THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE