Business Reporter

Ransomware recovery: when steady beats speedy

Fraser Hutchison at Cohesity outlines the Minimum Viable Company approach to ransomware recovery

 


The biggest blocker to bouncing back from ransomware isn’t missing backups. It’s the “all systems go” approach to recovery.

 

After a major breach, pressure builds to get the entire organisation running again immediately. On paper, restoring everything at speed looks like the quickest way to regain control. But it commonly creates the opposite outcome as teams become overloaded, timelines slip, and systems are brought back before anyone can be confident they’re safe.

 

The fastest recoveries come from teams that think differently from the start. They plan on the basis that significant parts of the corporate environment will be down or cannot be trusted, and they build their response around that reality. The objective becomes simpler and more achievable: restore the most critical services first and restore them cleanly.

 

 

The non-negotiables to staying operational

Focusing on the critical areas of an organisation is the idea behind the Minimum Viable Company (MVC) concept, sometimes referred to as the Minimum Viable Organisation. It is a definition of what must exist for the organisation to survive in challenging conditions, such as a cyber-incident.

 

It’s not just a technology concept; it’s a business definition of survival in terms of the minimum combination of people, processes, technology, documentation, facilities, and third-party dependencies required to keep a business functioning and creating value.

 

 

The key steps towards an MVC

There are five key capabilities when it comes to operationalising an MVC.

 

1. Clarity on critical services

A precise understanding of the systems and dependencies that directly support revenue and mission-critical operations is needed here. To understand the MVC, it is key to map systems to business value. Without this understanding, it’s impossible to accurately define the MVC.

 

The first steps focus on undertaking a structured assessment, aligning across business and technology stakeholders, and going through a realistic simulation of how recovery will unfold under pressure. This will uncover the key areas needed to provide just enough capability to keep the organisation functioning safely during a crisis and guide recovery. In practice, this means defining what must function in the first 24 hours, the first 72 hours, and the first week after a disruption. 

 

2. A trusted foundation (Tier 0)

In the event of a cyber-attack, many organisations miss the critical foundational layer that allows them to establish identity and access control independently of compromised systems. This foundational layer is what we call Tier 0 or the control plane for recovery. It includes identity and access management, networking and DNS, privileged access controls, core security tooling, physical access systems, and secure communication channels.

 

It also covers non-technical dependencies that are easy to overlook until they’re urgently needed, such as incident response playbooks, contact lists and escalation paths, insurance policies, and contracts with external responders. These are the foundations underpinning the critical systems that need to be restored after a cyber-incident. Without this layer, a trusted recovery is not possible.

 

3. Isolation of recovery assets

In the event of a cyber-security breach, organisations must establish control of their most critical systems. This requires recovering data separately from clean snapshots and investigating in parallel, not sequentially, to ensure the recovered systems are not infected by malicious software. As part of this process, backups, configurations, and recovery tooling must be protected from the same blast radius as production. If key recovery assets can’t be isolated, rapid and trusted control of critical systems can’t be achieved.

 

4. Clean-room recovery capability

Rebuilding systems without reintroducing compromise requires an isolated environment, and for that organisations need what we call a ‘Digital Jump Bag’. This is a secure, isolated repository containing everything required to establish a trusted starting point for recovery.

 

5. Validated ability to operate

The next step is to validate the ability of the MVC to operate through realistic crisis scenarios. Resilience must be proven under real-world conditions. Practice is important here because an untested plan remains theoretical. Rehearsals will also help to answer the Board’s most direct question in the event of a cyber-attack: how long will it take to restore critical services to a trusted state?
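Capabilities 1 and 2 can be expressed as a service map that is checked mechanically. The following is an added example, not code from the author or Cohesity: it flags dependencies scheduled for a later recovery window than the services that need them, lists everything that must really be up within a given window, and derives restore waves with Tier 0 first. All service names, windows and dependencies are constructed for illustration.

```python
from graphlib import TopologicalSorter  # raises CycleError on circular dependencies

# Recovery windows from the article, ordered; "tier0" is the trusted foundation.
WINDOWS = {"tier0": 0, "24h": 1, "72h": 2, "week": 3}

# Constructed inventory (hypothetical names): service -> target window + dependencies.
SERVICES = {
    "identity":        {"window": "tier0", "needs": []},
    "dns":             {"window": "tier0", "needs": []},
    "secure-comms":    {"window": "tier0", "needs": ["identity"]},
    "payments-api":    {"window": "24h",   "needs": ["identity", "dns", "orders-db"]},
    "orders-db":       {"window": "72h",   "needs": ["identity"]},  # planned too late
    "customer-portal": {"window": "72h",   "needs": ["payments-api", "dns"]},
    "reporting":       {"window": "week",  "needs": ["orders-db"]},
}

def window_conflicts(services):
    """Return (service, dependency, reason) for every plan inconsistency."""
    found = []
    for name, svc in services.items():
        for dep in svc["needs"]:
            if dep not in services:
                found.append((name, dep, "unmapped dependency"))
            elif WINDOWS[services[dep]["window"]] > WINDOWS[svc["window"]]:
                found.append((name, dep, "restored too late"))
    return sorted(found)

def required_by(services, window):
    """Everything that must run by `window`, including transitive dependencies."""
    limit = WINDOWS[window]
    stack = [n for n, s in services.items() if WINDOWS[s["window"]] <= limit]
    needed = set()
    while stack:
        name = stack.pop()
        if name not in needed:
            needed.add(name)
            stack.extend(services.get(name, {"needs": []})["needs"])
    return needed

def recovery_order(services):
    """Restore waves: each wave depends only on services in earlier waves."""
    graph = {n: [d for d in s["needs"] if d in services] for n, s in services.items()}
    sorter = TopologicalSorter(graph)
    sorter.prepare()
    waves = []
    while sorter.is_active():
        ready = sorted(sorter.get_ready(),
                       key=lambda n: (WINDOWS[services[n]["window"]], n))
        waves.append(ready)
        sorter.done(*ready)
    return waves
```

With this sample data the check shows that the 24-hour set silently includes `orders-db`, which the plan had placed in the 72-hour window.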

 

 

Faster recovery starts with ruthless prioritisation

One of the biggest resilience pitfalls isn’t a lack of tooling; it’s a lack of decisions. Too many organisations haven’t agreed on what needs to be restored first or what ‘clean and safe’ looks like when bringing it back. Until that’s defined, recovery is improvised each time. It’s a one-off activity rather than a repeatable, dependable capability.

 

An MVC also isn’t a one-and-done situation. As an organisation evolves with new systems, new dependencies and new risks, the MVC has to be revisited time and time again. But the logic doesn’t change. You recover more effectively when you stop aiming to resurrect everything and focus instead on getting the essentials back quickly, in a state you can trust.

 


 

Fraser Hutchison is Vice President UK&I at Cohesity

 

Main image courtesy of iStockPhoto.com and bin kontan


© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543