Ransomware recovery usually doesn’t collapse because backups are missing. It collapses because organisations treat the aftermath of an attack like a race to switch the lights back on, everywhere, all at once.
In the first few hours after an attack, urgency takes over. Restoring the full estate at maximum pace is assumed to be the best option for the business. But this ‘big bang’ approach often produces a slower, riskier recovery. Teams become stuck behind the same bottlenecks, hidden dependencies derail sequencing, and services are reinstated before anyone can say, with certainty, that they’re safe.
The organisations that regain control quickest after a ransomware attack don’t aim for ‘everything back up and running ASAP’. They assume parts of the IT environment will be unusable or untrusted and design their response around this constraint. Their target is narrower and more realistic: to bring back the handful of services the business cannot operate without, in a state that can be trusted.
Define what the business must keep doing, no matter what
This is where the Minimum Viable Company (MVC) approach comes into play. MVC is the practical definition of what must exist for the organisation to keep functioning through disruption, including a cyberattack of material business impact such as ransomware. It isn’t just an IT exercise; it’s a business-level view of survival. What is the minimum mix of people, processes, technology, documentation, facilities, and third-party dependencies required to keep value flowing and operations legally, safely, and commercially viable?
The five key steps to turning MVC from theory into an executable recovery plan
- Clarity on critical services: A precise understanding of the systems and dependencies that directly support revenue and mission-critical operations is needed here. To understand the MVC, it is key to map systems to business value. Without this understanding, it’s impossible to accurately define the MVC. The first steps focus on undertaking a structured assessment, aligning across business and technology stakeholders, and going through a realistic simulation of how recovery will unfold under pressure. This will uncover the key areas needed to provide just enough capability to keep the organisation functioning safely during a crisis and guide recovery. In practice, this means defining what must function in the first 24 hours, the first 72 hours, and the first week after a disruption.
- A trusted foundation (Tier 0): In the event of a cyberattack, many organisations miss the critical foundational layer that allows them to establish identity and access control independently of compromised systems. This foundational layer is what we call Tier 0 or the control plane for recovery. It includes identity and access management, networking and DNS, privileged access controls, core security tooling, physical access systems, and secure communication channels. It also covers non-technical dependencies that are easy to overlook until they’re urgently needed, such as incident response playbooks, contact lists and escalation paths, insurance policies, and contracts with external responders. These are the foundations underpinning the critical systems that need to be restored after a cyber incident. Without this layer, a trusted recovery is not possible.
- Isolation of recovery assets: In the event of a cybersecurity breach, organisations must establish control of their most critical systems. This requires recovering data separately from clean snapshots and investigating in parallel, not sequentially, to ensure the recovered systems are not infected by malicious software. As part of this process, backups, configurations, and recovery tooling must be protected from the same blast radius as production. If key recovery assets can’t be isolated, rapid and trusted control of critical systems can’t be achieved.
- Clean-room recovery capability: To rebuild systems in an isolated environment without reintroducing compromise, organisations need to set up what we call a ‘Digital Jump Bag’. This is a secure, isolated repository containing everything required to establish a trusted recovery starting point.
- Validated ability to operate: The next step is to validate the ability of the MVC to operate through realistic crisis scenarios. Resilience must be proven under real-world conditions. Practice is important here because an untested plan remains theoretical. Rehearsals will also help to answer the Board’s most direct question in the event of a cyberattack: how long will it take to restore critical services to a trusted state?
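The first two steps (mapping critical services to 24-hour, 72-hour and one-week windows, and restoring Tier 0 first) can be checked mechanically before a rehearsal. The sketch below is an added example, not part of the original article: the service names, windows and function names are constructed for illustration. It flags dependencies that would block a restore and derives a dependency-safe restore order.

```python
import heapq
from graphlib import TopologicalSorter

# Constructed sample map: service -> (recovery window in hours, dependencies).
# Window 0 marks Tier 0; 24 / 72 / 168 are the first day, 72 hours and week.
SERVICES = {
    "identity":          (0,   []),
    "dns":               (0,   []),
    "privileged-access": (0,   ["identity"]),
    "payments-api":      (24,  ["identity", "dns", "orders-db"]),
    "orders-db":         (72,  ["identity"]),
    "customer-portal":   (72,  ["payments-api", "dns", "cdn-config"]),
    "reporting":         (168, ["orders-db"]),
}

def sequencing_gaps(services):
    """Return (service, dependency, reason) for each dependency that blocks a restore."""
    gaps = []
    for name, (window, deps) in services.items():
        for dep in deps:
            if dep not in services:
                # Hidden dependency: relied on, but never mapped into the MVC.
                gaps.append((name, dep, "not in MVC map"))
            elif services[dep][0] > window:
                # Dependency is scheduled later than the service that needs it.
                gaps.append((name, dep,
                             f"due at {services[dep][0]}h, needed by {window}h"))
    return gaps

def restore_order(services):
    """Dependency-safe order; among restorable services, earliest window first."""
    graph = {n: [d for d in deps if d in services]
             for n, (_, deps) in services.items()}
    ts = TopologicalSorter(graph)
    ts.prepare()  # raises graphlib.CycleError on circular dependencies
    heap, order = [], []
    while ts.is_active():
        for n in ts.get_ready():
            heapq.heappush(heap, (services[n][0], n))
        _, nxt = heapq.heappop(heap)
        order.append(nxt)
        ts.done(nxt)
    return order

if __name__ == "__main__":
    for gap in sequencing_gaps(SERVICES):
        print("GAP:", gap)
    print("ORDER:", " -> ".join(restore_order(SERVICES)))
```

Each reported gap is a decision to make before an incident: either pull the dependency into an earlier window or accept that the dependent service cannot meet its own.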
Speed of recovery comes from prioritisation, not panic
One of the most common resilience failures isn’t tooling. It’s the absence of agreement about what comes back first, what can wait, and what ‘clean’ means in operational terms. When these decisions aren’t made ahead of time, every ransomware event becomes an improvised project, bringing high stress and low repeatability.
MVC shifts the mindset from ‘restore the estate’ to ‘restore the essentials’. But it’s worth remembering that it’s not a ‘set and forget’ task. As an organisation changes and evolves, new systems, suppliers and risks come into play. The MVC definition must evolve as well.
Recovery is quicker when organisations avoid the ‘bring everything back’ scramble and instead restore the most critical services first, fast, and with confidence that they’re clean and trustworthy.