Business Reporter

Keep calm and stay online

Bhooshan Thakar at Arctera explains how to orchestrate a rapid recovery when a cyber-attack hits 


This year’s wave of cyber-attacks in the UK forced several major retailers to take their operations offline — with disruption costing an estimated £270-440 million, according to the UK’s Cyber Monitoring Centre. The different approaches taken by those retailers have sparked a debate about the ‘best first action’ that victims should take. Despite the costs associated with downtime and lost sales, some IT teams decided to immediately, and proactively, pull the plug on IT operations to protect data and prevent further damage. Was it the right thing to do?

 

In the past, many cyber-security experts would have criticised this move. Historically, uptime has been a primary goal for retailers, especially in e-commerce. Achieving a very high uptime, commonly cited as 99.9% or higher, was long considered essential for maintaining customer trust, ensuring steady revenue, and protecting brand reputation. But this is becoming a much more nuanced metric – as the retail outages showed. Is it better to have 50% of your systems down for several months, or 100% of your systems down for several days?

 

Obviously, the ideal state is to get as close to 100% of systems up 100% of the time. But, when you stop looking at uptime as binary, resilience fast becomes the key metric of success. In these recent attacks, the retailers who acted quickly suffered less disruption and got back online faster. But this only works if you have a robust failover solution — a system, plan or process that allows operations to automatically switch to a reliable backup or standby system when the primary infrastructure fails. Failover systems give businesses the confidence to take the ‘nuclear option’ and get back online quickly and securely. 

 

Uptime is the outcome, not the goal. Resilience has now risen to the top of the agenda, and from it, everything else falls into place. So, how can businesses ensure they have the foundations in place for a rapid recovery in the event of a catastrophic cyber-attack?

 

 

Design your return, not just your defence

Most organisations spend millions on detection and prevention, but barely anything on recovery design. According to Gartner, nearly 90% of security budgets are allocated to protection and detection, with less than 10% spent on response and recovery.

 

Coming back online should be treated like a product launch: a staged, choreographed, and intentional act. Customers are far more understanding of cyber-attacks thanks to frequent media coverage, and are more likely to judge based on how well a business responds and communicates rather than a perceived slip in cyber-security practices.

 

So how should firms begin designing their return from unexpected downtime? There’s no universal formula in 2025, just an understanding that what works well is what works best.

 

Still, some principles are worth treating as non-negotiable. Start by implementing a failover system that keeps operations running when your primary infrastructure fails. This system continuously monitors performance and, if it detects a failure, can automatically switch to an alternative. A strong foundation is key.

 

Once the failover systems take over, activate the incident response plan — not as an emergency scramble, but as a rehearsed production. Everyone has a role, knows their cues, and executes their part. The wider organisation supports the response like a backstage crew: coordinated, efficient, and ready. Getting to that point takes deliberate practice. Tabletop exercises and live simulations transform static policies into real-world readiness.

 

Build isolated, clean environments ahead of time that can be trusted post-breach. Think “pre-approved recovery zones” that can be spun up and switched over in hours, not weeks. And recovery rulebooks, which prioritise the order of operations, are crucial to keeping heads cool.

 

Getting these fundamentals in place makes it easier to return to full operation. When we say this step is important, it isn’t just hyperbole. According to Deloitte, 93% of companies that suffer major data loss without a recovery plan shut down within a year.

 

Better to be ready for boom-and-bust cycles than let threat actors dictate the terms of operations.

 

 

Let data lead your recovery

The best lessons in life come from hard landings. After a devastating blow, rerunning what happened might be painful, but it’s often the best way to understand what to do next time. Recovery is no different. Building full observability across systems ensures businesses are not only able to see what’s on fire during an attack but also replay the blow-by-blow in the aftermath.

 

Many large organisations adopt formal incident response plans after an attack, which correlates with better handling of subsequent breaches. By treating cyber-events like an aeroplane black box — with searchable, reliable logs — businesses are better able to conduct post-incident analysis and demonstrate control to regulators.

 

Bring the whole crew in — not just IT and security, but legal, ops, comms, and senior leadership. Everyone has a role when the ground rushes up. Rehearse your landing. Keep your playbook current and practical, not theoretical. Recovery isn’t the time to start planning. Integrate response and recovery: cyber-security isn’t just a defensive posture; it’s a business survival strategy.

 

It’s important to remember that recovery is not a restart — it’s a reboot. It’s far better to switch the focus from simply bringing systems back online to successfully navigating a challenge that provides an opportunity to rebuild trust, confidence, and control.

 

One of the most important steps is to use data to inform long-term strategies and policies. Return regularly to tabletop exercises. Use the recovery period to strengthen defences, close security gaps, and refine response strategies. But above all, learn from the incident — conduct a full post-mortem, document lessons learned, and apply them across the organisation.

 


 

Bhooshan Thakar is VP and GM, Data Resilience at Arctera

 

Main image courtesy of iStockPhoto.com and Dragon Claws


© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543