Why You Can’t Rely on IT Alone for Operational Resilience and Why Time Is Running Out
Imagine this: your company is hit by a cyberattack. You can’t access your systems. Emails won’t send. Orders can’t be processed. Your teams are stuck. You call IT. You hear:
"We’re working on it. It might take weeks."
That’s not a hypothetical. It’s reality, and it’s happening to businesses of all sizes, across every industry, more and more frequently.
So here’s the hard truth: if you’re relying solely on IT recovery to keep your business running after a cyberattack, you’re setting yourself up for weeks of painful, costly paralysis. It’s not because your IT team isn’t good. It’s because the very nature of modern systems, backups, and attacks makes fast recovery impossible. And the business, not IT, pays the price.
Let’s break this down, in human terms.
IT Recovery Takes Weeks. That’s Normal. And Here’s Why.
Restoring Data Is Manual, Massive, and Painfully Slow
After a cyberattack, your data often needs to be restored from backups. But this isn’t as simple as clicking “restore”:
- Backups are often stored daily, so the newest data is already lost.
- Copying huge amounts of data back into systems takes time. Every terabyte can take hours. Imagine hundreds of them.
- If the attack encrypted your backups (which often happens), the team has to piece together data from various sources, safely and meticulously.
Even with “modern” backup tools, companies average 21–24 days of downtime after a ransomware attack.
Your Entire IT Ecosystem Might Be Damaged
Today’s attacks don’t just hit one system; they ripple across everything:
- Hundreds of PCs, servers, and apps may need to be rebuilt one by one.
- Each step must follow a strict order (for example, you can’t log into apps if your Active Directory system, the digital identity manager and gatekeeper, is still broken).
- Overlook one part, and it can derail everything.
One IT admin reported it took 7 full days just to re-image and restore all employee laptops after an attack.
You Can’t Start Until the Threat Is Contained
Before recovery starts, the team needs to:
- Detect and analyze the attack (which can take 3 days or more; often no one realizes until systems start failing).
- Eradicate malware and close every security hole.
- Ensure the attacker no longer has access; otherwise, you risk being hit again during recovery.
Even ransom negotiations (for those who go that route) take 8–10 days on average, and even when paid, the “decryption tools” often don’t work well.
But We’re in the Cloud, So We’re Safe!
Not Quite.
Cloud systems offer high availability, not instant resilience:
- If malware encrypts your local files, your cloud-synced files may also be overwritten with corrupted versions.
- If attackers gain access to your cloud account (and they often do), they can delete data, servers, and even backups.
- Cloud recovery still takes days or weeks. For instance:
  - Atlassian’s 2022 cloud outage took 14 days to recover affected customers — even without an attack.
  - Kronos, a cloud payroll provider, was offline for weeks after a ransomware hit, forcing clients to do payroll manually.
It’s Not Just About IT. It’s About Keeping the Business Running.
Here’s the part most people miss: IT disaster recovery isn’t the same as business continuity.
- Disaster Recovery = Get systems working again.
- Business Continuity = Keep the business running, with or without systems.
When systems go down, the business can’t afford to wait weeks.
You need (manual) workarounds, alternative workflows, and clear operational plans to keep moving. For example:
- During a major NHS outage in the UK, hospitals went back to paper-based processes to treat patients safely.
- When Royal Mail was hit, international shipping ground to a halt, because there was no fallback. Parcels piled up for weeks.
If your teams don’t know how to do their core job without their digital tools, your business stops.
Real-Life Catastrophes: A Look at the Headlines
Still think “a few days of downtime” is manageable? These examples prove otherwise:
- Maersk (2017): 2 weeks offline after NotPetya malware. Losses: $300 million.
- Travelex (2020): 2 weeks offline. Ended in bankruptcy.
- MGM Resorts (2023): 9 days of disruption. Losses: $100 million.
- Costa Rica (2022): National emergency declared. Some systems offline for months.
- M&S (2025): A few weeks of interruption. Disruption costs: £300m.
These weren’t failures of IT. They were failures of business resilience planning.
The Takeaway: Business People Must Own Their Resilience
Let’s be crystal clear:
If your business cannot function without IT systems, and you have no backup plan for people and processes, then your operations will stop for weeks when a cyberattack hits.
This isn’t an IT issue anymore. It’s a boardroom issue. A business risk. A leadership blind spot.
You must ask yourself:
- Can my teams perform the most critical tasks without digital tools?
- Do we have manual procedures documented and tested?
- Can we serve customers, fulfill orders, or operate in “paper mode” for days or weeks?
If the answer is no, you are at risk.
IT outages can happen for many reasons: accidental missteps, system failures, geopolitics, insider mistakes, deliberate sabotage, or increasingly sophisticated attacks. These disruptions are no longer rare events; they’re a regular part of today’s digital reality. The real question is no longer if your systems will go down, but when, and how ready your business will be to keep going when they do.
Business People, Own Your Resilience. Own Your Destiny.
Though increasingly optimized, IT recovery will always take time, and that’s OK. That’s how the systems are built. Cyber insurance is not the answer, and it certainly doesn’t cover everything!
But your business doesn’t have to stop. Not if you plan for it. Not if you own it.
You can’t outsource resilience. You can’t delegate continuity.
You must build it. Test it. Own it.
Start today. Because when the next attack hits, the clock starts ticking, and waiting is not an option.