James Blake at Cohesity explains why secure ransomware recovery needs an open benchmark

Executives come under intense pressure the moment a ransomware attack hits. Lines-of-business want to know when their services and products will be back online, the Board wants assurances that things are under control and regulatory obligations are being met, all while customers are worrying about whether you’ve lost their data and are starting to look at your competitors.
In their eagerness to reassure stakeholders and avoid a media brouhaha, executives often push for IT systems to be restored as quickly as possible. Big mistake. Not only does this often produce the opposite result - longer downtime and reputational damage - but it also increases the risk of reinfection and prolonged recovery.
And cyber-security teams often have it worse. Caught between the need to follow process for a safe recovery (ensuring they aren’t restoring vulnerabilities, gaps in detection and attack artefacts that will result in reattack) and urgent pressure from executives, they find themselves between a rock and a hard place. Despite good intentions, they sometimes end up missing critical steps. When systems are rebooted and the attackers turn out to still be inside, downtime continues, and the security team is the one in the firing line.
Part of the challenge can be seen in a 2024 Viking Cloud study. It found 81% of C-suite cyber-security executives feel confident in their organisation’s cyber-defence maturity. Yet only 29% of frontline cyber-security managers agree. Undeniably, there’s a disconnect.
That’s why, when ransomware occurs, executives are often surprised by the scale and difficulty of overcoming it. Even when armed with incident response plans, they’re unprepared for the chaos, the delays, the need for close collaboration between IT and security teams.
What’s missing is a transparent, industry-wide benchmark for ransomware response and recovery. A credible benchmark would provide accessible global and regional data, setting expectations not just for how quickly recovery to a secure state should occur but also clear, actionable steps for how systems should be brought back online securely - with estimated timings.
The goal? To help businesses and executives understand where they are in the response and recovery timeline based on industry averages and give cyber-security teams a reference point to push back when leaders get too hands-on.
An industry benchmark would reveal average containment times, remediation durations, average ransom payments, and frequency of attacks within sectors.
Right now, there are no real industry-standard benchmarks for ransomware response and recovery, particularly none that break the process down into clear, actionable steps. Industry stats and reports aggregate some of this data to a limited degree and provide a useful frame of reference, but ultimately, it’s not as comprehensive as we need.
Adjacent reporting standards demonstrate how a ransomware benchmark could work in theory. The best example is the Joint Technical Standards on Major Incident Reporting (EBA), published by the European Banking Authority for the financial sector and introduced in July 2024. Part of the Digital Operational Resilience Act (DORA), the standards require financial entities to report major ICT-related incidents across the sector.
How does it work? Whenever there is an incident causing significant operational disruption - such as downtime, economic impact, reputational damage, or an impact on the volume of users - the affected party sends an initial notification within four hours, followed by a more detailed report within three days, and a final report, including lessons learned, at conclusion (similar to the aforementioned DORA).
Doing so gives regulators a comprehensive, accurate, and timely view of major incidents, helping track incident trends, highlight cross-border risk, and promote transparency and standards across Europe. While regulators stop short of allowing financial institutions to log in and benchmark against this data, they do release guidance on what’s happening based on it and how to respond to cyber-threats.
Extrapolating this idea to ransomware, formal notification legislation would compel organisations to create a reliable benchmark. With structured, time-bound disclosures (that incur fines if missed), we could move beyond stats, case studies and reports towards transparent discussion of recovery timelines and organisational preparedness. Against rising cyber-crime and the introduction of the UK’s Cyber Security and Resilience Bill, this would help organisations benchmark themselves on resilience maturity, not just recovery outcomes. This includes understanding their current capabilities across people, processes and technologies, and how effectively they can withstand, respond to and recover from cyber-incidents over time by examining.
An industry benchmark of this nature would help executives understand where they stand on the journey and allow peer comparisons, but perhaps more importantly, it would challenge the belief that there is a magic button cyber-security teams can press to get organisations back up and running safely and quickly. Unlike a traditional continuity event, the response and recovery process also demands time for investigation and threat remediation, which inevitably extends the timeline.
For cyber-security teams, it would provide breathing room and reputable statistics showing that ransomware response and recovery should be measured across dwell time, time to detection, time to containment, the integrity and cleanliness of recovered data, and the time taken to restore critical systems without reinfection. Detailed data on reinfection risk shows that once attackers establish persistence, organisations may regain systems but not full control of their environment. When attackers embed themselves deeply enough, it becomes extremely difficult to determine how many hidden backdoors and residual artefacts remain.
Why is all this important? I’m reminded of The Checklist Manifesto by Atul Gawande, an American surgeon turned writer. Its premise is simple: no matter how expert you are, a well-designed checklist can improve outcomes. Rather than suggesting checklists are a cure-all for serious problems like commercial ransomware, the book shows that a carefully considered checklist helps us slow down and focus on the details.
In the absence of an accepted industry-standard benchmark, which may come but not in the foreseeable term, businesses should gather that data themselves and create their own benchmark. The benefits remain the same, and it ensures all parties are aligned. For accountability’s sake, publish that roadmap.
Yes, we might see formalised ransomware benchmarks in the future, even regulations - but it’s unlikely to happen in the foreseeable future. It’s better to collect data internally and secure buy-in from stakeholders. Educating C-level and senior management about due process means that when an incident occurs, they understand why teams advise against rushing to get systems back online, instead prioritising the minimising of reinfection risk.
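As an added illustration of the in-house benchmark suggested here (example code, not part of the article or of any Cohesity tooling): the script below takes incident records carrying the phase timestamps the article lists (initial access, detection, containment, restoration of critical systems, and whether reinfection followed), derives dwell time, time to containment and time to restore per incident, and reports sector-level medians plus a reinfection rate. The metric definitions and the incident records are constructed assumptions, chosen to make the article's terms measurable; a record whose phases are out of order is rejected and counted rather than averaged into the benchmark.

```python
"""Internal ransomware response/recovery benchmark from incident records.

Added example. The metric definitions are assumptions made to operationalise
the terms used in the article (dwell time, time to containment, time to
restore, reinfection); they are not a published standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Iterable, List, Optional

# Constructed sample records (hypothetical incidents, not real data).
# INC-004 is deliberately inconsistent: "critical_restored" precedes "contained".
SAMPLE_INCIDENTS: List[dict] = [
    {"id": "INC-001", "sector": "finance", "initial_access": "2025-01-03T02:00",
     "detected": "2025-01-10T02:00", "contained": "2025-01-10T14:00",
     "critical_restored": "2025-01-13T14:00", "reinfected": False},
    {"id": "INC-002", "sector": "finance", "initial_access": "2025-02-01T00:00",
     "detected": "2025-02-15T00:00", "contained": "2025-02-15T06:00",
     "critical_restored": "2025-02-17T06:00", "reinfected": True},
    {"id": "INC-003", "sector": "healthcare", "initial_access": "2025-03-01T10:00",
     "detected": "2025-03-04T10:00", "contained": "2025-03-05T10:00",
     "critical_restored": "2025-03-12T10:00", "reinfected": False},
    {"id": "INC-004", "sector": "healthcare", "initial_access": "2025-04-01T00:00",
     "detected": "2025-04-02T00:00", "contained": "2025-04-05T00:00",
     "critical_restored": "2025-04-03T00:00", "reinfected": False},
]

# Phases in the order they must occur within one incident.
PHASES = ("initial_access", "detected", "contained", "critical_restored")


@dataclass(frozen=True)
class IncidentMetrics:
    incident_id: str
    sector: str
    dwell_time: timedelta            # initial access -> detection
    time_to_containment: timedelta   # detection -> containment
    time_to_restore: timedelta       # containment -> critical systems restored
    reinfected: bool                 # attacker regained access after restore


def compute_metrics(record: dict) -> IncidentMetrics:
    """Derive per-incident metrics; reject records whose phases are out of order."""
    times = [datetime.fromisoformat(record[p]) for p in PHASES]
    for earlier, later, name in zip(times, times[1:], PHASES[1:]):
        if later < earlier:
            raise ValueError(f"{record['id']}: '{name}' precedes the previous phase")
    access, detected, contained, restored = times
    return IncidentMetrics(
        incident_id=record["id"],
        sector=record["sector"],
        dwell_time=detected - access,
        time_to_containment=contained - detected,
        time_to_restore=restored - contained,
        reinfected=bool(record["reinfected"]),
    )


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


def benchmark(records: Iterable[dict], sector: Optional[str] = None) -> Dict[str, float]:
    """Median hours per metric and the reinfection rate, optionally for one sector.

    Inconsistent records are counted under 'rejected' rather than silently
    averaged: a benchmark built on bad timelines would mislead the executives
    it is meant to inform.
    """
    valid: List[IncidentMetrics] = []
    rejected = 0
    for rec in records:
        if sector is not None and rec["sector"] != sector:
            continue
        try:
            valid.append(compute_metrics(rec))
        except ValueError:
            rejected += 1
    if not valid:
        return {"incidents": 0, "rejected": rejected}
    return {
        "incidents": len(valid),
        "rejected": rejected,
        "median_dwell_hours": median(hours(m.dwell_time) for m in valid),
        "median_containment_hours": median(hours(m.time_to_containment) for m in valid),
        "median_restore_hours": median(hours(m.time_to_restore) for m in valid),
        "reinfection_rate": sum(m.reinfected for m in valid) / len(valid),
    }


if __name__ == "__main__":
    for scope in (None, "finance", "healthcare"):
        print(scope or "all sectors", benchmark(SAMPLE_INCIDENTS, scope))
```

Medians are used rather than means because a single long-dwell incident would otherwise dominate the figure that leadership sees; the rejected count is reported alongside so that data-quality problems in the incident log stay visible.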
You can throw all the money in the world at a ransomware problem, but cyber-resiliency isn’t something you can buy; it’s something you become. Not just by having the right technology and people, but applying them in the right way.
Executives, even with the best interests of the business at heart, often miss the wood for the trees. Visibility over ransomware procedures - whether through an official industry benchmark or an in-house approach - helps ensure everyone is on the same page.
James Blake is VP of Global Cyber Resiliency at Cohesity