Business Continuity (BCP/DR) in the era of cyber attacks: How to survive a ransomware disaster?
Business Continuity Management (BCM) is a mature business discipline that aims to ensure that an organization can survive and continue operations in the face of a disaster. Over the years, business continuity (BCP) and disaster recovery (DR) plans have been developed with physical scenarios in mind: a server room fire, a flood, a long-term power outage or a pandemic. In each of these cases, the fundamental premise was the same: the infrastructure was destroyed, but our data, safe in a backup location or on backup tapes, is intact and trustworthy.
However, cyber attacks, and ransomware in particular, are completely turning this model upside down. A cyberattack is not a mindless element. It’s an intelligent, malicious adversary whose goal is not only to destroy production infrastructure, but also to deliberately and intentionally destroy a company’s ability to restore it. Attackers actively prey on backup servers to encrypt or delete them, depriving the victim of a last resort. This is a fundamental change that renders traditional BCP/DR plans, based on the assumption of backup integrity, useless in the face of a cyber attack. It’s time to rewrite them.
What is business continuity management (BCM) and what are its key elements (BCP, DR)?
Business Continuity Management (BCM) is a holistic management process that aims to identify potential threats to an organization and their impact on business operations. On this basis, it builds a framework for enhancing resilience and the ability to respond effectively that protects key stakeholders’ interests, reputation, brand and value-creating activities.
BCM consists of several key interrelated components:
- Business Impact Analysis (BIA): The process of identifying critical business processes and the effects of their disruption over time.
- Risk Assessment: Identification and analysis of the risks that could lead to these disruptions.
- Business Continuity Plan (BCP): A document that describes how an organization will continue its critical business functions during and after a disaster. It focuses on people, processes and alternative ways of working (e.g., working from a backup office).
- Disaster Recovery Plan (DR Plan): This is a technical subset of the BCP that focuses on restoring IT infrastructure and data after a disaster.
Traditionally, BCP has answered the question “how does the business survive?” and DR has answered the question “how does IT enable it?”. In the era of cyber attacks, that line is blurring.
Why are traditional BCP/DR plans, designed for physical failures, insufficient in the face of cyber attacks?
Traditional business continuity plans are based on several fundamental assumptions that prove to be flawed and dangerous in a cyberattack scenario.
First, they assume the integrity of the data and backups. In the case of a fire, no one questions whether the backups on the tapes at the backup location are “clean.” In the case of a ransomware attack, this is the number one question. Attackers often remain inside the network for months before encrypting data (a long “dwell time”), which means that backups from the past weeks or months may also contain malware or backdoors. Restoring a system from an infected backup is a straightforward path to immediate reinfection.
Second, they treat a disaster as a single, completed event. A fire erupts, destroys and goes out. A cyber attack is a
Third, they focus on restoration, not investigation. In the event of a hardware failure, the goal is to restore operations as quickly as possible. In the case of a cyber attack, hasty restoration of systems can destroy key digital evidence, making it impossible to understand how the attack occurred, what the scope of the attack was and how to prevent it from happening again.
Comparison of disaster scenarios: Physical failure vs cyber attack

| Aspect | Physical disaster (e.g., fire) | Cyber attack (e.g., ransomware) |
|---|---|---|
| Condition of infrastructure | Destroyed or inaccessible. | Potentially working, but compromised and untrusted. |
| Trust in backups | High (backups are seen as “clean”). | Extremely low (backups can be encrypted, deleted or infected). |
| Main objective after the disaster | Restore operations as quickly as possible (Recovery First). | Stopping the attack and understanding its scale (Investigation First). |
| Role of the security team | Supportive (restoration assistance). | Key and leading (investigation, removal of the threat). |
How do you integrate an incident response (IR) plan with a business continuity plan (BCP)?
In the era of cyber attacks, incident response (IR) and business continuity (BCP/DR) processes can no longer exist as two separate, independent plans. They must be integrated into a single, cohesive and overarching
In the traditional model, the DR process was run first to restore systems as quickly as possible. In a cyber scenario,
- Containment: The IR team must first ensure that the attack has been fully contained and the attacker no longer has active access to any part of the network.
- Investigation: The IR team must identify the attack vector (how the intrusion occurred) and the extent of the compromise (which systems were affected), and make sure that all of the attacker’s backdoors and persistence mechanisms have been found.
- Verification of backups: The IR team must analyze the backups to identify the last “clean” and trustworthy restore point that was created before the moment of the original compromise.
Only after completing these activities and receiving the “green light” from the IR team can procedures from the disaster recovery (DR) plan be safely started.
What is a business impact analysis (BIA) and how does it help define priorities?
Business Impact Analysis (BIA) is a fundamental process that lies at the heart of any mature business continuity plan. Its purpose is to identify and assess the potential impact of disruption to critical business processes. Simply put, a BIA answers the question, “What is really important to us and how much will it hurt us if it stops working?”.
The BIA process involves mapping all the key processes in a company (e.g., production, sales, customer service, invoicing) and then determining for each of them:
- Dependencies: What IT systems, people and vendors does the process depend on?
- Impact of failure: What will be the consequences (financial, reputational, legal) of this process being unavailable after an hour, a day, a week?
The results of the BIA analysis make it possible to objectively rank processes and systems according to their criticality. This, in turn, is the basis for defining two key indicators for the DR plan: the Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
What is the importance of RTO and RPO indicators in the context of cyber attacks?
RTO (Recovery Time Objective) and RPO (Recovery Point Objective) are the two most important metrics that define the goals and requirements for disaster recovery strategies.
- RTO (Recovery Time Objective): Defines the maximum acceptable time within which a system or business process must be recovered after a disaster to avoid unacceptable losses. An RTO of 2 hours for a critical e-commerce system means that it must be back in operation within 2 hours of a disaster.
- RPO (Recovery Point Objective): Defines the maximum acceptable amount of lost data, measured in time. An RPO of 15 minutes means that in the event of a disaster, the company accepts the loss of data from at most the last 15 minutes before the disaster. In practice, the RPO determines how often backups must be performed.
In the context of cyber attacks, these metrics become even more important. A ransomware scenario can significantly increase real recovery time, as the time required to investigate and verify backups comes into play. Therefore, when planning, companies need to take this “buffer” into account and consider whether their business can survive a much longer outage than the traditional DR plan assumed.
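The IR-before-DR sequence and the RTO/RPO “buffer” described above can be made concrete. The following is an added example, not code from the article or from nFlo: it selects the last clean restore point (immutable and created before the IR team’s estimated initial compromise) from a constructed backup catalog and compares the resulting data loss and IR lead time with the nominal RPO/RTO. All timestamps, durations and phase lengths are constructed illustrations.

```python
from datetime import datetime, timedelta

# Constructed backup catalog for one critical system: (snapshot time, immutable?).
BACKUPS = [
    (datetime(2024, 5, 1, 2, 0), True),
    (datetime(2024, 5, 8, 2, 0), True),
    (datetime(2024, 5, 15, 2, 0), True),
    (datetime(2024, 5, 22, 2, 0), False),  # constructed: writable copy, could be tampered with
    (datetime(2024, 5, 29, 2, 0), False),
]

def last_clean_restore_point(backups, initial_compromise):
    """Newest backup taken before the IR team's initial-compromise estimate.
    Later snapshots may carry the attacker's tooling, and copies that were not
    immutable may have been altered, so both are excluded."""
    candidates = [ts for ts, immutable in backups if immutable and ts < initial_compromise]
    return max(candidates) if candidates else None

def cyber_recovery_gap(backups, initial_compromise, detection, rpo, rto,
                       containment, investigation, verification):
    """Compare the nominal RPO/RTO with what a ransomware scenario yields.
    Data loss runs from the clean restore point to detection, not from the last
    backup, and DR cannot start until containment, investigation and backup
    verification are complete."""
    clean = last_clean_restore_point(backups, initial_compromise)
    if clean is None:
        return {"restore_point": None, "recoverable": False}
    data_loss = detection - clean
    ir_buffer = containment + investigation + verification
    return {
        "restore_point": clean,
        "recoverable": True,
        "data_loss": data_loss,
        "rpo_exceeded": data_loss > rpo,
        "ir_buffer": ir_buffer,
        "rto_exceeded": ir_buffer > rto,  # DR has not even started when the RTO deadline passes
    }

def demo_report():
    """Constructed scenario: compromise on 20 May, detected 1 June, RPO 15 min, RTO 2 h."""
    return cyber_recovery_gap(
        BACKUPS, initial_compromise=datetime(2024, 5, 20, 14, 30),
        detection=datetime(2024, 6, 1, 9, 0),
        rpo=timedelta(minutes=15), rto=timedelta(hours=2),
        containment=timedelta(hours=6), investigation=timedelta(hours=48),
        verification=timedelta(hours=12))

if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```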
How to design a backup strategy resistant to ransomware attacks (3-2-1 rule, immutable copies)?
In the fight against ransomware, the backup strategy is the last and most important line of defense. It must be designed with the assumption that the attacker will actively try to destroy it.
The basis is the battle-tested 3-2-1 rule:
- 3 copies of your data: Have at least three copies of your data (one production and two backups).
- 2 different media: Store copies on at least two different types of media (e.g., disk and tape, or disk and cloud).
- 1 offline/offsite copy: Keep at least one copy in another physical location (offsite) and, absolutely critical, offline or air-gapped (physically disconnected from the network).
In the ransomware era, the rule is evolving. The use of immutable backup technology is becoming crucial. These are backups that, once written, thanks to special mechanisms at the storage or cloud service level, cannot be modified or deleted (even by an administrator) for a predetermined period of time. Even if an attacker takes full control of the backup server, they will not be able to encrypt or delete such unalterable copies, which guarantees the possibility of data restoration.
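A backup inventory can be checked against the 3-2-1 rule plus the immutability requirement above. This is an added example, not code from the article or from nFlo; the copy inventories are constructed, and the 90-day maximum dwell-time figure is an assumed planning value (the article only says attackers may dwell for months), used to require that an immutable copy is retained long enough for a pre-compromise restore point to still exist.

```python
from dataclasses import dataclass

@dataclass
class BackupCopy:
    name: str
    medium: str          # e.g. "disk", "tape", "object-storage"
    offsite: bool        # stored in another physical location
    offline: bool        # air-gapped / physically disconnected from the network
    immutable_days: int  # retention lock in days; 0 = an administrator can alter or delete it

# Assumed planning value (not from the article): immutable retention shorter than the
# expected maximum dwell time leaves no guaranteed pre-compromise copy.
ASSUMED_MAX_DWELL_DAYS = 90

def check_3_2_1(backup_copies, max_dwell_days=ASSUMED_MAX_DWELL_DAYS):
    """Return a list of findings; an empty list means the 3-2-1 rule and the
    immutability requirement are met. Production counts as copy #1, as in the
    article's formulation (one production copy plus two backups)."""
    findings = []
    if len(backup_copies) < 2:
        findings.append("fewer than 3 copies in total (production + 2 backups)")
    if len({c.medium for c in backup_copies}) < 2:
        findings.append("backups are not kept on 2 different media types")
    if not any(c.offsite for c in backup_copies):
        findings.append("no offsite copy")
    protected = [c for c in backup_copies if c.offline or c.immutable_days > 0]
    if not protected:
        findings.append("no offline or immutable copy: an attacker controlling the "
                        "backup server can encrypt or delete every copy")
    elif not any(c.offline or c.immutable_days >= max_dwell_days for c in protected):
        findings.append(f"no offline copy and no immutable copy retained for at least "
                        f"{max_dwell_days} days (assumed maximum dwell time)")
    return findings

# Constructed inventories: a weak setup and its hardened counterpart.
WEAK = [BackupCopy("nas-daily", "disk", False, False, 0),
        BackupCopy("nas-weekly", "disk", False, False, 0)]
HARDENED = [BackupCopy("nas-daily", "disk", False, False, 0),
            BackupCopy("cloud-locked", "object-storage", True, False, 120)]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_3_2_1(inventory) or ["OK"])
```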
How does nFlo help organizations build and test BCP/DR plans that are resilient to cyber attacks?
At nFlo, we understand that modern business continuity management must be inextricably integrated with cyber security strategy. Our approach is to build bridges between these two, often isolated, worlds and create cohesive, cyber-proof crisis management plans.
We help our clients modernize and integrate their existing BCP/DR plans. We perform a gap analysis, identifying where traditional plans fall short in the face of threats such as ransomware. We facilitate the process of integrating an incident response (IR) plan with a business continuity plan, creating a single, consistent procedure in which the activities of the security team and the IT team are fully synchronized. Our unique value is the
