Planning for Expected Downtime in a Major Cyber Attack

In today's digital-first world, cyber attacks are no longer a matter of "if" but "when." As cyber threats become more sophisticated, businesses must be prepared to handle the inevitable downtime that follows a major incident. Whether it's a ransomware attack, a DDoS disruption, or a cloud service outage, the ability to anticipate, respond to, and recover from downtime is critical to operational resilience.

This guide provides a structured approach to planning for expected downtime in the event of a major cyber attack. By defining downtime scenarios, setting recovery objectives, and implementing a detailed response plan, organisations can mitigate the financial, operational, and reputational damage associated with prolonged disruptions.

1. Define the Downtime Scenarios

Type of Cyber Attack

  • Ransomware: Could result in days to weeks of downtime.
  • Data Breach: Systems may need to be taken offline for forensic investigation (hours to days).
  • DDoS Attack: If mitigations are in place, downtime is usually hours; without protection, it can extend to days.
  • Insider Threats/Malicious Deletions: Recovery depends on backup integrity (hours to weeks).
  • Cloud Service Outage: Dependent on the provider, ranging from minutes to days.

Severity of the Incident

  • Partial Disruption: Some systems offline but core operations continue (4-24 hours).
  • Full System Lockout: Company-wide impact, needing full recovery (3-14 days).
  • Regulatory Impact (GDPR, FCA Compliance): Data review and compliance assessments extend downtime (weeks).

Business-Critical System Dependencies

  • Identify systems that must remain online and those that can tolerate downtime.
  • Ensure redundant systems are available for mission-critical functions.

2. Establish Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)

RTO (Maximum Acceptable Downtime)

  • Mission-Critical Systems: Minutes to Hours (cloud platforms, financial transactions).
  • Operationally Critical Systems: 4-24 Hours (internal email, business applications).
  • Non-Critical Systems: 2-7 Days (marketing tools, file storage).

RPO (Maximum Data Loss Tolerance)

  • Near Zero Data Loss: Real-time backups for critical systems.
  • Last 4-12 Hours: Acceptable for operational systems.
  • Last 24-48 Hours: Acceptable for non-essential data.

3. Implement a Downtime Response Plan

0-6 Hours: Immediate Response

  • Activate Cyber Incident Response Plan (CIRP).
  • Isolate affected systems to prevent spread.
  • Communicate via alternative secure channels (Sentinel Spaces, WhatsApp).
  • Engage external cybersecurity experts for investigation.
  • Assess business impact and prioritise recovery steps.

6-24 Hours: Containment & Stabilisation

  • Notify customers, partners, and regulators if necessary.
  • Deploy backup and alternate systems.
  • Secure essential business functions (e.g., payment processing).
  • Validate backup integrity and assess data loss.

1-7 Days: Recovery & Restoration

  • Restore systems based on RTO priorities.
  • Test all recovered systems before full relaunch.
  • Monitor for reinfection or further threats.
  • Resume business-critical operations.
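The RTO/RPO tiers from section 2 and the "Restore systems based on RTO priorities" step above can be turned into a simple restoration queue. The following is an added example, not code from the guide or from YUDU Sentinel; the system inventory and incident time are constructed, and the 4 h RTO / 15 min RPO used for the mission-critical tier are assumed upper bounds where the guide only says "minutes to hours" and "near zero".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example (not from the guide). Tier bounds in hours from section 2; the guide says
# "minutes to hours" / "near zero" for mission-critical systems, so the 4 h RTO and
# 15 min RPO below for that tier are assumed values, not figures from the guide.
TIERS = {
    "mission-critical": {"rto_h": 4.0, "rpo_h": 0.25},
    "operational": {"rto_h": 24.0, "rpo_h": 12.0},
    "non-critical": {"rto_h": 168.0, "rpo_h": 48.0},
}

@dataclass
class System:
    name: str
    tier: str
    last_backup: datetime  # time of the last verified backup a restore would use

def rpo_status(system: System, incident_time: datetime):
    """Return (hours of data a restore would lose, whether that is within the tier's RPO)."""
    loss_h = (incident_time - system.last_backup).total_seconds() / 3600
    return loss_h, loss_h <= TIERS[system.tier]["rpo_h"]

def rto_deadline(system: System, incident_time: datetime) -> datetime:
    """Latest time the system must be back online to meet its tier's RTO."""
    return incident_time + timedelta(hours=TIERS[system.tier]["rto_h"])

def restoration_order(systems, incident_time: datetime):
    """Tightest RTO first; within a tier, the system with the largest data loss first, so
    RPO breaches that need a decision (older snapshot, manual re-entry) surface early."""
    return sorted(systems, key=lambda s: (TIERS[s.tier]["rto_h"], -rpo_status(s, incident_time)[0]))

# Constructed sample inventory and incident time for illustration.
INCIDENT = datetime(2025, 2, 27, 9, 0)
INVENTORY = [
    System("payments", "mission-critical", datetime(2025, 2, 27, 8, 55)),
    System("email", "operational", datetime(2025, 2, 26, 18, 0)),
    System("marketing", "non-critical", datetime(2025, 2, 25, 9, 0)),
    System("file-storage", "non-critical", datetime(2025, 2, 24, 6, 0)),
]

if __name__ == "__main__":
    for s in restoration_order(INVENTORY, INCIDENT):
        loss_h, ok = rpo_status(s, INCIDENT)
        flag = "ok" if ok else "RPO BREACH"
        print(f"{s.name:13} restore by {rto_deadline(s, INCIDENT):%Y-%m-%d %H:%M}  "
              f"data loss {loss_h:5.1f} h  {flag}")
```

In the sample run, email and file-storage are flagged as RPO breaches (15 h and 75 h of loss against 12 h and 48 h tolerances), which is the point at which the recovery lead must decide between an older snapshot and manual re-entry before the restore starts.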

7+ Days: Post-Incident Review & Strengthening Resilience

  • Conduct forensic analysis and root cause assessment.
  • Strengthen security measures, patch vulnerabilities.
  • Update Business Continuity & Incident Response Plans (BCP & CIRP).
  • Evaluate financial losses and initiate insurance claims.

4. Plan for Communication & Reputation Management

  • Internal Communication: Provide clear crisis updates to employees.
  • Customer Messaging: Be transparent with customers and provide regular updates.
  • Regulatory Reporting: Ensure GDPR, FCA, and ICO compliance for data breach disclosures.
  • PR & Media Handling: Assign a spokesperson and ensure legal review of statements.

5. Financial Planning for Downtime Impact

  • Assess financial reserves to cover business interruption, security services, and legal expenses.
  • Ensure cyber insurance coverage for ransomware, regulatory fines, and recovery costs.
  • Identify temporary alternative revenue streams to maintain cash flow.

6. Testing & Continuous Improvement

  • Conduct tabletop exercises and war games to test downtime readiness.
  • Run disaster recovery drills to validate failover systems.
  • Perform regular penetration testing to identify vulnerabilities.
  • Train employees on cybersecurity best practices to reduce risks.

7. Expected Downtime & Recovery Actions

Detection & Containment (0-6 hours)

  • Activate CIRP, isolate systems, engage response teams.

Recovery Start (6-24 hours)

  • Restore critical systems, communicate with stakeholders.

Full Recovery (1-7 days)

  • Restore non-critical systems, validate security, resume operations.

Post-Incident Review (7+ days)

  • Conduct forensic analysis, update response plans, strengthen security.

Final Thoughts

Cyber attacks are no longer rare, isolated incidents—they are an ongoing reality for businesses of all sizes and industries. The difference between organisations that recover swiftly and those that suffer prolonged disruption often comes down to preparation, execution, and adaptability.

By taking a proactive approach to downtime planning, organisations can significantly reduce the impact of a cyber attack. The key takeaways from this guide include:

  • The speed of your response dictates the severity of the disruption. The faster an organisation detects, contains, and mitigates a cyber attack, the shorter the downtime and the lower the overall damage. A well-rehearsed Cyber Incident Response Plan (CIRP) ensures a swift and coordinated response.

  • Regular testing builds realistic recovery expectations. Many businesses overestimate their ability to recover from an attack. Running tabletop exercises, disaster recovery drills, and real-world simulations exposes gaps in preparedness and helps refine response strategies.

  • Pre-planned crisis communication minimises reputational risk. Silence and ambiguity fuel speculation and distrust. Transparent, timely, and well-structured communication with employees, customers, regulators, and the media can maintain confidence and credibility during a crisis.

  • Cyber insurance can offset financial losses but is not a substitute for resilience. While cyber insurance can cover ransomware payments, recovery costs, and regulatory fines, it cannot repair lost customer trust or restore critical business operations overnight. A robust security posture remains the best defence.

  • Resilience is a continuous journey, not a one-time effort. Cyber threats evolve, and so should your approach to managing them. Regularly updating incident response plans, investing in cybersecurity training, and adopting the latest security technologies ensure that your organisation stays ahead of emerging risks.

Organisations that embed downtime preparedness into their broader business continuity strategy are not just protecting themselves against cyber threats—they are building a competitive advantage. Customers, partners, and stakeholders trust businesses that can demonstrate resilience in the face of adversity.

The goal is not just to recover from a cyber attack but to emerge stronger, more secure, and better prepared for the future.

Written by Richard Stephenson
27 Feb 2025
Richard is the CEO of crisis management software provider YUDU Sentinel. Richard has run public listed companies, mid-market private equity investments and tech start-ups. His professional skills include digital strategy, crisis management, risk and digital document publishing.