Boards & CEOs Ransomware Series #8: Are Our Backups Aligned With Business Needs?
Backups are like seatbelts—you rarely think about them until the crash. But when ransomware strikes, they’re often the only thing standing between a temporary outage and a full-blown business meltdown.
In August 2016, a power outage took down one of Delta Air Lines’ data centers in the US. They had backups, yes—but restoring systems took far too long. Flights were grounded, passengers stranded, and the cost? Roughly US$150 million. The issue wasn’t that backups didn’t exist—it was that recovery couldn’t keep up with the pace of the business.
That’s the hard question every board and CEO needs to face: Do our backups actually support our business, or are they just sitting idle in storage?
Backups Alone Won’t Save You—Speed and Strategy Will
Having backups is table stakes. What truly matters is whether those backups can bring your business back to life quickly and effectively.
When ransomware or a catastrophic failure hits, speed is everything. Delays in recovery don’t just mean downtime—they mean disrupted customers, operational chaos, missed revenue, and long-lasting brand damage. It’s not just about recovering data—it’s about recovering the business.
So how can the board and the CEO ensure backups are aligned with business objectives? Let’s break it down.
Does Recovery Speed Match Business Needs?
Restoring data isn’t enough. You need to restore operations—on time.
Every critical function in your business has a Recovery Time Objective (RTO): the maximum acceptable downtime before the damage becomes severe. If your RTO is 24 hours but it takes 72 to recover, you’ve got a major risk gap.
Look at Maersk in 2017. The NotPetya ransomware crippled global shipping. While backups existed, restoring systems took weeks. The result? Inactive ports and a US$300 million loss.
As a board or CEO, you should be asking:
What are our defined RTOs for all critical business functions, and do recent test results show we can meet them?
This isn’t just IT’s problem—it’s a strategic risk. If you can’t bounce back fast, the business suffers, period.
Are Our Vendors’ Recovery Capabilities Good Enough?
No business operates alone anymore. Payroll, CRM, finance, logistics, legal—so many functions now run on third-party platforms. But what happens when they go down?
Imagine a major payroll vendor goes down and its customers can’t pay their employees—not because those companies failed, but because they trusted a vendor that couldn’t recover on time.
This is where vendor due diligence gets real. You need to know their RTOs, test their claims, and hold them to contractually defined standards.
The board or the CEO should be asking:
How do we verify that our critical vendors' recovery capabilities are tested, aligned with our business continuity needs, and capable of minimizing operational and reputational damage if things go south?
If vendors fail, you take the hit—not them.
Are Our Cloud Backups Fast Enough—And Resilient Enough?
Cloud backups are great—until they’re not.
In 2021, a fire at an OVH cloud data center in France wiped out both live systems and hosted backups. It wasn’t just a downtime issue—it was a data loss event. Even when backups survive, recovery can be slow, expensive, and bandwidth-limited.
So what’s the plan? Are your cloud backups tested under real conditions? Can you meet your Recovery Point Objectives (RPOs) and RTOs? Are you using hybrid strategies to avoid a single point of failure?
Here’s the board and CEO-level question:
Do we have specific test results that prove our cloud recovery strategies can meet our business and regulatory expectations for continuity and data integrity?
Because if your only recovery plan relies on a cloud vendor’s vague assurance, that’s a risky bet.
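As an added illustration (not part of this newsletter, and not any vendor’s tooling), the Python script below turns the three questions above into a check a continuity team could run against its own drill records: each business function’s recovery time is worked out along its dependency chain (in-house systems, vendor platforms, cloud tiers), compared with the agreed RTO and RPO, and flagged where any component in the chain has never been drilled. The component names, drill timings and targets are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Component:                     # a system a function runs on: in-house, vendor-hosted or cloud
    name: str
    restore_hours: "float | None"    # measured in the latest restore drill; None = never drilled
    backup_interval_hours: float     # gap between restorable copies; bounds the achievable RPO
    depends_on: tuple = ()           # components that must be back before this one is usable

def chain_recovery(name, components, seen=()):
    """Worst-case (hours to restore, data-loss window) for a component and its dependency chain.
    Assumes restore of a component starts only after its slowest dependency is back (conservative)."""
    if name in seen:
        raise ValueError(f"dependency cycle at {name}")
    c = components[name]
    if c.restore_hours is None:      # never drilled: the whole chain's recovery time is unknown
        return None, None
    slowest_dep, loss = 0.0, c.backup_interval_hours
    for dep in c.depends_on:
        d_restore, d_loss = chain_recovery(dep, components, seen + (name,))
        if d_restore is None:
            return None, None
        slowest_dep, loss = max(slowest_dep, d_restore), max(loss, d_loss)
    return c.restore_hours + slowest_dep, loss

def assess(functions, components):
    """Map each function name to (verdict, restore_hours, loss_hours); verdict is 'OK',
    'untested', or the gaps found ('RTO gap', 'RPO gap')."""
    report = {}
    for fname, rto_hours, rpo_hours, component in functions:
        restore, loss = chain_recovery(component, components)
        if restore is None:
            report[fname] = ("untested", None, None)
            continue
        gaps = [g for g, bad in (("RTO gap", restore > rto_hours),
                                 ("RPO gap", loss > rpo_hours)) if bad]
        report[fname] = (", ".join(gaps) or "OK", restore, loss)
    return report

# Constructed drill data and targets, not figures from the article.
COMPONENTS = {
    "identity":     Component("identity", 2.0, 24.0),                # directory copied once a day
    "order_db":     Component("order_db", 3.0, 0.5, ("identity",)),  # logs shipped every 30 min
    "payroll_saas": Component("payroll_saas", 48.0, 24.0),           # vendor's stated figures
    "web_tier":     Component("web_tier", None, 1.0, ("order_db",)), # rebuild never rehearsed
}
# (business function, RTO hours, RPO hours, component it runs on)
FUNCTIONS = [("Order processing", 8.0, 1.0, "order_db"),
             ("Payroll", 24.0, 4.0, "payroll_saas"),
             ("Customer website", 4.0, 2.0, "web_tier")]
```

Running `assess(FUNCTIONS, COMPONENTS)` on this data shows the point of the article: order processing restores within its RTO but inherits a day-long data-loss window from the directory it depends on, the payroll vendor misses both targets, and the website cannot be judged at all because its rebuild has never been rehearsed.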
The Real Message: Test, Validate, Align
Ransomware resilience doesn’t come from having backups—it comes from knowing they work and that they’re aligned with how your business actually operates.
So here’s what the board and the CEO should ensure right now:
Recovery timelines must match real business impact thresholds.
Vendor recovery commitments should be tested, proven, and contractual.
Cloud recovery plans must be validated with data, not just assumptions.
In a ransomware crisis, slow recovery is no recovery.
That’s all for this week!
Cheers,
Siva