What major cyberattacks reveal about the cost of slow recovery

Cyberattacks often succeed not because they are sophisticated but because organizations lack reliable backups or struggle to restore data quickly. When recovery is slow, even minor disruptions can escalate, providing attackers with the time and leverage they need to deploy ransomware and halt operations.

When systems go down, every minute of downtime results in operational disruption, a drop in revenue, and lost customer trust. That is why the recovery time objective (RTO), which sets the maximum time to restore systems after an attack, is a vital part of any disaster recovery plan.

According to SPC IT's analysis, downtime can cost up to £330 per minute for small businesses and up to £12,500 per minute for large enterprises, highlighting why recovery speed matters as much as having backups.

Two historic cyber incidents illustrate this reality: the 2017 WannaCry ransomware outbreak and the 2021 Colonial Pipeline ransomware attack. Both show that even when backups exist, recovery timelines can still bring operations to a halt.

The WannaCry lesson

In May 2017, the WannaCry ransomware attack spread across 150 countries. It used the EternalBlue exploit, which targets Microsoft Windows, allowing the malware to rapidly infect unpatched systems. The United Kingdom's National Health Service (NHS) became the face of the crisis, with 81 NHS trusts affected, 19,500 cancelled appointments, and ambulances diverted from emergency departments.

The NHS had backup policies in place, but PublicTechnology, citing findings from the National Audit Office, noted that the NHS's response plan had not been tested locally. This left many trusts unclear about what to do when WannaCry struck. Without recovery coordination, hospitals were forced offline, relying on pen and paper for weeks.

The Colonial Pipeline crisis

Four years later, in 2021, Colonial Pipeline, the United States East Coast's fuel lifeline, fell victim to a ransomware attack by the DarkSide group, halting operations and sparking fuel shortages. This event shifted the focus of response from the existence of backups to recovery velocity.

Unlike many ransomware victims, Colonial Pipeline actually had functional, unencrypted backups. However, as reported by Fox Business, the company still shut down operations and paid a $4.4 million ransom in an attempt to expedite restoration using a decryption tool. Huntress’ analysis later revealed that the tool was agonizingly slow, ultimately forcing the company to rely on its backups. Despite having viable backups, the incident still resulted in a six-day outage.

Why RTO must work in practice

According to The State of Ransomware 2025 report by Sophos, while most organizations eventually recover their data after a ransomware attack, recovery times vary widely. Only 16% fully recover within a single day, while 53% take up to a week, and others even longer.

Many organizations invest heavily in backup infrastructure but fail to define or validate how quickly they can restore operations. Without a clear RTO, teams often discover recovery limitations only when a crisis is already underway.

A clearly defined and tested RTO helps organizations:

· Identify the most critical systems that must be restored first.

· Align backup infrastructure with business recovery timelines.

· Minimize operational disruption during cyber incidents.

· Reduce financial losses and maintain customer trust.

Know your recovery gaps before attackers do

These two attacks, years apart, highlight the same lesson: backup availability alone does not guarantee resilience. What matters is how quickly and confidently an organization can restore operations when systems go down.

Cyber resilience is not measured only by whether data survives an attack, but by whether recovery can happen within an acceptable business window. Many organizations assume their recovery timelines are sufficient, but few have validated them under realistic conditions.

Our recovery readiness assessment can help you determine whether your backup and recovery strategies can realistically meet your RTOs. Identifying the gaps in your readiness now can prevent costly disruptions later.