Do cyber-attacks mean that RTOs and RPOs are pointless?

Cyber-attacks are at, or near to, the top of the risk register for most organisations today, and with good reason. The average cost of a data breach was $4.45 million in 2023, the highest average on record. Not only that, around 4 in 10 UK businesses identified that they had been victims of such an attack, and because enhanced cyber security leads to more attacks being identified, that suggests less cyber-mature organisations may be underreporting.

It’s clear that cyber-attacks are a threat and have tangible unwelcome impacts, not only in terms of costs to the business, but also frequently in reputational damage and consequences for customers. And yet, organisations typically predicate much of their planning on the Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) defined in Business Continuity (BC), Business Impact Analyses (BIA), and Disaster Recovery (DR) plans.

  • Activity RTOs – What priority activities do we need to be able to resume, and when, following an incident?
  • IT RTOs – What infrastructure, application and data availability must we have up and running in order to support the activity RTOs?
  • IT RPOs – What data currency must we have available to support the activity RTOs?

Why do we use RTOs and RPOs?

They were “invented” in the late 1970s to provide targets for IT organisations to design their DR programmes. This was back when a disruptive incident meant that all production was down, and all hands were focused on the recovery effort. BC management programmes adopted those yardsticks to define the wider recovery requirements of the organisation following a disruption, and they’ve continued to be used to define the scope of DR programmes, data backup parameters, and recovery objectives.

The problem is that those yardsticks depend upon there being a reliable data backup that can be used to restore essential IT services which support the resumption of priority activities. If production and recovery IT assets are compromised following a cyber-attack, then the traditional cutover to the IT disaster recovery (DR) environment might be wrong, because the cyber attacker will be right there in the recovery environment as soon as you switch operations to your alternative data centre.

Returning to normal IT service availability following a cyber-attack can take many days (often a week or more), which is well beyond most organisations’ definition of an acceptable RTO. For example, the average ransomware attack in 2022 incurred 21 days of downtime and took a further 287 days to recover fully from the incident. The reason? It simply takes time (and a lot of it) to thoroughly eradicate malware, validate that it’s safe to resume operations, and repatriate confirmed clean data to the production environment.

So, what does this mean for RTOs and RPOs?

In short, it means that organisations have to think about Data Recovery in a very, very different way to Disaster Recovery, and the use of RTOs and RPOs as a means of defining recovery timescales and wider requirements is of very limited use.

Identifying Vital Data is key

Rather than simply looking at the IT services and data that support priority activities – those that are time-critical – organisations need to identify their vital data assets (VDAs): data that, if it were lost, would threaten the viability and sustainability of the business. VDAs and time-critical data are NOT likely to be the same thing, and recovering compromised data after a cyber-attack needs to be focussed on those VDAs. Their importance cannot be over-emphasised. Therefore, Business Impact Analyses (BIAs) – the foundational component of BC and IT DR – need to identify what these are, where they sit in the production environment, how they’re backed up, what their minimum acceptable recovery configurations and requirements are, as well as their technical profile (data types, size and growth rates, structured and unstructured, archive requirements etc.).

So, RTOs and RPOs simply don’t matter?

Well, not quite.

RTOs and RPOs can still provide a framework for some contingency planning in the event of a cyber-attack. They can help in defining timescales for the deployment of alternative work processes and manual workarounds to keep the business moving in the absence of key applications. They can also be used to define trigger points for communications to customers and key stakeholders when it’s clear that expected timescales for the delivery of products and/or services will not be met. They also have a role in mitigating the impacts associated with actual data loss.

But ultimately, there’s a known unknown – the timescales needed to ensure that clean data can be repatriated back to a malware-free production environment following a cyber-attack – and orthodox BC strategies and plans based on those RTO and RPO yardsticks might have to be discarded in favour of tailored strategies and plans that support prolonged unavailability or possible loss of vital data.

So the questions for every BC or IT manager are:

  • Do you actually know what your vital data assets are?
  • The last time you tried to restore production systems from backups, did you achieve your stated RTO/RPO?
  • Are you confident that following a cyber-attack that compromised your vital data, you’d be able to eradicate malware, validate that it’s safe to resume operations, and repatriate confirmed clean data to the production environment, all within your stated RTOs?
  • Do your current BC and ITDR plans incorporate activities to mitigate prolonged unavailability or loss of vital data?

If the answer to any of those questions is “no”, then it’s likely your cyber-resilience capabilities need some attention.
