Updated: July 08, 2026
Here is a question that cuts through every cybersecurity slide deck: ransomware encrypts your environment at 2 a.m. tonight. Could your critical systems be running again by 9 a.m.? Not "do you have backups", not "are you compliant", but could you actually be back, serving the business, before the working day begins? For most enterprises, the honest answer is no, and the data explains why. The average enterprise spends around 38 days recovering from a ransomware attack. Against that reality, "back by 9" sounds absurd. It is not. The gap between 38 days and a few hours is not luck; it is preparation, and this is what that preparation looks like.
Because it forces you to measure recovery, not just prevention. Most security investment goes into keeping attackers out, which matters, but no defence holds forever, and the question that decides whether an attack is a bad week or an existential event is how fast you recover. "Back by 9" is really a question about your recovery-time objective, the maximum time your business can be down before the damage compounds. Downtime is the true cost of ransomware, often far exceeding any ransom, so the speed of recovery, not the strength of the wall, is what protects the business once an attacker is inside. Asking "by 9?" turns an abstract risk into a number you can plan against.
The same attack produces two completely different mornings depending on readiness. The table follows the clock from the moment of detection.
| Time | A Prepared Organisation | An Unprepared Organisation |
|---|---|---|
| 2 a.m. | Attack detected; affected systems isolated automatically | Attack detected late; spread continues |
| 3 a.m. | Scope assessed against a known asset map | Teams scramble to understand what is hit |
| 4 a.m. | Clean-room recovery environment spun up | Debate begins over whether backups are safe |
| 5–7 a.m. | Priority systems restored from air-gapped, immutable copies | Backups checked; some found compromised |
| 8 a.m. | Recovered systems validated as clean and working | Manual recovery attempts; repeated setbacks |
| 9 a.m. | Critical services back; lower-priority systems queued | Still assessing; recovery measured in days |
The prepared organisation is not lucky. It has clean copies the attacker could not reach, a place to restore them safely, a rehearsed order of work, and the automation to move fast. The unprepared one is improvising under the worst possible pressure. Everything that separates the two columns is decided before the attack, not during it.
Five things, all built in advance.
The evidence is blunt: combining immutable backups with automated recovery has been shown to cut average recovery time from around 31 days to about 14, and organisations that test their backups quarterly recover far faster than those that do not. Readiness is measurable, and it pays back in hours saved.
An air-gapped backup is a copy of your data kept isolated from your live network, so an attacker who compromises your environment cannot reach or encrypt it. The isolation can be physical or logical, but the principle is the same: there is always a clean copy the ransomware never touched. This matters because the most common reason recovery fails is that the backups were reachable and were attacked along with everything else. An air gap is what guarantees you have something clean to recover from at all, and it is the foundation the rest of the recovery clock rests on.
Clean-room recovery means restoring your systems into a separate, known-good environment rather than back into the compromised one. If you restore clean data onto infrastructure where the malware still lurks, it simply re-encrypts your recovered systems, and the recovery fails in the most demoralising way possible. A clean room, an isolated, verified environment, lets you bring systems back, confirm they are clean, and reconnect them safely. It is the difference between recovering once and recovering repeatedly while the attacker keeps winning. Together, air-gapped copies and a clean room are what make a fast, reliable recovery possible rather than a hopeful one.
By tiering them to business priority, honestly. Your recovery-time objective is how fast a system must be back; your recovery-point objective is how much data you can afford to lose. Not everything needs to be back by 9, and pretending it does makes the whole plan unaffordable and unrealistic. The disciplined approach ranks systems into tiers: the handful of critical services that must return within hours, the important ones that can follow within a day, and the rest that can wait.
That ranking drives everything: what gets the air-gapped, fast-recovery treatment, what gets restored first, and where the budget goes. "Back by 9" is a realistic target for your critical tier, precisely because you have decided what belongs in it and engineered for that, not for restoring the entire estate at once.
The journey from a 38-day average to a same-morning recovery of critical systems is built from these parts: immutable and air-gapped backups, a clean-room to recover into, a tiered set of recovery objectives, a rehearsed and prioritised runbook, automation to move fast, and regular drills to keep it all real. None of it is exotic, and the payoff is measured in the hours and days of downtime you avoid, and the ransom you never have to consider paying. The organisations that recover by 9 are simply the ones that decided, in advance, that they would.
The difference between a bad morning and a bad month is built long before 2 a.m. Designing the air-gapped backups, the clean-room, the tiered objectives and the rehearsed runbook, and proving they deliver the recovery times you need, is where an experienced partner turns "we hope so" into "yes, by 9".
Proactive Data Systems designs and runs cyber recovery for Indian enterprises, built around tested, time-bound recovery, with air-gapped, immutable backups and clean-room recovery across Veeam, Veritas, Rubrik, ExaGrid and Dell EMC. We are a Cisco Preferred Cloud and AI Partner, Dell Platinum Partner and NetApp Preferred Partner, with 35 years in enterprise IT, more than 1,500 organisations served, and a 24/7 service desk in India. To find out what your recovery clock really reads, you can ask Proactive for a cyber-recovery readiness assessment.
We'll get back to you shortly.