- Traditional disaster recovery strategies typically focus on restoring the entire IT environment. It can take months, leaving businesses unable to function properly in the meantime.
- A minimum viable company is the leanest version of a business that is still capable of operating and serving its customers if parts of its systems or processes are disrupted. This approach helps organisations maintain continuous business, even amidst a cyber attack.
- By knowing in advance which systems and data to prioritise, organisations avoid the inefficiency of trying to restore everything at once. Recovery efforts can focus on the core environment that keeps operations moving, while the broader IT estate is brought back in parallel.
For modern organisations, the main challenge associated with cyber attacks has shifted from whether an attack will occur to how quickly they can restore essential operations once it does.
The incidents affecting M&S and Jaguar Land Rover (JLR) last year once again brought the scale of disruption into sharp focus. At M&S, recovering from an incident that came to light in late April 2025, reached a major milestone in early August when its click and collect services came back online. That’s nearly four months of lost revenue, not to mention the impact on brand reputation and consumer confidence.
The minimum viable company
Dealing with this kind of sobering reality requires a fundamental shift in perspective. A significant part of the problem is that traditional disaster recovery strategies typically focus on restoring the entire IT environment, a process that can take months, leaving even the most well-resourced businesses unable to function properly in the meantime.
So, what’s the alternative? This is where the Minimum Viable Company (MVC) concept comes into play.
An MVC is the leanest version of a business that is still capable of operating and serving its customers if parts of its systems or processes are disrupted. This approach helps organisations maintain continuous business, even amidst a cyber attack.
From an operational and IT point of view, what constitutes minimum viability will vary from one organisation to another, but typically the emphasis falls on areas such as communication and collaboration platforms, identity and access management and the core business applications that underpin supply chains, logistics, finance, customer services and, in the case of companies like JLR, production.
Without these essential services up and running, even a business that is technically ‘recovering’ can remain unable to function. The MVC, therefore, represents a practical starting point for resilience planning, bridging the gap between immediate continuity and longer-term restoration.
Defining an MVC
While the logic behind the MVC is straightforward, and recent research found that 36% of businesses recognise with its value, most organisations struggle to define and size it. The biggest barriers were found to be the complexity of existing systems and applications (52%), keeping recovery plans in line with changing business needs (47%), and difficulties separating ‘core’ systems from ‘broader’ operations (30%). Large enterprises, in particular, often lack a clear, documented view of the systems and processes that make up their minimum viable state, and even fewer have tested that view end to end.
A key part of the difficulty lies in the way IT functions are typically structured. Teams responsible for networking, storage, cloud platforms, collaboration tools and servers tend to operate in silos, which means critical dependencies between systems are easily overlooked. A customer-facing application, for example, may rely on ERP, warehousing and CRM platforms in the background. Without all of these aligned, restoring the front-end service alone achieves very little.
The complexity of hybrid infrastructures is another factor. With on-premises, SaaS, and cloud-native services running in parallel, determining what to recover and in what order is far from straightforward. The result is that organisations remain vulnerable to extended disruption, even when they believe they have resilience plans in place.
When a major incident occurs, incident response and recovery teams both need access to the same infrastructure under intense pressure. Safeguards that organisations expect to rely on frequently fail; disaster recovery sites can be compromised if they share the same domain and backups are often corrupted or encrypted.
As a result, identifying a clean restore point can take days, with further time needed to build infrastructure and validate applications. Total downtime of 20 to 23 days is not unusual – a period many organisations would struggle to withstand. This underlines why defining an MVC in advance is critical: it provides a baseline for recovery that avoids weeks of paralysis.
Sizing a minimum viable company
As a rule of thumb, allocating around 20% of production in terms of storage, compute and workload scope offers a workable resource baseline. This subset should be made immutable and air-gapped to protect it from compromise, with around 10% of that allocation reserved for a cleanroom or isolated recovery environment.
For example, an organisation with a 4-petabyte production estate could begin with 800 terabytes of immutable backup, of which 80 terabytes are set aside for clean recovery. While not a substitute for full MVC analysis, this approach provides a foundational layer of resilience while longer-term planning continues.
By knowing in advance which systems and data to prioritise, organisations avoid the inefficiency of trying to restore everything at once. Recovery efforts can focus on the core environment that keeps operations moving, while the broader IT estate is brought back in parallel.
Added to this, modern recovery platforms can also cut downtime dramatically. By continuously scanning backup copies for malware, identifying clean restore points, spinning up isolated recovery environments on demand and orchestrating application rebuilds with dependencies intact, recovery that once took 20 days can be reduced to a matter of hours or a single day.
Equally, bringing incident response and recovery into a single pane of glass is a big advantage, not least because it enables teams to ensure the right systems are restored in the right order. For smaller organisations this can begin with a minimal package — such as immutable backup of Microsoft 365 and secure Active Directory recovery — while enterprises can scale the same principles with consulting support. Either way, establishing a Minimum Viable Company can go a long way to mitigating the headline-grabbing risks of business downtime.
Darren Thomson is Field CTO EMEAI at Commvault.
Read more
The risks of supply chain cyberattacks on your organisation – Nick Martindale explores the risks to organisations associated with supply chain cyberattacks and what you should do about it
Will more AI mean more cyberattacks? – An increased use of AI within organisations could spell a rise in cyberattacks, explains Nick Martindale. Here’s what you can do
What the first 24 hours of a cyber incident should look like – The early stages following a cyber incident are arguably the most important. Here’s how to manage it and learn from it
