The first reflex after a cyberattack? Restore everything. This is also the first mistake, and it can be fatal.
When a cyberattack brings a company down, managers' first instinct is almost always the same: get everything back online, as quickly as possible. It is precisely this reflex that prolongs the crisis, because the question that separates organizations that recover from those that get stuck is not how to restore everything, but what to restore first, in what order, and with what degree of confidence.
The trend is not abstract. Data from ransomware.live counts 189 successful ransomware attacks in France in 2025, against 139 in 2024, and 122 already recorded over the first six months of 2026: a threat to organizations that keeps growing.
In its 2025 Cyber Threat Panorama, published on March 11, ANSSI reports having handled 1,366 security incidents over the year, a level that remains high and stable compared with 2024. Its director general, Vincent Strubel, describes a threat that has become “systemic”, marked by the blurring of the line between cybercriminals and state actors, and by the appearance of attacks with destructive physical effects. The series of coordinated attacks against Polish electricity infrastructure at the end of 2025 gave a concrete face to the scenario France fears for its own critical systems.
When the attacker’s objective is to destroy
For years, recovery plans were designed around a breakdown: a server that goes down, a site that fails, a piece of data to recover. Wiper attacks, whose purpose is to erase, change the picture. Their goal is not to encrypt for ransom, but to make systems unusable or untrustworthy. Blank workstations, severed access, halted activity: it is no longer a question of anticipating a partial failure, but a total outage.
Wanting to restart everything at once means running three risks at once. It slows recovery by saturating teams already under strain. It reinjects the vulnerabilities that allowed the intrusion. And it weakens trust at the precise moment it should be rebuilt. ANSSI gives a striking illustration: a company that detected the compromise before encryption chose to physically disconnect its data center. The decision may have avoided the worst, but it caused a total shutdown, an uncertain restart and the loss of traces useful to the investigation. The agency's lesson is unambiguous: containment is prepared in advance; it cannot be improvised in a hurry.
Define your vital minimum
The most resilient organizations adopt the opposite logic. Rather than aiming for a complete return, they define in advance, outside any crisis, their strict vital minimum, what English-speaking practitioners call the Minimum Viable Company: the smallest version of the company still able to operate, serve its customers and keep its commitments under extreme conditions.
This is not a technical matter but a management decision. It means identifying the minimum combination of people, processes, tools, documentation and dependencies that allows operation in degraded mode. Think of it as the emergency lighting of a building: just enough capacity to shelter the organization during the crisis and guide the way out.
Rebuild the foundations before relaunching the activity
Before restarting any business application, the foundation that lets you regain control has to be rebuilt: the base infrastructure (network, DNS, security tools), but also network diagrams, response plans, insurance contracts, contact details of outside experts, and secure, independent communication channels. In many incidents the first failure is not software but human: a company whose teams can no longer coordinate cannot recover.
At the heart of this foundation is identity management. Without a healthy identity directory, starting with Active Directory, no secure restoration is possible. These systems are not simple lists of users: once compromised, they can serve to redeploy malware or reopen backdoors. Restoring applications on top of a corrupted directory invites the attacker to take back control immediately. The absolute priority is therefore not to restart everything, but to restore confidence in access.
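The ordering the last two paragraphs describe, foundations first and no business application until the identity directory is verified rather than merely restored, can be written down as a small planner that a recovery team re-runs between waves. The Python below is an added example, not code from the article or from ANSSI; the service names, the dependency map and the recovery statuses are constructed for illustration.

```python
"""Recovery-order planner: restore foundations first and gate every business
application on a *verified* identity directory.

Added example, not code from the article or from ANSSI. The service names,
their dependencies and the recovery statuses below are constructed."""

# Constructed dependency map: each service lists what must already be back
# AND trusted before the service itself is restored.
DEPENDENCIES = {
    "network": [],
    "dns": ["network"],
    "backup-vault": ["network"],
    "security-tools": ["network", "dns"],
    "active-directory": ["network", "dns"],
    "file-server": ["active-directory", "security-tools"],
    "web-shop": ["dns", "active-directory", "security-tools"],
    "erp": ["active-directory", "file-server", "security-tools"],
}

# Constructed snapshot of where the recovery stands. Only "verified" counts as
# a usable foundation: "rebuilt" means restored from a clean image or backup
# but not yet checked for persistence (rogue admin accounts, altered group
# policies, backdoored images), so nothing may be layered on it yet.
STATUS = {
    "network": "verified",
    "dns": "verified",
    "backup-vault": "verified",
    "security-tools": "verified",
    "active-directory": "rebuilt",
    "file-server": "down",
    "web-shop": "down",
    "erp": "down",
}


def restore_plan(deps):
    """Full rebuild order as waves (Kahn's algorithm); each wave assumes the
    previous one has been restored and verified. Returns (waves, cycle):
    cycle lists services that can never be scheduled because they depend on
    each other (for instance a directory that needs DNS while DNS is hosted
    on the directory), which the team has to break by hand."""
    for svc, needs in deps.items():
        unknown = [d for d in needs if d not in deps]
        if unknown:
            raise ValueError(f"{svc} depends on unmapped service(s) {unknown}")
    indegree = {svc: len(needs) for svc, needs in deps.items()}
    dependents = {svc: [] for svc in deps}
    for svc, needs in deps.items():
        for d in needs:
            dependents[d].append(svc)
    waves, ready = [], sorted(s for s in deps if indegree[s] == 0)
    while ready:
        waves.append(ready)
        nxt = []
        for svc in ready:
            for t in dependents[svc]:
                indegree[t] -= 1
                if indegree[t] == 0:
                    nxt.append(t)
        ready = sorted(nxt)
    cycle = sorted(s for s in deps if indegree[s] > 0)
    return waves, cycle


def next_wave(deps, status):
    """What may be restored right now. Returns (ready, blocked, awaiting):
    ready    - down services whose dependencies are all verified;
    blocked  - down services mapped to the dependencies not yet verified;
    awaiting - services restored but not yet verified (the next gate)."""
    ready, blocked, awaiting = [], {}, []
    for svc in sorted(deps):
        state = status.get(svc, "down")
        if state == "verified":
            continue
        if state == "rebuilt":
            awaiting.append(svc)
            continue
        untrusted = [d for d in deps[svc] if status.get(d) != "verified"]
        if untrusted:
            blocked[svc] = untrusted
        else:
            ready.append(svc)
    return ready, blocked, awaiting


if __name__ == "__main__":
    waves, cycle = restore_plan(DEPENDENCIES)
    for i, wave in enumerate(waves):
        print(f"wave {i}: {', '.join(wave)}")
    if cycle:
        print("dependency cycle to break by hand:", cycle)
    ready, blocked, awaiting = next_wave(DEPENDENCIES, STATUS)
    print("awaiting verification:", awaiting)
    print("ready now:", ready or "nothing")
    for svc, why in blocked.items():
        print(f"blocked: {svc} waits for {why}")
```

With the constructed snapshot, nothing is ready: every business service is blocked on `active-directory`, which has been rebuilt but not verified, so the planner makes the verification step, not the restore step, the critical path. Modelling "rebuilt" and "verified" as distinct states is the point; a directory restored from a backup taken after the intrusion would otherwise be treated as a trusted foundation.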
A “cyber first aid kit”, away from the disaster zone
You still need to have the right things in the right place. Hence the value of a secure, isolated repository, a sort of cyber first aid kit, that brings together hardened system images, privileged credentials, identity recovery material, response playbooks, key contacts and essential licenses. Its defining characteristic: it lives outside the compromised production environment and remains accessible when everything else has fallen.
From theory to proof
A plan that has never been tested remains a reassuring fiction. Resilience is demonstrated in the field: clarity on critical services, a sound foundation, isolation of recovery assets, the ability to restore in a protected environment, a validated ability to operate in degraded mode. Repeated exercises, and these alone, make it possible to answer the only question that interests a board of directors: how long, concretely, does it take to bring our critical services back to a fully safe state?
This requirement is becoming an obligation. Since January 17, 2025, the European DORA regulation has required the financial sector to maintain continuity and recovery plans that are actually tested; the cyberattack on the service provider Harvest at the start of the year was a reminder of how exposed the subcontracting chain is. And the NIS2 directive, whose French transposition within the Resilience law is expected in the summer of 2026, will extend comparable requirements to 15,000 to 18,000 entities, well beyond large groups alone.
The real risk, ultimately, has never been the technical failure of backups. It lies in the inability to prioritize and control the return to normal. That is the difference between a recovery that is suffered, experienced as a technical operation, and a recovery that is managed, owned as a competence of the company.