惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Forbes - Security
Forbes - Security
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
P
Palo Alto Networks Blog
Martin Fowler
Martin Fowler
T
Threatpost
D
Docker
S
Schneier on Security
M
MIT News - Artificial intelligence
G
Google Developers Blog
L
LINUX DO - 热门话题
J
Java Code Geeks
月光博客
月光博客
博客园 - 三生石上(FineUI控件)
IT之家
IT之家
博客园 - Franky
C
Cyber Attacks, Cyber Crime and Cyber Security
K
Kaspersky official blog
Google DeepMind News
Google DeepMind News
N
News and Events Feed by Topic
V
Vulnerabilities – Threatpost
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
人人都是产品经理
人人都是产品经理
Spread Privacy
Spread Privacy
T
Tailwind CSS Blog
爱范儿
爱范儿
阮一峰的网络日志
阮一峰的网络日志
U
Unit 42
C
CERT Recently Published Vulnerability Notes
The GitHub Blog
The GitHub Blog
Simon Willison's Weblog
Simon Willison's Weblog
NISL@THU
NISL@THU
MongoDB | Blog
MongoDB | Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
H
Heimdal Security Blog
Recorded Future
Recorded Future
云风的 BLOG
云风的 BLOG
SecWiki News
SecWiki News
P
Privacy International News Feed
P
Proofpoint News Feed
O
OpenAI News
B
Blog
腾讯CDC
F
Full Disclosure
Apple Machine Learning Research
Apple Machine Learning Research
T
Tor Project blog
H
Hacker News: Front Page
Project Zero
Project Zero
Hugging Face - Blog
Hugging Face - Blog
C
Cisco Blogs
S
Security Affairs

Information Age

Is the SaaSpocalypse already over? - Information Age Stopping bad data from becoming bad business - Information Age Google I/O 2026 shows why enterprise AI governance needs an operating model Moving off the cloud – how to get repatriation right The AI inventory is the EU AI Act artefact most teams underestimate From speed to safety – how regulation is reshaping DevOps Quantum is coming. Here’s what CTOs can be doing today Small Language Models (SLMs) as the gold standard for trust in AI Your employees are waiting for your change programme to blow over How technical debt turns your IT infrastructure into a game you can’t win The business mobility trends driving workforce performance in 2026 Four actions CIOs must take to turn innovation into impact Eliminating blind spots – nailing the IPv6 transition Goodbye Software as a Service, Hello AI as a Service Smart auto-tiering vs. data reduction – logical efficiency vs. architectural efficiency The value of reducing middle office emissions for ESG How to match tech investment with real-world output
Why every organisation needs a minimum viable company strategy
Darren Thomson · 2026-05-14 · via Information Age

  • Traditional disaster recovery strategies typically focus on restoring the entire IT environment. It can take months, leaving businesses unable to function properly in the meantime.
  • A minimum viable company is the leanest version of a business that is still capable of operating and serving its customers if parts of its systems or processes are disrupted. This approach helps organisations maintain continuous business, even amidst a cyber attack.
  • By knowing in advance which systems and data to prioritise, organisations avoid the inefficiency of trying to restore everything at once. Recovery efforts can focus on the core environment that keeps operations moving, while the broader IT estate is brought back in parallel.

For modern organisations, the main challenge associated with cyber attacks has shifted from whether an attack will occur to how quickly they can restore essential operations once it does.

The incidents affecting M&S and Jaguar Land Rover (JLR) last year once again brought the scale of disruption into sharp focus. At M&S, recovering from an incident that came to light in late April 2025, reached a major milestone in early August when its click and collect services came back online. That’s nearly four months of lost revenue, not to mention the impact on brand reputation and consumer confidence.

The minimum viable company

Dealing with this kind of sobering reality requires a fundamental shift in perspective. A significant part of the problem is that traditional disaster recovery strategies typically focus on restoring the entire IT environment, a process that can take months, leaving even the most well-resourced businesses unable to function properly in the meantime.

So, what’s the alternative? This is where the Minimum Viable Company (MVC) concept comes into play.

An MVC is the leanest version of a business that is still capable of operating and serving its customers if parts of its systems or processes are disrupted. This approach helps organisations maintain continuous business, even amidst a cyber attack.

From an operational and IT point of view, what constitutes minimum viability will vary from one organisation to another, but typically the emphasis falls on areas such as communication and collaboration platforms, identity and access management and the core business applications that underpin supply chains, logistics, finance, customer services and, in the case of companies like JLR, production.

Without these essential services up and running, even a business that is technically ‘recovering’ can remain unable to function. The MVC, therefore, represents a practical starting point for resilience planning, bridging the gap between immediate continuity and longer-term restoration.

Defining an MVC

While the logic behind the MVC is straightforward, and recent research found that 36% of businesses recognise with its value, most organisations struggle to define and size it. The biggest barriers were found to be the complexity of existing systems and applications (52%), keeping recovery plans in line with changing business needs (47%), and difficulties separating ‘core’ systems from ‘broader’ operations (30%).  Large enterprises, in particular, often lack a clear, documented view of the systems and processes that make up their minimum viable state, and even fewer have tested that view end to end.

A key part of the difficulty lies in the way IT functions are typically structured. Teams responsible for networking, storage, cloud platforms, collaboration tools and servers tend to operate in silos, which means critical dependencies between systems are easily overlooked. A customer-facing application, for example, may rely on ERP, warehousing and CRM platforms in the background. Without all of these aligned, restoring the front-end service alone achieves very little.

The complexity of hybrid infrastructures is another factor. With on-premises, SaaS, and cloud-native services running in parallel, determining what to recover and in what order is far from straightforward. The result is that organisations remain vulnerable to extended disruption, even when they believe they have resilience plans in place.

When a major incident occurs, incident response and recovery teams both need access to the same infrastructure under intense pressure. Safeguards that organisations expect to rely on frequently fail; disaster recovery sites can be compromised if they share the same domain and backups are often corrupted or encrypted.

As a result, identifying a clean restore point can take days, with further time needed to build infrastructure and validate applications. Total downtime of 20 to 23 days is not unusual – a period many organisations would struggle to withstand. This underlines why defining an MVC in advance is critical: it provides a baseline for recovery that avoids weeks of paralysis.

Sizing a minimum viable company

As a rule of thumb, allocating around 20% of production in terms of storage, compute and workload scope offers a workable resource baseline. This subset should be made immutable and air-gapped to protect it from compromise, with around 10% of that allocation reserved for a cleanroom or isolated recovery environment.

For example, an organisation with a 4-petabyte production estate could begin with 800 terabytes of immutable backup, of which 80 terabytes are set aside for clean recovery. While not a substitute for full MVC analysis, this approach provides a foundational layer of resilience while longer-term planning continues.

By knowing in advance which systems and data to prioritise, organisations avoid the inefficiency of trying to restore everything at once. Recovery efforts can focus on the core environment that keeps operations moving, while the broader IT estate is brought back in parallel.

Added to this, modern recovery platforms can also cut downtime dramatically. By continuously scanning backup copies for malware, identifying clean restore points, spinning up isolated recovery environments on demand and orchestrating application rebuilds with dependencies intact, recovery that once took 20 days can be reduced to a matter of hours or a single day.

Equally, bringing incident response and recovery into a single pane of glass is a big advantage, not least because it enables teams to ensure the right systems are restored in the right order. For smaller organisations this can begin with a minimal package — such as immutable backup of Microsoft 365 and secure Active Directory recovery — while enterprises can scale the same principles with consulting support. Either way, establishing a Minimum Viable Company can go a long way to mitigating the headline-grabbing risks of business downtime.

Darren Thomson is Field CTO EMEAI at Commvault.

Read more

The risks of supply chain cyberattacks on your organisation – Nick Martindale explores the risks to organisations associated with supply chain cyberattacks and what you should do about it

Will more AI mean more cyberattacks? – An increased use of AI within organisations could spell a rise in cyberattacks, explains Nick Martindale. Here’s what you can do

What the first 24 hours of a cyber incident should look like – The early stages following a cyber incident are arguably the most important. Here’s how to manage it and learn from it