Survival is decided by the RTO. Why you need to know it before the crisis. RTO, Recovery Time Objective, is actually the time a company can hold its breath. When systems grind to a halt, the business operates in emergency mode, and each additional hour is more expensive and more risky.
Not every management asks this question in time, but it is the management that decides whether the company will survive the crisis or not. Today, modern cyber-attacks are not just about data leakage; increasingly, they can bring production, delivery and revenue to a complete halt. At the moment the machines are standing still, the most expensive time in a company’s history is running out. If the RTO is 72 hours, for example, that means that after three days of downtime, the business is already entering the danger zone: reputational, legal or existential, i.e. financial.
That’s why it’s important to know the limit of how long you can stand the outage. This time is not determined by feeling or intuition, but by an analysis of the impact on the business. It will show which processes need to be restored first, how much time you have to recover safely, and what level of data loss you can afford (RPO). Together, this establishes the company’s baseline tolerance for any outage.
RTO is not generated by estimation but by analysis
Thus, an assumption such as “we could probably make it work” is not sufficient to determine a realistic RTO. Business impact analysis is for that. A BIA analysis will determine exactly which processes are critical, how quickly they must be restored, and what losses are incurred when they are down.
For example, a typical BIA output might show that shipping needs recovery within 4 hours, a production line within 12 hours, and an accounting system within 48 hours. It is these differences that are the key to setting the right survival strategy.
The BIA is no longer just a recommendation, but also a requirement of the Cybersecurity Act legislation and the European NIS 2 Directive. Its results form the basis for the entire security strategy, from backup to crisis scenarios. If a company assesses that it can survive a maximum of one week without production, all technologies, processes and contractual relationships must be built to be able to resume operations within seven days. Not in theory, but in reality, when the situation is at its worst.
When a minute is worth more than a whole protection
The loss of production has direct and measurable financial consequences, often far greater than any fines or investment in prevention. It is not an abstract threat, but an immediate drain on the company’s money. The more automated and intertwined with supply chains a business becomes, the faster it loses money.
This is the reality of global incidents:
Jaguar Land Rover (2025)
The cyber attack halted production for more than five weeks, affecting 30 thousand employees and up to 200 thousand people in the supply chain. Over 5 thousand organisations were affected.
Losses exceeded £1.9 billion, sterling, with the firm losing millions a day. Losses at the Slovakian Nitra plant exceeded €5 million a day, with thousands of employees staying at home. The incident showed that even global brands are vulnerable if they don’t have separate IT and OT networks.
While IT systems manage information, OT systems manage the production itself – and their interconnection without adequate protection is one of the most common weaknesses of industrial enterprises.
Norsk Hydro (2019)
The LockerGog attack paralysed Norsk Hydro’s IT infrastructure and halted production in the Extruded Solutions division. More than 35 thousand employees in 40 countries were affected. The company had to switch to manual processes, close some plants and restore systems from offline backups. The total damage amounted to 75 million USD.
The company’s CFO Eivind Kallevik admitted at the time: “An hour of downtime cost us more than a full day’s investment in cybersecurity. In practice, I see that companies most often underestimate just how much time they actually need for a full recovery – and the difference between estimate and reality is dramatic.”
What it means in reality
Imagine an ordinary Monday morning. The operator reports that the line is unresponsive, but at first it looks like a minor outage. An hour later, three production sections are standing by, dispatch is waiting, and the customer calls to ask why the delivery is late. This is the moment when an unexpected incident turns into a chain reaction of losses.
According to an analysis by IBM and the Ponemon Institute, recovery from such an attack takes an average of 11 to 22 days, with costs rising with each day of downtime. The average financial damage exceeds €1.8 million before any ransom is paid, and that’s just for the losses caused by the interruption to production and systems recovery.
The Check Point Threat Intelligence Report of July 2025 states that the manufacturing sector in Slovakia faces an average of 958 cyber attacks per week. Ransomware is the biggest threat, capable of shutting down operations completely. This is no longer about the IT budget, but about the ability of the business to breathe. Attackers mainly target the availability of systems because they know that halted production hurts more than stolen data.
What a ready company looks like
While the GDPR focuses mainly on protecting personal data, cyber attacks in industry have a completely different dynamic. Their goal is not to steal data, but to halt production, disrupt operations and cause financial or reputational damage. Modern manufacturing is fully dependent on IT and OT systems, logistics, digital communications and real-time warehouse management. Downtime no longer assumes a “paper mode” as it did 30 years ago. Without systems, manufacturing does not exist today.
A well-prepared company knows its RTO for each critical process, regularly tests recovery from backups, has clear decision-making procedures for the first hours of an incident, and doesn’t count on IT to solve everything on its own. Preparedness means that in times of crisis, panic doesn’t set in, but a plan is implemented.
The 5 most common mistakes companies make when planning a renewal
- We believe that backup equals restore
To backup is not to be able to restore. Many businesses only discover when they are attacked that their backups are incomplete, out of date or inaccessible. A properly set up backup system should follow the 3-2-1-1-0 rule. This means having three copies of data, stored on two different types of media, with one copy kept offsite from the main site and another copy kept offline, i.e. physically disconnected from the network, to protect it from ransomware attacks. The last zero in the rule symbolizes zero recovery testing errors – that is, regular and automated verification that backups are not only available, but actually recoverable. - We set the RTO ourselves, without data and without testing
Recovery time is often “estimated” managerially, not technically. Yet the reality is almost always longer than the company assumes. - A recovery plan exists, but only on paper
Crisis scenarios tend to be nicely documented, but have never been tested in practice. If the plan does not pass simulation, it is only an illusion of safety. - IT solves everything
Production recovery is not just a technical problem. It involves logistics, communication with customers, management decision-making, suppliers and legal action. - Why would they hack us, we are not interesting
Attacks today are not targeted by prestige, but by vulnerabilities. Automated ransomware campaigns are also hitting small and medium-sized businesses, often the very ones that “have no reason to fear”.
Let’s go back to the question in the headline: How long?
How long can your company afford not to produce? If you can’t answer it accurately, it’s not just an information gap. It’s a risk that has a price, and it can be liquidating. This is an answer the company cannot fill in retrospectively after the incident. The value of the RTO must be determined in times of calm, when there is room for analysis and planning, not in times of chaos. The investment in prevention is always less than the cost of downtime. The same rules apply not only to large corporations, but also to medium and small businesses. The latter are often even more vulnerable. That’s why now is the time to find out what your RTO is and whether you’re ready to resume operations under realistic conditions.
The most expensive time in any company is the time in which nothing is produced.
