If there’s one thing we’re all hyperaware of these days, it’s that nothing is set and forget.

A new year typically signals that it’s time to review our disaster recovery (DR) processes, practices and technology. For most of us, it’s not because we ‘got it wrong’ last year, but because the pace of change means we need to re-evaluate what we got right, see what we can learn from others less fortunate, advances in technology, and what we can take on board and apply to our own organisations.

With a significant array of external forces – from cybercrime to floods to system failures – keeping us on our toes and second-guessing our own vulnerability, a near-enough DR plan isn’t nearly good enough.

Three key strategies to ensure business continuity

1. Make it (semi) permanent

An investment in immutable backups as part of your disaster recovery strategy will dramatically improve your organisation’s resilience.

You’ve likely already got backup under control with your 3-2-1-1 strategy. The 3-2-1-1, of course, refers to the best-practice approach of making three copies of your data, which you store on two different media: one copy off-site and the other a cloud-based, immutable or air-gapped backup.

It’s tweaking that last backup option that’s potentially a game-changer for your business.

If you’ve opted for air-gapped backups, then you’re relying on the practice of disconnecting your storage medium from your systems – it’s completely offline and safe from malware, viruses or ransomware. The only problem is that, even though it’s not connected to your network, a disgruntled admin or a malicious actor planted within your company can still sign in to the server and delete, corrupt, or encrypt your data.     

Whereas, if you opt for immutable backup, you’re locking that data down. This approach uses write-once, read-many (WORM) policies or object-lock technology to make your data impervious to change. Yes, it can be accessed and read on demand, but it can’t ever be overwritten or altered – regardless of the user’s permissions.

The data lockdown period can be set (to say, 90 days), and at the end of that period, it’s unlocked, and your data is no longer immutable. While you can choose to lock it down permanently, since out-of-date data is generally of no use, it’s neither recommended nor necessary.

Some key benefits of immutable backups include:

• Audit trails to show who accesses the data and controls to determine who can access it.
• Your data is protected from ransomware or someone trying to make malicious changes.
• You’ll always have clean, trustworthy data
• The integrity of your data is guaranteed – no bit-rot (the slow, silent corruption of digital data over time), corruption or accidental overwrites
• Ticks all the compliance boxes for immutability or retention requirements for a wide range of industry frameworks (HIPAA, etc.)
• Easy and fast recovery with data that’s never corrupted and always ready to use
• Reduced operational and human error risks with accidental deletion impossible
• Lower costs with cloud-based immutable solutions

2. Set realistic targets, and stick to them

Your DR strategy should never reflect unrealistic and unachievable expectations. It should reflect realistic, appropriate RTOs (recovery time objectives) and RPOs (recovery point objectives) that together will protect your business and boost its resilience.

Here’s why – together – they’re important:

1. They protect your bottom line

Every minute of downtime counts. The inability to operate can lead to significant financial losses, especially for e-commerce, financial services, or SaaS companies. Lower RPO values mean you’ve lost less data between backups. And having no gaps in your data is critical for maintaining data integrity, meeting regulatory or compliance requirements, and retaining customer trust.

2. It’s all about balance (the right balance, that is)

The relationship between RTO/RPO and cost is exponential. If you want to achieve a near-zero target, then you need to make a significant investment in your infrastructure and resources. So, the key is finding targets that align with your actual real-world business needs (and budget) rather than pursuing goals that simply make you look good.

For example, you could consider a tiered approach where, for your mission-critical systems, you have an RTO of between one and four hours and an RPO of 15 minutes. Whereas for your non-critical systems, an RTO of 48 hours and RPO of 24 hours may be perfectly acceptable.

In terms of best practice, get the balance right by:

• Carrying out a business impact analysis to determine your business’s actual (not imagined) tolerance for downtime and data loss
• Base your targets on the requirements of your business, not just your IT capabilities
• Test regularly to ensure your targets are achievable in real scenarios as well as on paper
• Communicate the costs to your leadership team so they understand the trade-offs you’re recommending
• Review your RTO/RPO annually (or if you’re going through a significant phase of change or growth)

The goal isn’t to have the most aggressive targets possible – few businesses can either afford them or even need them. As long as your targets are achievable and appropriate, you’ll still deliver operational resilience without breaking the bank.

3. Test, don’t guess

Thoughts and prayers are never enough if you’re planning to survive a cyberattack or a natural disaster. And guesswork is not your friend either.

What looks and sounds like best practice on paper doesn’t necessarily translate into a smooth, successful, and reliable recovery in real life. An untested disaster recovery plan is…a disaster waiting to happen when you can least afford it.

The roll over into a new year is the ideal time to put your current plan through its paces – and put theories to the test. Only testing will reveal if your disaster recovery plan has critical flaws, including:

• Configuration errors in your backup systems or failover procedures
• Documentation that’s out of date and doesn’t capture your current infrastructure
• Overlooked dependencies between your systems  
• Not enough resources in terms of bandwidth or storage capacity
• Team members who aren’t clear about their responses and responsibilities
• System vulnerabilities that no one expected

It’s only by applying the lens of best practice and diligently testing your disaster recovery plan regularly that you can transform it into a reliable lifeline when disaster strikes.   

What next?

If you’re even the slightest bit unsure whether those best laid plans will help you survive a disaster, then let’s chat. Improvement is always possible, and adding resilience is rarely regretted.

In the world of cybersecurity, acronyms are everywhere. For tech decision-makers trying to prevent a breach, the distinction between these acronyms isn’t just semantics – it’s the difference between a secure network and a very expensive headache.

Two of the most commonly confused terms are MDR (Managed Detection and Response) and SOC (Security Operations Centre).

While they are often sold as interchangeable silver bullets, they are fundamentally different disciplines. Relying on one without the other is a bit like installing a high-tech alarm system but leaving your front door wide open.

To build true cyber resilience, you need to cut through the noise and understand why SOC and MDR are simply better together.

What is Managed Detection and Response (MDR)?

At its core, MDR is a service designed to hunt, investigate, and respond to threats. It is, by nature, reactive. It assumes that the ‘bad thing’ has already happened or is currently happening, and its job is to detect it, capture it, and respond to it.

Think of MDR as the digital equivalent of reviewing security footage after a break-in. You can see exactly how the intruder got in, what they touched, and where they went. It is vital for understanding the scope of an attack and remediating it, but it is often retrospective.

You can purchase off-the-shelf MDR solutions from vendors like Arctic Wolf or CrowdStrike. These tools are excellent at investigating incidents – answering the ‘what,’ ‘how,’ and ‘who’ of a breach.

However, according to the 2025 Security Operations Report from Arctic Wolf, attackers are increasingly launching their assaults during “off-business hours.” The report highlights that 51% of security alerts are now triggered outside of the standard workday, making continuous, 24×7 visibility across the entire IT environment an absolute necessity, not just a nice-to-have.

What is a Security Operations Centre (SOC)?

If MDR is the team reviewing the footage after the fact, then the SOC is the security guard watching the live monitors 24/7, patrolling the perimeter, and checking that the windows are locked before anyone tries to climb through.

A SOC is proactive. It scans your entire environment – looking at logs, traffic analysis, and telemetry data – to ask, ‘Where are our vulnerabilities?’ and ‘Is this behaviour normal?’

Unlike a standalone MDR tool that might flag a specific malware signature, a SOC looks at the bigger picture. It might notice an open port that shouldn’t be there or user behaviour that deviates slightly from the norm. It leverages SIEM (Security Information and Event Management) data to aggregate logs and identify patterns that a single lens of telemetry might miss..

The power of combining MDR and SOC

As mentioned, the belief that deploying an endpoint MDR agent provides total coverage is a risky misconception.

When you rely solely on MDR, you are often looking at the world through a limited perspective. You might see what’s happening on the endpoint, but you’re missing the network traffic, the cloud logs, and the identity management data. You are effectively blind to the ‘grey area’ activity that precedes an attack.

Conversely, a SOC without strong response capabilities can suffer from ‘analysis paralysis’ – identifying threats but lacking the tooling or authority to stop them instantly.

As noted in recent industry analysis, while MDR focuses on rapid detection and containment, a SOC provides the broader organisational oversight required to maintain a hardened security posture.

The most secure organisations don’t choose between MDR and SOC – they combine them to build a stronger defence. Here’s why this integration is essential:.

• Clear insights
  A SOC collects data from your entire infrastructure – firewalls, servers, cloud environments, and Intrusion Detection and Prevention System (IDPS). When you layer MDR on top of this, you give your ‘hunters’ a complete map of the terrain. They aren’t just seeing a virus alert – they are seeing the traffic that led to the download and the user account that authorised it.
• Proactive and reactive mindset
  You need someone checking the locks (SOC) and someone ready to tackle the intruder (MDR). A SOC ensures your environment is hardened against attacks by identifying vulnerabilities proactively. If a sophisticated actor does slip through, the MDR capability kicks in to contain the threat immediately.
• Smarter threat containment
  One of the critical advantages of a combined approach is the ability to take an endpoint offline safely. In a standalone scenario, isolating a critical server might cause more business disruption than the attack itself. With the telemetry and context provided by a SOC, an MDR team can make informed decisions about containment – cutting off the attacker without cutting off your business.

The verdict

The message is clear. To keep your data safe in a landscape populated by increasingly sophisticated threats, you need the proactive vigilance of a SOC combined with the reactive speed of MDR.

It’s not an ‘either/or’ decision. It’s about ensuring that when you leave the house, the doors are locked, the alarm is on, and someone is watching the cameras.