Cyber & Governance

Cyber security has two jobs. Most businesses only focus on one.

Stopping an attack is one half of the problem. The other half is what you do when it fails. I've sat in enough post-incident conversations to know which half most businesses haven't thought about.

Dave Lane·6 min read·May 2025

Every business I speak to has done something about cyber security. Multi-factor authentication, endpoint protection, maybe some staff training. Good. That is the right starting point.

But almost none of them have answered a different question: what happens on the day it doesn't work?

Because it will not always work. Attackers only need to get lucky once; your defences need to work every time. That is not a criticism of your IT team, it is just the maths. Any honest security professional will tell you the same.

Prevention and recovery are two completely different things

Prevention is everything you do to stop an incident happening. Patching, access controls, firewalls, training staff not to click things they should not. You probably have most of this covered, at least partially.

Recovery is everything you need to do after an incident happens. This is where most businesses are completely unprepared, not because they are careless, but because nobody has ever asked them to think about it.

A backup is not a recovery plan. A backup is a file. Recovery means knowing how long it takes to restore from that backup under pressure, who makes decisions while your systems are down, what you tell clients, whether you are legally required to report anything, and who calls your insurer. Those are business questions, not IT questions.

What I actually see when things go wrong

I have been called in after incidents more times than I would like. The pattern is almost always the same.

The business had IT support. IT support was doing a decent job on the prevention side. But nobody had ever sat down with the MD and worked out: if this happened, what would we do in the first two hours? Who calls who? What do we keep running? When do we tell clients?

So those decisions get made under pressure, without preparation, by people who are simultaneously trying to understand what has happened and contain it. That is when mistakes get made that make a bad situation worse.

One business I worked with had backups running every night. When they were hit with ransomware, they discovered the restoration process took 36 hours, information that would have been very useful to know beforehand. Another had cyber insurance, but nobody in the room knew what it covered or who the claims contact was.

What a basic recovery plan actually covers

You do not need a 50-page document. You need honest answers to a small number of questions, written down somewhere people can find them when they are stressed:

  • Who is in charge during an incident, and who steps in if they are not available?
  • What does your cyber insurance actually cover, and who do you call?
  • What are your GDPR reporting obligations if personal data is involved? (72 hours to the ICO in some cases)
  • What do you say to clients, and who approves it before it goes out?
  • Have you actually tested your backups? Not just checked that they ran, but tested that you can restore from them?
  • At what point do you bring in external specialist help, and who is that?

None of this is complicated. It just needs someone to work through it before the day you actually need it.

The question worth asking yourself now

If something went seriously wrong with your IT tomorrow morning, would the people in your business know what to do? Not in theory, in practice. Could they actually execute a response without you having to make every decision yourself?

If the honest answer is no, the gap is not in your prevention. You probably have reasonable prevention in place. The gap is in everything that comes after.

"Prevention is what you invest in hoping you never need it. Recovery planning is what determines whether the investment was enough, or whether you can survive when it wasn't."

If you want to think through where your gaps are, I am happy to have that conversation.

Dave Lane

Fractional IT Director

25 years working across IT infrastructure, cyber security, risk, and governance. I work with business owners and MDs as their independent IT director. No vendor commissions. No managed services to sell.

Sound familiar?

If any of this resonates, let's have a conversation. No sales process. Just an honest conversation about what you're dealing with.