• 03/31/2026
  • Technical contribution

When IT Comes to a Standstill: How Business Continuity Keeps Companies Operational

In light of rising cyber risks and complex IT dependencies, prevention alone is no longer enough. As the following article shows, business continuity is becoming a strategic competitive factor. It safeguards critical processes, minimizes downtime, limits damage, and makes companies resilient in the event of an emergency.

Written by Markus Zeischke



Cyber resilience is also taking on a new strategic significance in Europe. Attacks on businesses are no longer aimed solely at extorting ransom payments, but increasingly target economic stability, supply chains and critical infrastructure. States and state-affiliated actors are deliberately using cyber operations as a geopolitical tool. For businesses, this means that resilience is no longer just about IT security – it is becoming an integral part of economic and social stability.

It’s Monday morning, 7:52 a.m. Employees at a medium-sized company turn on their computers and find that nothing works. Their files are encrypted and a ransom note appears on their screens. Production comes to a standstill. What follows are not just hours, but often weeks of downtime, resulting in data loss, contractual penalties, and reputational damage. For many companies, such an incident can threaten their existence.

The latest figures from the Federal Office for Information Security (BSI; source in German) show that such scenarios are by no means exceptional: In January 2026 alone, around 4.61 million new malware variants were registered. That equates to 149,000 new malicious programs per day. Meanwhile, the BSI botnet index reached 800 points, indicating eight times more actively infected systems than in 2019.

What can companies do if an attack succeeds, despite numerous security measures? This is where business continuity planning comes into play – the strategy that ensures a company can continue to operate even if part of its IT infrastructure fails or is compromised. Without such a plan, a company must improvise when it matters most.

 

From a focus on protection to a resilience strategy

For a long time, companies operated under the simple principle that if they were protected enough, they wouldn't be attacked. Firewalls, virus scanners, and access restrictions were the tools of this fortress-like logic. However, this way of thinking has a fundamental flaw: it only works as long as the walls hold.

Today, more and more European security leaders are thinking differently. This new principle is called “Assume Breach.” In other words: Assume that the attack has already taken place. This is not pessimism, but rather a strategy. Those who ask, "How do we remain capable of acting if an attack succeeds?" rather than "How do we prevent every attack?" make fundamentally different decisions. 

This transformation is not just technical. Resilience means an organization can continue to function even when parts of it fail: employees know what to do, and there are communication channels that are independent of the affected systems.

In Europe, where supply chains, energy supplies, and production processes are deeply intertwined with digital systems, a single failure can have far-reaching consequences.

Operators of critical infrastructure (KRITIS) – such as energy, transport, healthcare or financial systems – are a particular target of modern cyberattacks. In such cases, an IT failure can not only cause economic damage but also have wider societal implications. 

The economic consequences are sobering. The costs resulting from downtime, such as lost orders, contractual penalties, restoration costs, and reputational damage, often exceed the actual damage caused by the attack itself. Downtime is expensive. Often, it is more expensive than anything else.

Business continuity and disaster recovery (BCDR) is the organized response to this reality. It is not an emergency folder gathering dust, nor a crisis plan that nobody knows about. Instead, it involves concrete preparations to ensure that the company can still make decisions, deliver, and communicate even when the usual infrastructure breaks down. Companies that take BCDR seriously have a decisive advantage over attackers and the competition when it matters most.

 

BCDR as a core business decision

For a long time, business continuity was the responsibility of the IT department, including backup frequencies, storage locations, and recovery times. But those days are over: behind the dry acronyms RTO (Recovery Time Objective) and RPO (Recovery Point Objective) lie questions that strike at the very heart of a business.

  • How long can a production line remain idle before contracts fall through?
  • How many hours can a payment service provider be offline before customers lose trust?
  • How much data loss is economically tolerable?

These are not infrastructure parameters. They are management decisions and should be treated as such.

For European companies, there is an additional dimension: resilience must not only function properly, it must also be compatible with local requirements for data protection, governance, and regulation. Examples include DORA for the financial sector and NIS2 for critical infrastructure. In recent years, European lawmakers have made it unmistakably clear that resilience is not optional.

In Europe, therefore, resilience means not only getting back on your feet quickly, but also doing so on the right foundation.

 

New protective measures are required in the face of modern threats

Those who believe that a good backup is the answer to every attack underestimate how professionally today's attackers operate. Modern ransomware groups know that companies with intact backups have little reason to pay. So, they target the backups first.

Their approach is often alarmingly patient. Attackers can move undetected through a network for weeks. They map the infrastructure. They identify backup systems. Then, before launching their actual extortion attempt, they delete or encrypt them. The result is a company that believed it was prepared but wasn’t when it mattered most.

This leads to a rethinking of what a backup must be capable of:

  • Immutable backups cannot be altered or deleted after the fact, even if attackers have gained administrative privileges.
  • Physically or logically isolated storage environments ensure that compromised systems cannot serve as a bridge into the backup infrastructure.
  • Zero-trust principles, originally developed for network access, are increasingly being applied in the backup domain: No system is automatically trusted, not even the company’s own.

The concept is straightforward yet far-reaching: treat the recovery infrastructure as critical infrastructure. A company is only as resilient as its last clean, unassailable copy.

BSI-Standard 200-4: The roadmap for business continuity

The BSI Standard 200-4 (in German) is a practical framework for establishing a Business Continuity Management System (BCMS) in a structured manner. The standard is designed to cater to both experienced and inexperienced users. Those new to the subject will find a clearly structured introduction. Those already operating a BCM will receive a normative catalog of specific MANDATORY and RECOMMENDED requirements.

Relevant for companies with an international focus: The standard maps to ISO 22301:2019, the globally recognized BCM framework. Therefore, those working according to BSI Standard 200-4 are not following a unique German path, but rather building on an internationally compatible foundation. 

Organization trumps technology

However, even the best backup infrastructure is of little use if no one knows who is in charge when an emergency strikes. This is not an exaggeration; it is a common reason why companies falter in crises despite being technically prepared.

When an attack is underway, it happens in real time. In real time, every unresolved responsibility comes back to haunt you.

  • Who informs the customers and when?
  • Who decides which systems are restored first?
  • Who is authorized to hire external service providers without first obtaining three signatures?
  • Who handles communication with regulatory authorities?

Every hour spent on internal coordination is an hour during which production stands still, contracts are jeopardized, and trust is lost. The economic damage accelerates with every delay.

Companies that take resilience seriously treat these questions as core components of their governance. For these companies, BCDR is embedded in risk management and compliance structures.

Responsibilities are anchored at the executive board level, and scenarios are regularly rehearsed. The goal is not to document weaknesses but to address them before they matter.

Resilience is not a state that is achieved once and for all. It is a process that must be continuously nurtured.

How to create a BCDR strategy, step by step

A robust business continuity and disaster recovery (BCDR) strategy does not spontaneously emerge in the event of a crisis. Rather, it should be systematically developed and regularly tested. In practice, many companies follow a similar approach.

1. Identify critical business processes: Which systems and processes are business-critical? Production, ERP, payment processing, and customer portals often have the highest priority.

2. Conduct a Business Impact Analysis (BIA): The BIA assesses the financial losses that would result if certain systems fail, such as production downtime or contractual penalties.

3. Define RTO and RPO: Companies determine how quickly systems must be restored and the maximum amount of data loss they can tolerate.

4. Plan a technical recovery strategy: This includes backup strategies, alternative infrastructure, cloud recovery, and failover mechanisms.

5. Define the crisis management structure and responsibilities: An incident or crisis team must have clearly defined roles ranging from communication and IT recovery to decision making.

6. Conduct tests and exercises: Tabletop exercises and recovery tests demonstrate the effectiveness of plans in an emergency.

7. Update the strategy regularly: Continuously take into account new systems, regulatory requirements, and threat scenarios.

Resilience as a competitive advantage

Two companies in the same industry and of similar size are hit by the same cyberattack one day. The company without a robust emergency plan shuts down for three weeks. The company with a proven business continuity strategy is back up and running after 36 hours. The difference between the two is no technical secret – it’s preparation.

Europe is under economic pressure. Digitalization, geopolitical upheavals, and growing regulatory requirements increase complexity while decreasing tolerance for error. In this environment, resilience becomes a competitive advantage. Companies that can quickly resume operations after an attack earn the trust of customers, partners, investors, and regulators.

Business continuity is not a product or a one-time project, but rather an ongoing corporate capability. It must be continuously built up, tested, and developed further.

The key insight is that a company that is future-proof is not one that tries to prevent every attack; rather, it is one that regains operational capability faster than others.

Business Continuity FAQ

Many companies mistakenly believe that regular backups automatically ensure resilience. In reality, however, a backup alone is often not enough.

Typical vulnerabilities of traditional backup strategies include:

  • Backups are accessible on the same network as production systems.
  • Administrator privileges allow backups to be deleted or encrypted.
  • Recovery processes have never been tested in a real-world scenario.
  • Recovery takes longer than the defined RTO targets.

Modern attackers therefore often target backup infrastructures first. Without protective measures, such as immutable backups, network segmentation, or air-gapped architectures, backups can be rendered useless in an emergency. BCDR extends the traditional backup concept to include organizational, technical, and strategic measures.
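The four weaknesses listed above, plus the RPO from the step-by-step section, can be checked mechanically against a backup inventory. The following is an added example, not part of the original article; the inventory fields, the sample records, the zone names and the 180-day test-age threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class BackupTarget:                           # hypothetical inventory record
    system: str
    backup_zone: str                          # network zone of the backup repository
    production_zone: str                      # network zone of the protected system
    immutable: bool                           # storage enforces write-once retention
    last_backup: datetime
    last_restore_test: Optional[datetime]     # None = never tested
    measured_restore: Optional[timedelta]     # duration of the last test restore
    rto: timedelta                            # target set by management
    rpo: timedelta

def audit(t: BackupTarget, now: datetime,
          max_test_age: timedelta = timedelta(days=180)) -> list:
    """Return the weaknesses from the article's list that apply to one target."""
    findings = []
    if t.backup_zone == t.production_zone:
        findings.append("backup reachable from production network")
    if not t.immutable:
        findings.append("backup can be deleted or encrypted by an administrator")
    if t.last_restore_test is None:
        findings.append("recovery never tested")
    elif now - t.last_restore_test > max_test_age:   # assumed threshold
        findings.append("recovery test is stale")
    if t.measured_restore is not None and t.measured_restore > t.rto:
        findings.append("measured restore time exceeds RTO")
    if now - t.last_backup > t.rpo:
        findings.append("newest backup is older than RPO")
    return findings

def audit_inventory(inventory, now):
    return {t.system: audit(t, now) for t in inventory}

# Constructed sample inventory (not real data).
NOW = datetime(2026, 3, 31, 8, 0)
H, D = timedelta(hours=1), timedelta(days=1)
INVENTORY = [
    BackupTarget("erp", "prod-lan", "prod-lan", False, NOW - 30 * H, None, None, 8 * H, 24 * H),
    BackupTarget("customer-portal", "backup-vault", "dmz", True, NOW - 2 * H, NOW - 20 * D, 3 * H, 4 * H, 6 * H),
    BackupTarget("payments", "backup-vault", "prod-lan", True, NOW - 1 * H, NOW - 10 * D, 5 * H, 2 * H, 4 * H),
]

if __name__ == "__main__":
    for system, findings in audit_inventory(INVENTORY, NOW).items():
        print(system, "->", findings or "no findings")
```

The `immutable` flag here only records what the inventory claims; whether the storage actually enforces it has to be confirmed on the backup system itself.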

SMBs are increasingly turning to specialized BCDR platforms to automate recovery and ensure business continuity. When making your selection, look for these features typical of modern BCDR solutions:

  • Automated backup and recovery processes
  • Immutable backup mechanisms
  • Orchestrated disaster recovery workflows
  • Cloud-based recovery
  • Continuous recovery testing
  • Monitoring of critical systems

Keep the following points in mind when making your selection:

  • Integration with existing infrastructure
  • Support for hybrid cloud environments
  • Compliance features for NIS2 or DORA
  • Scalability as data volumes grow

However, a suitable solution is not a substitute for a strategy. Technology is only one component of a functioning resilience strategy.

The evolution of business continuity strategies is increasingly influenced by new technologies.

1. AI-powered recovery analysis: AI models analyze logs and system statuses to accelerate recovery processes and automatically prioritize critical systems.

2. Automated disaster recovery orchestration: As recovery processes become more automated, the risk of human error in the event of a crisis decreases.

3. Zero-trust principles in backup: Backup systems are becoming more isolated and strictly authenticated to prevent tampering by compromised accounts.

4. Cloud-based resilience architectures: Many companies are adopting hybrid infrastructure models in which cloud resources serve as the recovery environment.

5. Regulation as a driver for BCM: Regulations such as NIS2, DORA, and the Cyber Resilience Act increase the pressure on companies to build resilience strategically.

BCM is relevant for all organizations whose business processes depend on IT systems. Highly regulated industries, such as finance, manufacturing, and critical infrastructure, are legally required to implement appropriate measures.