If You Don’t Know Your MTCR, You Aren’t Asking the Right Questions
Quick test: Ask your CISO how long it would take to fully recover from a ransomware attack.
If the answer comes back in hours — “Our RTO is four hours” — you’re getting the wrong number.
A major retail company learned this the hard way in early 2025. Their security team detected a ransomware intrusion quickly. They contained it within hours. They had backups. They had a plan.
Full recovery took nearly three months.
The time wasn’t spent rebuilding servers. It was spent answering one question: Which data can we actually trust?
The Metrics That Stopped Working
For decades, disaster recovery planning has centered on two metrics:
RTO (Recovery Time Objective) — How fast can we restore systems?
RPO (Recovery Point Objective) — How much data can we afford to lose?
These metrics were designed for a different world — fires, floods, hardware failures. Scenarios where you grab the backup tape, restore it, and you’re back in business.
Ransomware broke that model.
Modern attackers don’t just encrypt your production systems. They go after your backups first — because that’s your escape route. According to Veeam’s 2025 Ransomware Trends Report, 89% of organizations have had their backup repositories targeted.
And even when backups survive intact, they may not be safe. Ransomware can sit dormant in your environment for weeks or months before detonating. That “clean” backup from last Tuesday? It might contain the same malware that took you down — just waiting to reactivate.
RTO tells you how fast you can restore. It says nothing about whether you should.
Enter MTCR
There’s a new metric emerging in boardrooms and security operations centers: Mean Time to Clean Recovery (MTCR).
MTCR doesn’t measure how fast you can bring systems online. It measures how long it takes to restore systems that are verified clean — tested, validated, and confirmed free of compromise.
That’s a fundamentally different question.
In the retail case, the company could have technically restored operations within days. But they couldn’t verify which backups were safe. Every restore candidate had to be isolated in a “clean room” environment, scanned for malware, validated for integrity, and tested before going back into production.
Multiply that across hundreds of systems. Three months.
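As an added illustration, not from the original article, here is a small Python model of the distinction: a system counts toward the RTO-style number as soon as it is back online, but toward MTCR only once every clean-room stage has passed. The stage names, sample systems and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean

# Clean-room gates a restore candidate must pass before it counts as "clean"
# (the steps the article lists). Stage names are illustrative, not a standard.
REQUIRED_STAGES = ("isolated", "malware_scan", "integrity_check", "functional_test")


@dataclass
class RestoreRecord:
    system: str
    incident_start: datetime
    online_at: datetime                          # technically back up (what RTO measures)
    stages: dict = field(default_factory=dict)   # stage -> (passed, finished_at)

    def clean_at(self):
        """Time the last required stage passed, or None if any stage failed or is missing."""
        finished = []
        for stage in REQUIRED_STAGES:
            passed, ts = self.stages.get(stage, (False, None))
            if not passed:
                return None
            finished.append(ts)
        return max(finished)


def recovery_metrics(records):
    """Return (mean hours to online, MTCR in hours, systems still unverified)."""
    to_online = [(r.online_at - r.incident_start) / timedelta(hours=1) for r in records]
    clean_hours, unverified = [], []
    for r in records:
        c = r.clean_at()
        if c is None:
            unverified.append(r.system)      # online perhaps, but not trusted
        else:
            clean_hours.append((c - r.incident_start) / timedelta(hours=1))
    return mean(to_online), (mean(clean_hours) if clean_hours else None), unverified


# Constructed sample: three systems, one of which fails its malware scan.
T0 = datetime(2025, 3, 1, 8, 0)
h = lambda n: T0 + timedelta(hours=n)
ok = lambda n: (True, h(n))
SAMPLE = [
    RestoreRecord("erp-db", T0, h(4), {"isolated": ok(4), "malware_scan": ok(30),
                                       "integrity_check": ok(48), "functional_test": ok(72)}),
    RestoreRecord("pos-gateway", T0, h(2), {"isolated": ok(2), "malware_scan": ok(10),
                                            "integrity_check": ok(18), "functional_test": ok(24)}),
    RestoreRecord("file-share", T0, h(6), {"isolated": ok(6), "malware_scan": (False, h(20))}),
]
```

Running `recovery_metrics(SAMPLE)` gives a 4-hour mean time to online against a 48-hour MTCR, with `file-share` still outside the clean count.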
They’re not an outlier. Industry data shows that less than 7% of ransomware victims recover within a day. More than a third take over a month — not because the data was destroyed, but because they couldn’t trust it.
The Plan You Have vs. The Recovery You’ll Get
Here’s where it gets uncomfortable.
According to recent surveys, 54% of organizations have a documented disaster recovery plan. That sounds reasonable — until you dig deeper:
- 57% of organizations that experience a disruption don’t have a business continuity plan at all
- Only 23% regularly update their BC plan to incorporate new threats
- 35% of disaster recovery tests fail
- 44% of businesses have no DR plan whatsoever
- 80% of organizations without a tested plan fail within 18 months of a major incident
Most plans that do exist were built for a pre-ransomware era. They assume the backup is clean. They assume restoration equals recovery. They assume four hours means four hours.
The reality: your RTO might say four hours, but your MTCR could be four weeks. Or four months. And if you’ve never tested for that scenario, you won’t know until you’re living it.
The Simulation That Changed Minds
A recent ransomware resilience workshop put executives through a simulated attack. No playbook. Real-time decisions. Escalating pressure.
The results were revealing.
Executives couldn’t quickly identify which systems were affected. There was no documented sequence for what to restore first. Even “immutable” backups had to go through validation before anyone would trust them.
And when the board got involved? The facilitators described them as “aggressively angry” — frustrated that no one could tell them when operations would actually resume.
The lesson: having backups isn’t the same as having recovery capability. And an RTO on paper means nothing if it’s never been tested against a realistic cyber scenario.
The Bottom Line
RTO and RPO were built for disasters where the backup was the answer.
Ransomware created a world where the backup might be the problem.
MTCR isn’t just a new acronym. It’s a fundamental shift in how boards should think about resilience — from “how fast can we restore?” to “how do we know it’s safe?”
If you can’t answer that question today, start asking it tomorrow.