Most organisations think ransomware is just another disaster scenario. It isn’t.
Disaster recovery vs ransomware
Disaster recovery (DR) is designed for availability failures:
- Hardware or infrastructure issues
- Power or site outages
The assumption is: your data is intact but unavailable.
So the response is speed:
- Failover
- Restore
- Resume operations
Ransomware is a security incident:
- Data may be encrypted, altered, or stolen
- Backups may be compromised
- Attackers may still have access
The assumption here is the opposite: your environment is not trustworthy.
Why MSPs don’t include DFIR in standard DR services
There’s a common expectation that backup or DR providers will “handle ransomware.” In most cases, they won’t—and that’s by design.
DFIR isn’t bundled into BC/DR services because:
- It requires specialist skills (forensics, threat intel, malware analysis)
- It involves unpredictable effort and duration, unlike structured DR workflows
- It may require legal oversight and evidence handling
- It carries significantly higher risk and liability
DR services are engineered to be repeatable, automatable, and commercially predictable.
DFIR is none of those things—it’s investigative, variable, and often business-critical in ways that extend beyond IT recovery.
As a result, DFIR is typically delivered as a separate retained or on-demand service, not something included in standard recovery contracts.
What DFIR actually is
Digital Forensics and Incident Response (DFIR) is the discipline that handles cyber incidents properly. It combines investigation, containment, and controlled recovery.
In practice, DFIR covers:
1. Containment
- Isolate affected systems
- Disable compromised accounts
- Stop lateral movement
2. Forensics
- Identify the initial access vector (phishing, RDP, exploit, etc.)
- Map attacker activity across systems
- Determine what data was accessed or exfiltrated
- Preserve evidence for legal/regulatory use
3. Eradication
- Remove malware, persistence mechanisms, and backdoors
- Reset credentials and rebuild trust in identity systems
4. Clean recovery
- Restore from known-good backups
- Rebuild into a sanitised environment, not the original compromised one
5. Post-incident hardening
- Close gaps that allowed entry
- Increase monitoring and detection
This is specialist work—different tools, different skills, often legal oversight.
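An added example of what the "known-good backups" step above means in practice (illustration written for this page, not code from the original post): a restore-point triage that rejects any snapshot taken after the earliest attacker activity found in the forensics phase, and any snapshot whose hash no longer matches a manifest held out of band on immutable or offline storage. Snapshot names, contents, timestamps and the initial-access time are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Snapshot:
    name: str
    taken_at: datetime
    payload: bytes  # backup content; constructed inline for this demo

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def triage_snapshots(snapshots, trusted_manifest, initial_access):
    """'known-good' = taken before the earliest attacker activity found by forensics
    AND SHA-256 matches the manifest held out of band (immutable/offline copy)."""
    verdicts = {}
    for s in snapshots:
        if s.taken_at >= initial_access:
            verdicts[s.name] = "rejected: taken after initial access"
        elif s.name not in trusted_manifest:
            verdicts[s.name] = "rejected: no out-of-band hash record"
        elif sha256(s.payload) != trusted_manifest[s.name]:
            verdicts[s.name] = "rejected: hash mismatch (tampered or corrupted)"
        else:
            verdicts[s.name] = "known-good"
    return verdicts

def latest_known_good(snapshots, trusted_manifest, initial_access):
    """Name of the newest restorable snapshot, or None if nothing is trustworthy."""
    verdicts = triage_snapshots(snapshots, trusted_manifest, initial_access)
    good = [s for s in snapshots if verdicts[s.name] == "known-good"]
    return max(good, key=lambda s: s.taken_at).name if good else None

# Constructed sample data: hypothetical snapshot names, contents and timestamps.
UTC = timezone.utc
SNAPSHOTS = [
    Snapshot("nightly-03-08", datetime(2024, 3, 8, 2, tzinfo=UTC), b"db dump 03-08"),
    Snapshot("nightly-03-09", datetime(2024, 3, 9, 2, tzinfo=UTC), b"db dump 03-09 ALTERED"),
    Snapshot("nightly-03-10", datetime(2024, 3, 10, 2, tzinfo=UTC), b"db dump 03-10"),
    Snapshot("nightly-03-12", datetime(2024, 3, 12, 2, tzinfo=UTC), b"db dump 03-12"),
]
# Hashes recorded at backup time on immutable storage; 03-09 was edited in place later.
TRUSTED_MANIFEST = {f"nightly-{d}": sha256(f"db dump {d}".encode())
                    for d in ("03-08", "03-09", "03-10", "03-12")}
INITIAL_ACCESS = datetime(2024, 3, 11, 14, 30, tzinfo=UTC)  # earliest attacker activity found
if __name__ == "__main__":
    print(triage_snapshots(SNAPSHOTS, TRUSTED_MANIFEST, INITIAL_ACCESS))
    print("restore candidate:", latest_known_good(SNAPSHOTS, TRUSTED_MANIFEST, INITIAL_ACCESS))
```

Note that the 03-09 snapshot predates the intrusion yet is still rejected: a backup taken before the attacker arrived can be altered afterwards, which is why the time check alone is not enough.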
The gap in most service contracts
Backup and DR services typically include:
- Restore and failover
- Recovery orchestration
- DR testing
They do not include:
- Forensic investigation
- Threat hunting
- Evidence handling
- Breach assessment or reporting
That’s because DFIR is a separate service, often delivered via retainer or on-demand engagement.
Bottom line
DR gets you back from failure.
DFIR gets you out of an attack.
If you don’t explicitly plan for both, you’re only prepared for half the problem.