Key Takeaways:
- Defining an MVB/MVC state ensures organizations can quickly restore the most critical systems and processes after a cyberattack.
- Industry frameworks and compliance rules such as NIST CSF and DORA all require this information.
- Veeam accelerates recovery to an MVB/MVC state, and then to full recovery, through backup, clean room testing, and other features.
New approaches to existing practices, Minimum Viable Company (MVC) and Minimum Viable Business (MVB), are gaining traction in the Cyber Resilience space.
MVB or MVC refers to the minimum possible version of an organization that can still operate should an incident bring down systems and operations. They are critical concepts in cyber resilience planning and response. They define the bare minimum operations, processes, systems, and data an organization must restore to remain functional after a cyberattack.
According to the 2025 Veeam Ransomware Trends and Proactive Strategies report, 69% of organizations that suffered a ransomware attack said they thought they were prepared before being attacked. After an attack, that confidence dropped by 20%. Readiness goes beyond having a disaster recovery plan and an incident response plan. The report shows that prepared organizations treat cyber resilience as a core operational discipline. They integrate proactive defense strategies into their everyday IT workflows, ensuring that readiness and resilience are a continuous practice.
One of the key aspects of readiness for eventual disasters and cyberattacks can be traced back to years of improvements in governance, risk, and compliance (GRC) programs. This includes meeting a number of IT and cybersecurity frameworks, standards, and regulations. While the terms may vary, the principles behind MVB and MVC have been part of resilience and continuity planning for years.
Industry Frameworks, Standards, and Regulations for MVB/MVC
Defining the MVB or MVC for an organization is all about prioritization of systems and processes. When needed, the organization can go back to a plan that lists the essentials and identify what to recover first to reestablish minimum operation. This is not a new trend: GRC programs following IT and security industry frameworks, standards, and regulations have included the same concepts associated with business continuity. Here are a few examples of the best-known frameworks, standards, and regulations in relation to MVB or MVC.
- NIST Cybersecurity Framework (CSF) 2.0 emphasizes business-driven cybersecurity through its “Govern” function, which focuses on organizational cybersecurity strategy, expectations, and policy that inform and direct management of cybersecurity risk to achieve business objectives. It explicitly addresses business continuity and operational needs including supply chain risks.
- NIST SP 800-34 Contingency Planning Guide provides detailed guidance on contingency plans identifying critical business functions, establishing recovery priorities, and defining minimum operational capabilities during cyberattacks, natural disasters, or system failure.
- ISO 27001 Information Security Management requires organizations to identify critical business processes, information assets, and supporting systems. It requires implementing controls proportional to business risk and operational requirements. Annex A Controls specifically address what services should be recovered to support critical business operations.
- ISO 22301 Business Continuity Management works alongside ISO 27001 to establish minimum acceptable levels of operation and recovery time objectives for critical business processes.
- Information and Communication Technology Risk Management Framework (ICT RMF) requires financial entities to establish a comprehensive framework that identifies, classifies, and documents all critical information and ICT assets. This directly leads to understanding and prioritizing what’s essential. ICT RMF is a core requirement of the latest European Union regulation, the Digital Operational Resilience Act (DORA), which is specifically designed for the financial sector and focused on digital operational resilience. Under DORA, entities must develop and maintain a formal ICT business continuity policy, approved and regularly reviewed by senior management.
“DORA is a landmark regulation by the European Union that aims to strengthen the digital resilience of the financial sector. It came into effect on January 17, 2025, and applies to a wide range of financial entities and their ICT third-party service providers.”
Data sovereignty requirements recently in the news, under which a country can require that access to data be turned off, can also disrupt operational resilience and result in organizations failing to comply with DORA.
These are just a few examples of how organizations with GRC programs following IT and security industry frameworks, standards, and regulations must plan for MVB/MVC scope in case of a major disruption.
From Cyberattack to Minimum Viable Business or Company State
If a ransomware attack results in the encryption of an organization’s systems and/or data, swift and structured action is critical. Ransomware attacks in many cases affect a number of interconnected systems, so the effects go beyond a single source. A standard practice for organizations is for their security and IT teams to activate their incident response plan by immediately assembling the incident response team. Next, assessment and containment measures should be deployed to limit the spread. Containment refers to isolating affected systems, and while every case is different, it could include disconnecting networks and disabling compromised accounts.
A key step in response is determining which systems, data, and business functions are affected. This is the point where having documented guidance for prioritization and a defined recovery scope to reach MVB/MVC state is critical.
As the incident response continues, it is recommended to bring in third-party expert negotiators or incident response partners who specialize in cyber extortion, such as Coveware by Veeam. A key aspect is to preserve forensic evidence to support investigation and potential legal action, as well as to define a strategy if the organization decides to engage with threat actors.
In parallel, system recovery should begin, and prioritizing the restoration of critical operations according to the defined MVB/MVC is key. Restoration must come from clean, immutable backups to recover or rebuild environments.
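A documented MVB/MVC scope can be kept as data and turned into a restore order mechanically. The following is an added example, not Veeam code or part of the original post: the system names, the `deps`, `immutable`, and `scanned_clean` fields, and the inventory itself are constructed for illustration.

```python
from graphlib import TopologicalSorter

# Constructed sample inventory: hypothetical systems, their dependencies,
# and the state of each system's most recent backup.
INVENTORY = {
    "identity": {"deps": [], "immutable": True, "scanned_clean": True},
    "dns": {"deps": [], "immutable": True, "scanned_clean": True},
    "database": {"deps": ["identity", "dns"], "immutable": True, "scanned_clean": True},
    "payments": {"deps": ["database", "identity"], "immutable": True, "scanned_clean": False},
    "erp": {"deps": ["database"], "immutable": False, "scanned_clean": True},
    "intranet": {"deps": ["identity"], "immutable": True, "scanned_clean": True},
}
MVB_FUNCTIONS = ["payments"]  # functions declared part of the MVB/MVC state (assumed)


def mvb_scope(inventory, functions):
    """Return every system the MVB functions need, including transitive dependencies."""
    scope, stack = set(), list(functions)
    while stack:
        name = stack.pop()
        if name not in inventory:
            raise KeyError(f"{name} is referenced but missing from the inventory")
        if name not in scope:
            scope.add(name)
            stack.extend(inventory[name]["deps"])
    return scope


def recovery_plan(inventory, functions):
    """Order the MVB scope so dependencies restore first; flag backups unsafe to restore."""
    scope = mvb_scope(inventory, functions)
    graph = {name: sorted(inventory[name]["deps"]) for name in sorted(scope)}
    order = list(TopologicalSorter(graph).static_order())  # CycleError on circular deps
    blocked = {}
    for name in order:
        reasons = []
        if not inventory[name]["immutable"]:
            reasons.append("backup not immutable")
        if not inventory[name]["scanned_clean"]:
            reasons.append("backup not verified clean")
        if reasons:
            blocked[name] = reasons
    deferred = sorted(set(inventory) - scope)  # restored after MVB/MVC is reached
    return order, blocked, deferred


if __name__ == "__main__":
    print(recovery_plan(INVENTORY, MVB_FUNCTIONS))
```

Running the plan before an incident surfaces gaps early: here the payments backup has not been verified clean, so the MVB/MVC state cannot be reached from it as-is.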
Data Resilience Before, During, and After MVB/MVC
Data resilience platforms, also known as data backup and recovery platforms, such as Veeam Data Platform, are fundamental to recovering from a cyberattack and to achieving an MVB or MVC state first, which then facilitates a full recovery. Veeam allows organizations to bounce back from a disruptive event.
The MVB/MVC concept is about restoring the absolute essential functions of a business as quickly as possible to maintain critical operations. By prioritizing the restoration of data and applications supporting the core revenue-generating or legally mandated functions, data resilience platforms are the components to achieve MVB/MVC first and then continue to a full recovery.
Before MVB/MVC:
In addition to the previously recommended inventory and prioritization of processes, systems, and data, organizations must implement robust data resilience capabilities. Recovery functionality becomes essential when preparing for MVB/MVC operations. Organizations should ensure they have capabilities for virtual machine (VM) recovery, frequent snapshots and replication, immutable and air-gapped backups, automated orchestration of recovery, and clean rooms or isolated recovery environments.
During MVB/MVC:
When an organization enters an MVB/MVC state during a cyberattack, it has restored only essential operations. To progress toward full operational recovery, it must execute a series of coordinated activities. This includes restoring remaining systems, validating data integrity, applying security patches, and re-establishing trust in the IT infrastructure.
From a security standpoint, a forensic investigation should be conducted to determine the scope of the attack and prevent recurrence. Continuous monitoring is also critical to detect any lingering threats.
After MVB/MVC:
Full recovery after achieving MVB/MVC operation involves systematic restoration of non-critical digital assets, whether to existing infrastructure or to new on-premises, public, or hybrid environments. All disrupted processes must be restored, systems reintegrated, and end-to-end workflows tested to ensure seamless functionality.
Clear communication is also critical: internally, to keep staff informed, and externally, to update customers, partners, and regulators, especially if sensitive data was compromised.
Finally, a thorough post-incident review should be conducted to capture lessons learned, update incident response plans, and invest in long-term cyber resilience. This includes expanding backup coverage, refining architectural segmentation, and providing employee cybersecurity awareness training.
Bouncing Back with Veeam: Solutions for Resilient Recovery
Let’s look at just a few of the capabilities that Veeam provides to achieve MVB/MVC state quickly and then full recovery.
Unmatched recovery options with instant, orchestrated restores across workloads that minimize downtime and data loss while meeting aggressive RTOs and RPOs with confidence.
Veeam Cyber Secure provides expert-led best practices, architectural design, security assessments, and cyber extortion readiness and response that help with preparation and then reduce downtime, lower costs, and restore control when it matters most.
Veeam Clean Rooms, powered by Veeam DataLabs, validates backups in isolated, malware-free environments with network isolation, flexible deployment and automated testing via Veeam SureBackup and Secure Restore.
Veeam Recovery Orchestrator automates and tests end-to-end recovery across hybrid environments. It includes built-in audit documentation to simplify compliance.
Veeam Secure Restore enables organizations to verify that backup data is clean before it’s restored, helping prevent reinfection from malware. It integrates malware/antivirus scanning and YARA rule-based detection directly into the recovery workflow.
Veeam data resilience solutions are not just about saving data; they are strategic tools that enable organizations to define, practice, and execute a recovery strategy. This strategy is precisely what allows an organization to minimize the impact of a disruption by first ensuring the survival of its most vital functions (MVB/MVC) and then systematically rebuilding to full strength.
Final Thoughts on Implementing MVB/MVC for Cyber Resilience
Defining an MVB/MVC state is essential today due to the escalating cyberthreat landscape. Ransomware attacks are increasing in scale and sophistication, and full-scale environment restores are often slow and complex. Operational disruption can lead to lost revenue, lost customers, and even regulatory fines. For this reason, business continuity pressures from prolonged downtime make it more critical to have a well-defined and agreed MVB/MVC state, and then to fully recover with Veeam capabilities.
FAQs
Why is defining an MVB/MVC state important for cyber resilience?
Defining MVB/MVC helps organizations prioritize which systems and processes must be recovered first after a cyberattack or outage. It enables faster, more focused recovery efforts, minimizing downtime, protecting revenue, and ensuring regulatory compliance.
How does Veeam support recovery to an MVB or MVC state?
Veeam provides fast, secure recovery options like instant VM restores, immutable backups, clean rooms, and automated orchestration. These tools help organizations recover essential workloads quickly and securely.
What industry standards and regulations align with MVB/MVC planning?
Frameworks, standards, and regulations like NIST CSF 2.0, NIST SP 800-34, ISO 27001, ISO 22301, and DORA support the core principles behind MVB/MVC by requiring organizations to identify and prioritize critical business functions, assets, and recovery objectives.
How do ransomware attacks impact an organization’s path to MVB/MVC?
Ransomware can cripple interconnected systems, making it vital to isolate affected environments, assess damage, and begin recovery from clean, verified backups. Having an MVB/MVC strategy guides teams on what to restore first, speeding up operational recovery.
The post Minimum Viable Business and Minimum Viable Company for Cyber Resilience: What You Need to Know appeared first on Veeam Software Official Blog.