No one recovers in a day: breach recovery times, in numbers

Cybersecurity conversations still focus on prevention. But new research commissioned by Absolute Security and conducted by Censuswide, based on a survey of 750 CISOs in the US and UK, zooms in on how long an organisation actually stays down when a breach does happen. 

And the numbers are worth looking at. 

More than half of organisations lost endpoint availability

The survey asked if CISOs had experienced an incident in the past 12 months that made endpoints unusable – and 55% said yes. 

These were incidents that rendered mobile, remote or hybrid endpoints inoperable, directly affecting how staff worked. Endpoints are where modern organisations operate much of the time, so when they fail, business stops. 

No one recovers in a day

The most notable finding in the report is that not one single CISO said their organisation could fully recover within one day. 

Instead, recovery times cluster firmly in the multi-day range:

• 24% said recovery took 1-2 days
• 57% said 3-6 days
• 19% said 7-14 days
• Fewer than 1% reported recovery taking longer than two weeks

Put differently, this means around three quarters of organisations take at least three days to recover once endpoints are knocked out. That’s a structural reality, and an expensive one. 

Downtime costs land in seven figures

Downtime is very much a financial issue.

Among CISOs who had to fully remediate after an incident:

• 53% said total costs were $1-2 million
• 45% reported $2-5 million
• Fewer than 1% exceeded $5 million
• 2% didn’t know the cost at all

That means 98% of respondents landed between $1-5 million. And these figures reflect recovery, not just incident response. They include rebuilding systems, restoring endpoints, operational disruption, and lost productivity – the ongoing impact that rarely features in breach headlines.

Everyone knows it will happen again

The CISOs in the survey also highlighted a forward-looking issue, with 53% believing their organisation is likely to suffer a cyber incident causing significant, costly downtime in the next 12-18 months.

Rather than pessimism, this is pattern recognition; if more than half of large enterprises lost endpoint availability last year (and nearly the same number expect it again), downtime isn’t an exceptional experience; it’s an operating condition that organisations need to be able to work with. 

Why the numbers matter more than the narrative here

Boards still (and probably always will) ask whether a breach could’ve been prevented. But CISOs today are increasingly living with a different question: how quickly can we get back on our feet? 

This data exposes a widening gap between expectation and reality. Leadership often assumes recovery is measured in hours. The evidence says days – sometimes weeks.

And that gap is where reputational damage, regulatory exposure, and personal accountability live. It’s also why resilience (not just security) is climbing the agenda. 

Enterprise leaders and CISOs need to work together to plan for downtime that lasts days, not hours. Incident playbooks and board conversations should reflect real recovery timelines (and when they do, it’s better for everyone). 

Ultimately, downtime should be made visible to all relevant stakeholders. For CISOs, this means tying recovery time directly to financial and operational impact so leadership understands the trade-offs. Nobody can work magic and restore an organisation to full operational order in minutes after a breach, and leadership needs to know that – and take responsibility for their role in building an organisation that can withstand downtime. 

Recovery time determines survival. And the numbers make it clear that resilience is less about if something breaks (it almost definitely will), and more about how long you can afford to stay broken.