What is Your Minimum Viable Company?

Posted by Andrew Ogilvie in Regulatory

For mid-size businesses, the conversation around cyber security has shifted. It is no longer a question of "if" a breach might occur, but "how" the business survives the immediate aftermath.

While traditional disaster recovery plans focus on a total return to normal, a more pragmatic approach is gaining traction among UK firms: the Minimum Viable Company (MVC).

What is meant by a Minimum Viable Company?

In the context of cyber resilience, an MVC is the "skeleton" version of your organisation. It defines the absolute minimum set of operations, data, and systems required to remain functional and legally compliant while the rest of the business is offline.

Defining your MVC means making difficult decisions before a crisis hits. If your entire network is encrypted by ransomware tomorrow, which three systems must be back online within four hours to keep the company solvent?

  • For a mid-sized manufacturer, this might be the production line controllers and payroll.

  • For a professional services firm, it may be the client document portal and core communication channels.

The "Confidence Gap" in UK Boardrooms

The urgency for this approach is highlighted by recent industry data. According to the 2025 Veeam Ransomware Trends Report, 69% of organisations believed they were fully prepared for an attack. However, following an actual incident, that confidence dropped by 20%.

For UK business owners, this gap suggests that many existing recovery plans are either too optimistic or too cumbersome to execute under pressure. By focusing on an MVC, management teams provide IT staff with a prioritised roadmap that reduces the risk of panic and "analysis paralysis" during an active breach.

Aligning with UK and Global Standards

While "MVC" provides a strategic framework, the principles are deeply embedded in the regulatory standards that many UK businesses navigate in 2026:

  • ISO 27001 & 22301: These international standards require firms to identify "critical business processes" and establish "minimum acceptable levels of operation."

  • DORA (Digital Operational Resilience Act): Although an EU regulation, DORA impacts UK financial entities and critical service providers. It mandates formal ICT business continuity policies approved by senior management.

  • NIST Framework: Widely used by UK tech firms, NIST focuses on "business-driven" security, ensuring recovery priorities align with commercial objectives rather than just IT preferences.

Moving from Attack to MVC

If a cyberattack occurs, the priority is containment: isolating affected systems and disabling compromised accounts. Once the threat is contained and the scope of the damage is understood, the transition to an MVC state begins:

  1. Prioritised Restoration: Instead of trying to restore all services at once, teams focus exclusively on the predefined MVC scope.

  2. Clean Room Testing: To avoid re-infecting the network, backups must be restored into an isolated "clean room" environment to be scanned for any lingering malware.

  3. Immutable Backups: Recovery is only possible if the backup data itself remains uncompromised. Using immutable (unchangeable) storage is now a baseline requirement for UK SMEs under 2026 standards.

The Path Back to Full Strength

Achieving your MVC state is the first milestone, not the finish line. Once the core business is "breathing" again, the focus shifts to a systematic restoration of non-critical assets, validating data integrity, and conducting a post-incident review.

For business directors, the MVC approach offers a strategic advantage. It protects the company's reputation and cash flow by ensuring that even in the worst-case scenario, the "lights stay on" for customers and regulators.

How We Can Help

We provide proven UK-based cloud hosting, data storage and dual site Disaster Recovery solutions for your IT:

  • High Availability Database Clusters: Keeping your core data available at all times.

  • Frequent Automated Data Backups: Automated, encrypted off-site backups stored exclusively in UK-based, secure data centres.

  • Long-term Secure Data Storage: Compliant, immutable storage for your most sensitive historical records and archives.

Contact us to explore your options.