COMMENTARY: MSSPs need to talk more plainly with customers about recovery. Prevention still matters, but no one can promise attackers will always be kept out. When ransomware hits, the big question is simple: can the business get its data and systems back quickly? That means backups have to be protected, recovery access has to be separate from normal admin accounts, and customers need to know how long recovery will actually take. For MSSPs, this is the opportunity. They can help customers move beyond alerts and tools and build a security plan that keeps the business running when prevention fails.
Most companies never get all their data back after a ransomware attack.
Veeam's 2026 report finds 72 percent never fully recover. For two decades, the security industry organized itself around a single assumption: hold the perimeter, the data is safe, the business keeps running. That assumption no longer holds, and the MSSPs who recognize the shift early will win the next several years of renewals.
AI changed the picture. Frontier models can now find unknown vulnerabilities in every major operating system and web browser. Tools that once required nation-state resources now cost a few dollars in tokens. Attackers no longer break in. They log in with stolen credentials and use the organization's own admin tools to delete production data before alarms sound.
Customers have noticed. They no longer accept a defense that only promises to hold the perimeter. The incident reports make clear that the breach is coming. They want to know how fast their hospital or their billing system comes back online, and with what data. That answer lives in the data layer.
Downtime is the Business Risk
Picture a building with sophisticated alarms but weak locks on the doors. Someone breaks in, the alarm goes off, and the notification means you’ve already lost. The industry has bought alarms for twenty years. The data layer is the locks.
IBM's 2025 report puts global cybercrime damages on track to reach $12.2 trillion by 2031 and the mean time from intrusion to containment at 241 days. The attacker spends eight months inside an environment the customer thinks is clean. No human-coordinated defense keeps up at that interval.
Behind those numbers, a mother waits on MRI results, a small business owner on a loan decision, a dispatcher routes first responders to an emergency. Hospitals have cancelled tens of thousands of appointments and switched to paper medication tracking.
Sophos puts the 2025 average ransomware payment at $1.2 million, the smallest part of the bill. Recovery time now surfaces on earnings calls.
Cyber Resilience Must Extend to the Data Layer
The frame MSSPs should walk customers through is the assumed-breach model: design every downstream decision as if the attacker is already inside, because the attacker usually is. Once a customer accepts that premise, the conversation stops being about how to keep them out and becomes about what they can reach once inside, and how quickly the customer can recover.
Data architecture and configuration decide the outcome.
Verizon's Data Breach Investigations Report puts misconfiguration behind one in four breaches. In March, the same intrusion hit two sites at a Fortune 100 company and deleted thousands of endpoints and virtual clusters. Same attack, same vendor, same product, same playbook. One site recovered in minutes while the other took days. The difference was architectural. Immutable snapshots survived at the site that recovered. Recovery credentials lived on a separate control plane that no compromised account could touch, even with global administrator privileges. Architecture contained the blast radius, not the response team's reflexes.
Almost every customer has backups. The MSSP question is whether those backups stay immutable, run on a separate control plane from production credentials, and restore operations within a recovery window that the business can survive. That window runs in minutes rather than days. The customer should know before the incident, not after.
Data Management Must Be an Active Defender
For the channel, this reshapes what MSSPs sell. Immutable snapshots, recovery environments that run apart from production, and rapid-restore architectures belong alongside endpoint detection, identity, and SIEM. The data layer determines whether the customer is back online by Monday morning or explains to their board why not.
MSSPs who win this decade tell customers how they will defend, how they will recover, and how long recovery takes. Recovery time objective becomes the service the customer buys. Attackers move faster with AI; the data layer is what works when prevention fails. Build the active defense layer first.s what works when prevention fails. Build the active defense layer first.
MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff. Do you have a unique perspective you want to share? Check out our guidelines here and send a pitch to [email protected].