During a recent ransomware incident, a law firm had many terabytes of litigation data: millions of individual 45 KB TIFF files. The firm decided not to pay the ransom and started the restoration process. After two days of restoration, it was determined that restoring this one system was going to take two weeks. The firm had never tested a full restoration or bothered to calculate what it would take to restore the data. The time it would take to restore the data was more costly than paying the ransom.
Restores have to be tested in full to truly understand the impact of your Disaster Recovery Plan.
Did you know that if you start restoring systems, you may be destroying evidence? You may be held liable, and the worst-case scenario could be that the insurance company may not pay. Then your client's data shows up on the dark web, the client is now suing you, and your insurance company is holding you, the CISO or IT Director, responsible for destroying evidence. Then the state attorney general wants to know why a breach notification was not performed. More fines.
Anyone involved in the destruction of evidence can be held liable, including your IT consultants. I heard one insurance company say to an IT consultant, "I am coming after you for the destruction of evidence that would have helped us understand that data was exfiltrated."