How to Prevent Disruption and Recover Quickly When it Matters Most

What happens when a cyberattack doesn’t just breach systems but halts your business? Recent incidents show downtime is the true cost. This blog breaks down CISA guidance and how to build resilience to stay operational, even under attack.


The Material Impact of Downtime

The cyberattack against Stryker Corporation was not just a breach. It was an operational disruption.

By abusing a trusted system, the endpoint management platform, the attackers could act on managed devices at scale, disrupting critical services and business operations. In response, the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance urging organizations to harden these platforms, naming Microsoft Intune as an example.

This incident reflects a broader shift in cyber risk. The downtime resulting from cyberattacks can severely hamper an organization’s ability to function effectively and potentially lead to compliance violations. In fact, 83% of organizations have experienced operational disruption following a cyber incident[1], highlighting how quickly security events can escalate into business disruption. In a recent study of 750 CISOs across organizations of all sizes, a vast majority reported 3–14 days to restore operations, while only a small percentage reported 1 day or less.[2] Furthermore, across Global 2000 companies, downtime is estimated to cost more than $400 billion annually — roughly 9% of total corporate profits.[3]

With so much at stake, securing systems through prevention is simply not enough. Organizations must employ robust cyber resilience and recovery mechanisms to limit the risk of lasting downtime to their business.

CISA’s Guidance on Endpoint Management

In response to the attack on Stryker Corporation, CISA published guidance for U.S. organizations on hardening trusted management software such as endpoint management against tampering and abuse. Its recommendations, which cite Microsoft Intune as the example because Intune was the platform used in the Stryker attack, are:

  • Use principles of least privilege when designing administrative roles.
    • Leverage role-based access control (RBAC) to assign the minimum permissions necessary to each role for completing day-to-day operations.
  • Enforce phishing-resistant multi-factor authentication (MFA), such as FIDO2/WebAuthn security keys, passkeys or certificate-based authentication, for every administrative account, and keep privileged access hygiene (dedicated admin accounts, no standing privileges, regular review of role holders).
  • Configure access policies to require Multi Admin Approval.
    • Set up policies that require a second administrator to approve high-impact actions (such as device wiping) and changes to applications, scripts, RBAC, configurations and similar objects before they take effect. The requesting administrator cannot approve their own request, so a single compromised admin account cannot push a destructive change on its own.
  • Follow the best practices highlighted by Microsoft for securing Microsoft Intune.
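Two of these recommendations, least-privilege RBAC and Multi Admin Approval on high-impact actions, can be checked mechanically against a tenant export. The script below is an added example, not code from CISA, Microsoft or Absolute. The object shapes loosely follow the Microsoft Graph (beta) roleDefinitions, roleAssignments and operationApprovalPolicies resources but are simplified and assumed, as are the permission strings, the scope names and the member-count threshold; verify all of them against your own export before relying on the checks. The snapshots at the bottom are constructed.

```python
"""Audit an exported Intune RBAC snapshot for the two CISA recommendations
that can be checked mechanically: least-privilege role assignments and
Multi Admin Approval coverage of high-impact actions.

Added example, not code from Absolute, CISA or Microsoft. The object shapes
loosely follow the Microsoft Graph (beta) roleDefinitions, roleAssignments
and operationApprovalPolicies resources but are simplified and ASSUMED;
permission strings and scope names must be verified against your own tenant.
All sample data below is constructed."""

# Resource actions that can disrupt operations at scale, mapped to the category
# of approval policy expected to gate them. Permission names follow Intune's
# resource-action naming (assumed); the category labels on the right are this
# example's own shorthand, not Intune's policy type names.
HIGH_IMPACT = {
    "Microsoft.Intune_RemoteTasks_Wipe": "wipe",
    "Microsoft.Intune_RemoteTasks_Retire": "retire",
    "Microsoft.Intune_ManagedDevices_Delete": "delete",
    "Microsoft.Intune_Roles_Update": "role",
    "Microsoft.Intune_Roles_Assign": "role",
}
BROAD_SCOPES = {"allDevices", "allDevicesAndLicensedUsers"}  # assumed scope names
MAX_MEMBERS = 5  # assumed threshold for a role that can wipe devices


def role_actions(role):
    """Flatten allowedResourceActions across a role's rolePermissions."""
    return {action
            for perm in role.get("rolePermissions", [])
            for ra in perm.get("resourceActions", [])
            for action in ra.get("allowedResourceActions", [])}


def gated_categories(snapshot):
    """Categories covered by an approval policy that has a real approver group."""
    return {p["policyType"] for p in snapshot.get("approvalPolicies", [])
            if p.get("approverGroupIds")}


def audit(snapshot):
    """Return findings as dicts; an empty list means the snapshot passes."""
    findings = []
    gated = gated_categories(snapshot)
    for role in snapshot["roleDefinitions"]:
        risky = {a for a in role_actions(role) if a in HIGH_IMPACT}
        if not risky:
            continue  # role cannot do anything disruptive; nothing to gate
        # Multi Admin Approval: every high-impact category this role can
        # exercise should sit behind an approval policy.
        missing = {HIGH_IMPACT[a] for a in risky} - gated
        if missing:
            findings.append({"role": role["displayName"], "check": "no-approval",
                             "detail": sorted(missing)})
        # Least privilege: a role that can wipe or delete devices should be
        # scoped to specific groups and held by few principals.
        for asg in snapshot.get("roleAssignments", []):
            if asg["roleDefinitionId"] != role["id"]:
                continue
            if asg.get("scopeType") in BROAD_SCOPES:
                findings.append({"role": role["displayName"], "check": "broad-scope",
                                 "detail": asg["scopeType"]})
            if len(asg.get("members", [])) > MAX_MEMBERS:
                findings.append({"role": role["displayName"], "check": "too-many-members",
                                 "detail": len(asg["members"])})
    return findings


def make_snapshot(approved, scope, member_count):
    """Build a constructed snapshot: one help-desk role and one lifecycle role."""
    return {
        "roleDefinitions": [
            {"id": "r-helpdesk", "displayName": "Help Desk Operator",
             "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
                 "Microsoft.Intune_RemoteTasks_Sync",
                 "Microsoft.Intune_ManagedDevices_Read"]}]}]},
            {"id": "r-lifecycle", "displayName": "Device Lifecycle Admin",
             "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
                 "Microsoft.Intune_RemoteTasks_Wipe",
                 "Microsoft.Intune_RemoteTasks_Retire",
                 "Microsoft.Intune_ManagedDevices_Delete"]}]}]},
        ],
        "roleAssignments": [
            {"roleDefinitionId": "r-lifecycle", "scopeType": scope,
             "members": [f"user{i}@example.test" for i in range(member_count)]},
        ],
        "approvalPolicies": [
            {"displayName": f"Approve {c}", "policyType": c,
             "approverGroupIds": ["g-approvers"]} for c in approved],
    }


# A tenant that gates only wipes, and hands the lifecycle role to everyone.
WEAK = make_snapshot(approved=["wipe"], scope="allDevices", member_count=8)
# The same tenant after applying the recommendations above.
HARDENED = make_snapshot(approved=["wipe", "retire", "delete"],
                         scope="resourceScope", member_count=2)

if __name__ == "__main__":
    for name, snap in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(snap) or "no findings")
```

The weak snapshot produces three findings against the lifecycle role (retire and delete are not gated, the assignment covers all devices, and eight people hold it); the hardened snapshot produces none. Note that the audit treats an approval policy with no approver group as absent, because a policy nobody can approve blocks the action rather than gating it.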

The Gap: Where Downtime Happens

This guidance is particularly pertinent today given heightened geopolitical tension worldwide. Targeted cyber activity often follows geopolitical escalation, so organizations should assume an elevated risk for the foreseeable future. In addition to CISA's recommendations, we at Absolute encourage organizations to review their endpoint and network configurations and to build cyber resilience that limits the impact of downtime. Cyberattacks that cause downtime are often initiated through seemingly rudimentary security lapses or exposures that are entirely avoidable. Examples include:

  • Loss of reliable visibility and control over endpoints and network access as devices spend most of their time off the corporate network under remote and hybrid work policies.
  • Mission-critical security tools such as disk encryption, network access control, EDR, EPP or UEM agents stop functioning, and the failure goes unnoticed until it matters.
  • Devices fall out of compliance because patches are missing, leaving them exposed to known, already-fixed vulnerabilities that attackers routinely exploit.
  • Incident recovery processes are manual and slow, often requiring remote devices to be shipped back to IT before they can be fully restored and brought back into compliance.

What Resilience Looks Like

To address these challenges, we encourage organizations to strengthen their cyber resilience so that they can achieve the following outcomes:

Endpoint resilience: 

  • Maintain persistent visibility and control over devices whether they are on or off the corporate network, and keep that connection even when a device is tampered with, reimaged or has its drive swapped.
  • Automatically restore critical controls and apps such as encryption, EPP/XDR, UEM, patch and vulnerability management, and network access. Proactively monitor application health and automatically heal apps whenever they fail.
  • Detect and remediate OS, application and configuration drift through automated patching, vulnerability remediation, and configuration policies and workflows.
  • Enable recovery of affected endpoints through firmware-based remediation, even when the OS itself is compromised or corrupted.

Access resilience: 

  • Validate device health and compliance before granting access to the corporate network.
  • Block compromised or misconfigured devices from gaining access to applications, corporate resources and sensitive data.
  • Maintain secure access to critical applications during disruption through reliable and resilient connectivity.
  • Base trust on real-time device posture, and block malicious web content and unsanctioned ("shadow") AI apps.

Why Endpoint and Access Resilience Matter

Resilience matters across both the endpoint and network access because a compromised endpoint quickly becomes a loss of access to critical applications, which is where productivity stops and downtime begins. Without appropriate recovery and access control mechanisms in place, the disruption spreads and causes material impact to business operations. To achieve the outcomes listed above, organizations can take the following practical steps right away:

  • Validate endpoint configurations to monitor patch health and exposure to vulnerabilities.
  • Test failure scenarios and implement automated policies that respond to device or security risks.
  • Ensure security tools are restored automatically whenever they fail or report as unhealthy.
  • Confirm that network access reflects real-time endpoint health by implementing zero-trust and comply-to-connect principles.
  • Identify recovery gaps by rehearsing the restoration of affected endpoints, then streamline that process to limit the potential impact of downtime.
  • See Absolute's Knowledge Base article on best practices for preparing for targeted cyber security attacks.
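The access-resilience outcomes above (validate device health before granting access, block misconfigured devices, base trust on real-time posture) and the comply-to-connect step in this list come down to one decision function run on each posture report. The script below is an added example, not Absolute's product logic or any vendor's policy engine. The signals, the thresholds (15-minute freshness window, 30-day patch age), the agent names and the three-tier outcome of allow, quarantine or deny are this example's own assumptions; the clock and the posture reports are constructed.

```python
"""Comply-to-connect decision from a device posture report.

Added example, not Absolute's product logic. The signals, thresholds and the
three-tier outcome (allow / quarantine / deny) are this example's own
assumptions; the clock and the reports below are constructed."""
from datetime import datetime, timedelta, timezone

MAX_REPORT_AGE = timedelta(minutes=15)  # older than this is not "real-time" posture
MAX_PATCH_AGE = timedelta(days=30)      # drift tolerated before access is restricted
REQUIRED_AGENTS = ("edr", "uem")        # agents that must be present and healthy


def evaluate(report, now):
    """Return {'decision': ..., 'reasons': [...]} for one posture report.

    deny       -> a security control is missing/failed, or the evidence is stale
    quarantine -> controls intact but drift present; remediation network only
    allow      -> posture verified within the freshness window
    """
    reported = datetime.fromisoformat(report["reported_at"])
    if now - reported > MAX_REPORT_AGE:
        # No recent evidence: treat the device as unknown rather than trusting
        # its last good state. "Real-time posture" means exactly this.
        return {"decision": "deny", "reasons": ["posture report stale"]}

    hard, soft = [], []
    if not report.get("disk_encrypted", False):
        hard.append("disk encryption off")
    agents = report.get("agents", {})
    for name in REQUIRED_AGENTS:
        state = agents.get(name, "missing")  # absent agent counts as a failure
        if state != "healthy":
            hard.append(f"{name} agent {state}")
    if now - datetime.fromisoformat(report["last_patched"]) > MAX_PATCH_AGE:
        soft.append("patches older than 30 days")

    if hard:
        return {"decision": "deny", "reasons": hard}
    if soft:
        return {"decision": "quarantine", "reasons": soft}
    return {"decision": "allow", "reasons": []}


def apply_policy(reports, now):
    """Evaluate a batch and return {device_id: decision}."""
    return {r["device_id"]: evaluate(r, now)["decision"] for r in reports}


NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed clock

REPORTS = [  # constructed posture reports, one per scenario
    {"device_id": "LT-001", "reported_at": "2025-01-15T11:58:00+00:00",
     "disk_encrypted": True, "agents": {"edr": "healthy", "uem": "healthy"},
     "last_patched": "2025-01-10T00:00:00+00:00"},           # healthy: allow
    {"device_id": "LT-002", "reported_at": "2025-01-15T11:50:00+00:00",
     "disk_encrypted": True, "agents": {"edr": "healthy", "uem": "healthy"},
     "last_patched": "2024-11-01T00:00:00+00:00"},           # drifted: quarantine
    {"device_id": "LT-003", "reported_at": "2025-01-15T11:59:00+00:00",
     "disk_encrypted": True, "agents": {"edr": "stopped", "uem": "healthy"},
     "last_patched": "2025-01-12T00:00:00+00:00"},           # control failed: deny
    {"device_id": "LT-004", "reported_at": "2025-01-15T09:00:00+00:00",
     "disk_encrypted": True, "agents": {"edr": "healthy", "uem": "healthy"},
     "last_patched": "2025-01-12T00:00:00+00:00"},           # stale evidence: deny
]

if __name__ == "__main__":
    for r in REPORTS:
        print(r["device_id"], evaluate(r, NOW))
```

The distinction between the hard and soft lists is the point: a stopped EDR agent or a missing disk encryption is a control failure and the device is kept off the network until the control is restored, whereas an overdue patch is drift and the device is routed to a remediation-only network where patching can still reach it. The fourth report looks perfectly healthy but is three hours old, and is denied for that reason alone.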

Measuring Your Preparedness

Most organizations do not know how ready they are, or what downtime would cost their business operations. To help gauge your organization’s preparedness, check out the following resources:

Absolute Cyber Resilience Platform

The Absolute Cyber Resilience Platform helps organizations stop downtime through resilient visibility and control anchored in endpoint firmware, together with secure connectivity to the corporate network and critical applications. In a widespread IT or security incident, the Platform’s recovery capabilities let practitioners restore compromised remote devices at scale, even when the OS has been corrupted. These capabilities rely on Absolute Persistence technology embedded in the firmware of PCs shipped by more than 28 global device manufacturing partners. To learn more, check out the interactive product tours of the Secure Endpoint and Secure Access products, reach out to Absolute Sales or request a demo.

Given the heightened global cyber risk, organizations must prepare before it is too late. CISA’s guidance on the safe use of trusted, legitimate products such as endpoint management sets the baseline for security best practice. Embedding cyber resilience into IT and security operations is equally vital to keeping the business running when an incident does strike. Ultimately, stopping downtime means being able to prevent incidents proactively and to recover from them effectively when they do occur.

[1] Uncovering Downtime’s $400B Impact

[2] The CISO Board Prep Success Guide: The 4 Pillars of Business Resilience

[3] Uncovering Downtime’s $400B Impact