Cybersecurity specialists warn that backup strategies are failing to keep pace with rising ransomware attacks and increasingly complex cloud infrastructures. The comments, made around World Backup Day, highlight gaps in how organisations prepare to recover from destructive incidents.
Vendors and incident response practitioners say many businesses still treat backup as a narrow IT function rather than a core part of resilience planning. Their environments now span multiple public clouds, on-premise data centres and software-as-a-service platforms, but backup tools and policies often remain fragmented across those layers.
Dana Simberkoff, Chief Risk, Privacy and Information Security Officer at AvePoint, said backup strategies are under strain as companies spread workloads across Amazon Web Services, Microsoft Azure, Google Cloud and a growing range of SaaS applications. As digital estates expand, organisations face overlapping tools, inconsistent settings and blind spots in recovery coverage.
Many organisations still rely on native backup features built into individual platforms. While those tools can protect local workloads, they do not always provide unified oversight across distributed infrastructure, leaving gaps when incidents affect several environments at once.
That is driving interest in platform-based approaches that treat backup, recovery and governance as linked disciplines. Firms are increasingly examining how backup policies interact with identity systems, infrastructure automation and newer application patterns such as containers and microservices.
Automation and agent-based technologies also bring operational risks. A misconfigured script or compromised orchestration tool can rapidly spread destructive changes across an estate, pushing backup planning higher up the agenda for risk and security teams.
World Backup Day has become a focal point for those discussions. Simberkoff described it as a chance for security and IT leaders to reassess whether their backup models still reflect the complexity of today’s infrastructure rather than the environment they had a few years ago.
“World Backup Day reminds us that backup has become significantly more complex as environments span AWS, Azure, Google Cloud, SaaS platforms, and on prem systems. Tool sprawl and rising cloud costs are pushing organizations to rethink point solutions that only protect individual platforms. Native tools often lack the visibility and consistency required to meet recovery objectives across distributed environments, leaving gaps in resilience when incidents occur. A modern infrastructure backup strategy must address fragmentation by delivering unified protection across multi cloud workloads and critical applications.”
Recovery planning now intersects with broader governance and control requirements. Security teams want consistent policies across cloud and on-premise systems that also reflect how data moves between services during normal operations.
Ransomware response experts say the consequences are clear when those elements are missing. Brandon Williams, Chief Technology Officer at Fenix24, said many organisations still confuse backup with replication and assume any stored copy of data will be enough in a crisis.
“Many organizations still view ‘recovery’ as being a one-size-fits-all solution. Recovering from a malicious threat actor’s behaviors, encryptions, and destructions is VERY different than recovering from an environment failure (storage failure, data center outage, etc.). Backup and Replication are not the same. Backups are the most important defense against mass destruction, ensuring you can put your data back. And not all backups are the same. Backups must be truly immutable (as compared against destructive acts of Threat Actors), you should have multiple copies of backup data, and the ORCHESTRATION of architecting, managing, protecting, testing, and hardening your ‘backup solution’ is critical to ensuring recovery. Backups serve little value if they aren’t recoverable. Recoveries should be tested rigorously. This is key to developing response playbooks and recovery procedures. Plan for real-world scenarios like: ‘What if Active Directory is offline? How are my recoveries impacted?’ ‘What if we can’t immediately delete or overwrite existing workloads prior to recovery? Do we have sufficient available storage to allow recovery?’ Reverse-engineering from a ‘known state’ is the best way to architect recovery, and this can positively impact backup strategies. Partner with an organization that lives in these ‘known states’ every day, one that regularly recovers organizations from their worst days following destructive security events. Leverage their insights into potential impacts, and then make certain your backup strategies address properly protecting your data and lead to assured recovery of your data.”
Williams said ransomware recovery differs sharply from recovery after hardware failure or a local outage. Attackers often try to corrupt or encrypt backups as well as production data, increasing the importance of immutability, segregation and rigorous recovery testing rather than simply retaining historic copies.
Fenix24 Founder and Chief Security Officer John Anthony said many organisations only discover weaknesses after a major breach. He cited Coalition figures showing that more than half uncover partial or complete failures in backup and recovery during significant incidents.
“On World Backup Day, I thought it pertinent to evaluate the importance of backups to ransomware recovery—and other mass destruction events like that seen at Stryker recently. According to Coalition [a cyber liability carrier], 58% of organizations discover a partial or complete failure of backup and recovery capabilities during significant breach. According to our own statistics, we know that 84% of Organisations we meet in breach for the first time and 86% of Organisations we meet in assessment for the first time, technically, do not have a single survivable copy of backups. To make matters worse, of the 16% that do have a survivable copy, during breach, only half of them will have a timely recovery [due to technical limitations of the survivable copy]. We also know from our assessments of cyber resiliency that a whopping 76% of Organisations are knowingly not backing up all their known critical data, and more than 90% of Organisations will not meet their stated RPO and RTO objectives. Recovery is commonly complicated by the lack of clear, continuously updated data discovery, dependency mapping, and correlation of that discovered data and associated dependencies to recovery protection strategies.”
Anthony argued that organisations are statistically unlikely to design and maintain effective recovery orchestration on their own. He pointed to a spending imbalance between breach prevention tools and recovery services, leaving many firms underprepared for the operational and financial impact of a prolonged outage.
“It is statistically unlikely for an Organisation to get the orchestration of recovery right. To complicate matters, Organisations commonly attempt to ‘go it alone’ or take bad advice on how to recover; thus, exacerbating business interruption expenses—the single biggest expense during breach. The breach prevention industry is a $200B industry, and the Recovery industry is a roughly $20B one. Largely all companies are investing significantly in preventing breach while largely ignoring recovery. Backups coupled with the limiting of the destructive blast radiuses surrounding an Organisation’s data are the single most important security controls—and organizations really should prioritize this. Prioritizing recovery, however, does not look like what you might think. This doesn’t mean racing to the nearest backup technology vendor and choosing a new backup product. It also doesn’t mean purchasing ‘immutable’ backups. We commonly see that organizations that believed themselves to have immutable backups actually didn’t. Assurance of recovery is a careful, continuous orchestration of backup products, policies, processes, and people all informed, and hardened, to what threat actors are able and willing to do. Essentially, cyber resiliency is so much more than just purchasing a product and turning on some immutability features. We know that for recovery to be predictable, you need breach informed expert advice that knows how to architect, manage, administer, monitor, harden, test, assure, and measure recovery continuously. Call to action: Measure, leveraging breach informed technical realities, your backup and recovery survival—will you have a recovery? Understand and continuously test, harden, administer, manage, and architect, leveraging a partner that knows breach, your recovery capabilities, know how long it will take to recover. 
“Continuously discover and monitor data and dependencies and correlate this to protection and rigorous testing, have confidence that all data is safe and recoverable at the RPO and RTO required. Reduce the blast radius of destructive acts by complicating IT access to systems—limit TA damage. Know your partners for breach, and have the assurance that they are breach informed, experienced professionals ready to recover at a moment’s notice—Have partners that know you, your systems, and your data intimately. Continuously harden, informed by breach, your resistance controls leveraged by IT—complicate IT access to systems to further limit TA progression.”
The warnings come amid rising attack volumes and more aggressive extortion tactics. Criminal groups increasingly combine data encryption, data theft and disruption of critical infrastructure in a single operation.
Crystal Morin, Senior Cybersecurity Strategist at Sysdig, said ransomware has become a test of how well organisations can restore systems under pressure. She pointed to the speed at which attackers exploit cloud vulnerabilities and stolen credentials.
“With more than 1.7 million ransomware attacks happening every day, organizational security ultimately comes down to how well you can recover. When all else fails, you fall to the level of your backups. However, recovery doesn’t begin in the middle of a breach. It starts long before. Your ability to bounce back is dependent on how well you’ve prepared to recover data and restore operations. Meanwhile, today’s ransomware landscape continues to expand, with attacks rising 53% year over year. And with 3.3 billion stolen credentials in circulation, threat actors often just need to log in. It’s a harsh reality. When vulnerability exploitation and cloud attacks can unfold in minutes, a tested and immutable backup is the difference between a temporary disruption and a lasting catastrophe.”
