Backup practices are under renewed scrutiny as cyber attacks and regulatory demands expose gaps in enterprise resilience strategies.
Organisations are facing pressure to reassess how they protect and recover data, as incidents continue to show that traditional backup approaches often fail under real-world conditions. Security leaders point to longstanding weaknesses in systems, processes and governance that increase exposure during attacks.
Technical debt
“For many organisations, ransom payments are the bill coming due for decades of unaddressed technical debt. Legacy backups never designed for cyber recovery are a liability. Identity sprawl, inconsistent patching, and untested recovery procedures all add interest to the final invoice. Neglecting AI resilience while forging ahead with AI implementations further compounds the risk,” said Niraj Naidu, Head of Sales Engineering ANZ, Rubrik.
“Unfortunately, urgency often isn’t triggered until there is a security event. At this point, it is often far too late,” said Naidu.
“Ensuring rapid recovery requires more than just backups, it demands a strategy of cyber resilience. One key component of this strategy is understanding your Minimum Viable Business. This is the smallest version of the business that can still function and serve customers when an incident compromises systems and operations,” said Naidu.
“Rather than attempt to restore everything, everywhere, all at once, this approach focuses on essential services for revenue generation and regulatory requirements,” said Naidu.
“It prioritises the minimum set of applications and data those services rely on, along with the infrastructure required to run them safely, even during degraded conditions,” noted Naidu.
“Paying a ransom is not a recovery strategy. Addressing technical debt helps ensure that’s one invoice you’ll never have to pay,” added Naidu.
The concept of a Minimum Viable Business reflects a shift in recovery planning. Companies are focusing on restoring only the most critical services first, rather than attempting full system recovery in a single effort. This approach aligns recovery priorities with revenue continuity and compliance requirements.
Regulatory shift
Across Southeast Asia, regulatory changes are increasing the consequences of poor data protection practices.
Singapore’s Personal Data Protection Act and Malaysia’s updated PDPA have introduced stricter requirements for breach notification and cross-border data transfers. Malaysia’s framework includes penalties of up to RM250,000 and prison terms of up to two years for failing to report breaches.
“World Backup Day is a timely reminder that backing up data remains one of the most fundamental yet consistently underprioritised disciplines in enterprise security,” said James Greenwood, AVP, Solution Engineering, Tanium.
“But in 2026, the conversation has to go further than whether organisations are backing up their data,” said Greenwood.
“In markets like Singapore and Malaysia, where data sovereignty and breach notification requirements have hardened significantly, the question is whether they can actually access, verify, and recover that data within the timeframes regulators now expect,” added Greenwood.
“From what we see across the region, many cannot,” noted Greenwood.
These requirements are changing how organisations view backup systems. Data protection is no longer limited to storage. It now includes the ability to prove recoverability within defined timelines.
Endpoint risk
Backup systems are increasingly tied to endpoint security, particularly in hybrid environments where legacy and modern systems coexist.
Unmanaged or unpatched devices can weaken the entire backup framework. Attackers who gain access to these systems may compromise stored data or disrupt recovery processes.
“A backup is only as trustworthy as the infrastructure protecting it,” said Greenwood.
“We regularly see organisations that have invested in backup solutions but have not applied the same rigour to patching, managing, and monitoring the endpoints that sit behind them. If those devices are not visible, not updated, and not tested, the backup itself becomes a vulnerability,” said Greenwood.
“Data sovereignty requirements make this even more acute, organisations must know precisely where their data is, who can access it, and whether the systems holding it are secure. That requires real-time visibility across every endpoint, not periodic manual checks,” added Greenwood.
Hybrid IT environments have increased operational complexity. Many organisations continue to run legacy systems alongside cloud infrastructure. This mix can create blind spots in monitoring and patch management.
Operational focus
Security teams are moving towards continuous validation of backup and recovery capabilities.
This includes testing recovery procedures, verifying data integrity, and ensuring visibility across all systems that interact with backup infrastructure. The goal is to demonstrate that recovery can be executed within required timeframes, rather than assuming systems will function as intended.
The shift reflects a broader change in enterprise security. Backup is becoming part of a wider resilience strategy that includes identity management, endpoint security and compliance readiness.
Click Here For The Original Source.
