From Backup to Cyber Resilience: Why IT Leaders Must Rethink Backup in the Age of Ransomware
This is especially critical for small and midsize businesses (SMBs), which are increasingly targeted because of their leaner defenses. For an SMB generating $10 million in annual revenue, even a single day of downtime can cost $55,076, before factoring in the long-term impact on customer trust and brand reputation. Add to that the mounting pressure to meet compliance mandates, tightening regulations in sectors like finance and healthcare, and the evolving standards set by cyber insurance providers, and it's no longer enough to simply back up critical data. Organizations need a cyber resilience strategy that enables them to maintain operations even during major disruptions.
Let's examine where traditional backup strategies fall short and how SMBs can build true cyber resilience to keep their businesses running when it matters most.
Why traditional backups are necessary but no longer sufficient
For years, backup strategies have followed a familiar playbook: periodic snapshots of critical systems, defined recovery time objectives (RTO) and recovery point objectives (RPO), off-site replication and an occasional test restore. It's a setup that's served many IT teams well — after all, if restoring a lost file worked the last time, why wouldn't it work again?
However, here's the problem: that thinking is rooted in a time when failures were usually accidental — caused by hardware faults, human error or software issues. It doesn't account for today's reality: targeted, persistent cyberattacks that are designed specifically to destroy your ability to recover.
Attackers now routinely wipe or corrupt local backups, compromise admin credentials to gain control of backup systems and disable recovery infrastructure entirely. Many use double and triple extortion tactics, encrypting data, exfiltrating it and threatening to leak it publicly. Worse, the risk doesn't stop within your own perimeter.
Many ransomware campaigns now target supply chains to disrupt multiple organizations at once. As an IT leader, it's essential to recognize the operational risks introduced by third-party vendors in your supply chain. Consider asking:
- How will you extend cyber resilience expectations to vendors and partners?
- Which contractual clauses and attestations (such as HITRUST certification in healthcare) actually give you confidence in their backup and disaster recovery readiness?
Frame the situation in terms of risk appetite. Would your board tolerate a scenario where your backups were encrypted by ransomware? Ask the hard questions:
- Are we willing to accept a three-day infrastructure rebuild just to restore from legacy backups?
- Are we comfortable with a recovery that could take weeks, risking data loss due to untested systems?
- Can we prove to auditors — and cyber insurers — that we can restore operations within the documented window?
If the answer is "no" to any of these, then it's time to rethink your approach to business continuity and resilience.
What cyber resilience is and why it's a strategic shift
Backup focuses on copying data and restoring it later. Cyber resilience goes a step further: it keeps your business running even during an attack.
A resilient cyber posture integrates:
- Immutable backups that are stored off-site in the cloud. These backups can't be modified or deleted by ransomware, unlike local systems that may be compromised if admin credentials are breached.
- Automated, verified recovery testing to ensure your systems can actually restore under pressure. An untested backup is only a theory, not a plan.
- Orchestrated recovery playbooks that rebuild entire services and applications, not just files. Solutions like Disaster Recovery-as-a-Service (DRaaS) help streamline this, enabling faster, more reliable business service restoration.
Before making a decision, also consider the budget vs. risk conversation: What costs your organization more — a week-long outage that stalls production, delays payroll or halts customer transactions, or investing in tooling that prevents it entirely?
Cyber resilience reduces both the likelihood of severe disruption and the impact when it occurs. Insurance may cover losses after the fact, but resilience ensures the business can still operate while the threat unfolds.
How to build a resilience-first strategy that protects your business operations
Achieving cyber resilience demands a framework that connects IT readiness with business continuity. Here's how IT leaders can start building a resilience-first posture that aligns with operational priorities and board-level expectations:
1. Start with a business impact lens
Begin with a business impact analysis (BIA) to map IT systems to the functions they support. Not every system carries the same weight, but your enterprise resource planning (ERP), customer relationship management (CRM), e-commerce platforms and scheduling systems might be mission-critical. Identify:
- Which systems are essential to revenue and service delivery?
- What is the financial and reputational cost of each hour of downtime?
This isn't just about RTO and RPO; it's about knowing which business services must stay online to prevent cascading disruptions.
2. Layer defenses around critical recovery infrastructure
Your backup and recovery systems must be protected like production workloads — or better.
- Enforce multifactor authentication (MFA) and use separate admin credentials for backup consoles.
- Choose solutions that can detect ransomware activity early within backup environments.
- Implement immutable backups and store them off-site, in the cloud, to reduce risk from both ransomware and physical threats.
- Monitor logs and alerts for abnormal behavior. Early visibility buys valuable time during a breach.
3. Automate backup verification and testing
A backup that hasn't been tested is unreliable. Confidence in your recovery plan should come from proof, not assumptions. Automate verification to ensure the recoverability of not just files but also full application-level services.
Incorporate:
- Automated backup testing to validate integrity.
- Orchestrated DR runbook testing to simulate full recovery workflows.
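As an added illustration of the automated integrity check described above (example code, not from the article or any vendor's product), the script below verifies a backup set against its manifest of SHA-256 hashes, checks the snapshot's age against the RPO, and returns the evidence fields a recovery test should record. The manifest layout, the `verify_backup` function and the constructed sample backup are assumptions made for this example.

```python
"""Automated backup verification: manifest checksum check plus RPO evidence.
Added example; the manifest format and sample data are constructed here."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(backup_dir, rpo_hours):
    """Compare every file listed in manifest.json to its recorded SHA-256 and
    check the snapshot age against the RPO. Returns scorecard-style evidence."""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    now = datetime.now(timezone.utc)
    age = now - datetime.fromisoformat(manifest["taken_at"])
    failures = []
    for name, expected in manifest["files"].items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            failures.append(f"{name}: missing")
        elif sha256_file(path) != expected:
            failures.append(f"{name}: checksum mismatch")
    return {
        "verified_at": now.isoformat(),
        "integrity_ok": not failures,
        "within_rpo": age <= timedelta(hours=rpo_hours),
        "failures": failures,
    }


def make_sample_backup(tamper=False, age_hours=0):
    """Constructed sample backup set (not real data) for demonstration."""
    d = tempfile.mkdtemp()
    files = {"erp.db": b"erp-data", "crm.sql": b"crm-dump"}
    taken = datetime.now(timezone.utc) - timedelta(hours=age_hours)
    manifest = {"taken_at": taken.isoformat(), "files": {}}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
        manifest["files"][name] = hashlib.sha256(data).hexdigest()
    if tamper:  # simulate a backup file corrupted after the manifest was written
        with open(os.path.join(d, "erp.db"), "wb") as f:
            f.write(b"CORRUPTED")
    with open(os.path.join(d, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return d
```

In practice the manifest should be generated at backup time and stored in the same immutable location as the backup, so a corrupted copy cannot also carry a rewritten manifest.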
4. Develop and document recovery playbooks
Your recovery strategy should be step-by-step, clear and role-specific.
- Define who restores what, in what order and where.
- Include guidance for reconnecting staff to systems and resuming operations.
- Train non-technical teams to respond appropriately.
For example, if your retail POS goes down, how do store teams inform customers and process orders without eroding trust? Don't overlook crisis communications. Prepare your PR and leadership teams with clear internal and external messaging protocols. Silence and confusion create lasting damage.
Pro tip: Prepare a board-level resilience scorecard
IT leaders should be ready to brief executives with metrics that matter. Create a one-page resilience scorecard that includes:
- Recovery time estimates for key systems.
- Dates of last successful recovery tests.
- Evidence of test results and improvements.
This becomes your conversation starter with board members, compliance auditors and cyber insurers — turning technical readiness into strategic credibility.
Insurance and audit readiness: Turning resilience into ROI
Cyber resilience is a key lever in managing financial risk. Today's insurers and auditors demand clear evidence of preparedness before offering coverage or approving claims.
Expect questions like:
- Do you have immutable backups?
- How often are restores tested — with proof?
- Is backup infrastructure segmented from production?
- Are cloud systems backed up independently?
- What are your actual RTOs and RPOs?
Being able to show documented proof — like logs, test reports, coverage maps or screenshots — can help reduce premiums and ensure claims align with your policy terms. This is also a strategic conversation with your CFO: "Investments in resilience don't just mitigate risk; they protect our ability to recover financially and unlock insurance value."
Rethink backup as a core layer of your resilience
Cyber resilience is no longer just a technical initiative. It is a business-critical strategy that ensures your organization can function even while under attack. Now is the time to assess your resilience posture — identify gaps in immutability, testing and documented recovery. Know where you stand before disruption tests it for you.
Reference: https://thehackernews.com/