For a long time, backup lived quietly in the background of IT. It was something we did for compliance, audits, or the occasional recovery scenario. If it worked, nobody noticed. If it failed, it was usually written off as bad luck or a technical issue.
That world no longer exists.
Today, backup sits right at the centre of an organisation’s security posture. In many ransomware incidents, it is the final line between recovery and prolonged, sometimes catastrophic, business disruption. Yet I still see too many organisations treating backup as an operational afterthought rather than a strategic risk decision.
Modern ransomware attacks are not random or opportunistic. They are patient, deliberate, and commercially driven.
Attackers no longer start by encrypting production systems. They take time to understand the environment, escalate privileges, and quietly target backups. Only once recovery options have been neutralised do they launch the visible attack. By then, the ransom is not a negotiation. It is leverage.
This is why organisations with “backups in place” still find themselves paying ransoms or suffering weeks of downtime. The real question is no longer whether you have backups, but whether you can trust them when everything else has failed.
One of the most common issues I see has very little to do with technology.
IT operations teams are rightly focused on restoring services quickly and keeping the business running. Security teams are rightly focused on containment, investigation, and reducing future risk. Both approaches are valid, but when they collide during an incident, progress slows, pressure increases, and decision‑making becomes fragmented.
Attackers exploit this gap. They do not care about reporting lines or internal responsibilities. They care about the space between them.
The organisations that cope best are the ones that address this tension before an incident occurs. They align IT and security around shared assumptions, shared playbooks, and a shared understanding of what recovery actually looks like under pressure.
There is a mindset shift that every organisation has to make.
If your resilience strategy is built on the assumption that perimeter controls will always hold, it is already out of date. Zero Trust has reshaped how we think about identity and access, but too often backup environments are still designed on trust and convenience.
You have to assume credentials will be compromised.
You have to assume administrative access will be abused.
You have to assume attackers will reach your backup systems.
If that feels uncomfortable, it should. Designing for failure is how you avoid catastrophe.
Not all backups are equal. In many environments, backup systems are still treated as trusted internal tools with shared credentials, broad administrative access, and very little monitoring. From an attacker’s point of view, that makes them a prime target.
Real resilience comes from separation. Backup software and backup storage should not live in the same trust zone. Attack surfaces should be minimised. Destructive access should be removed entirely.
Immutability is often talked about, but not always implemented properly. If a privileged user or compromised administrator can still delete, encrypt, or alter backups, then those backups are not truly immutable. In a real incident, attackers often have privileged access. Your design has to assume that reality.
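One way to test a backup design against the assumptions above, as an added example that is not from the original article: treat each identity as compromised in turn and check whether any backup copy stays out of its reach. The permission names, zone names and inventory are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical permission names; map them to your backup product's real roles.
DESTRUCTIVE = {"delete", "overwrite"}
LOCK_BYPASS = {"disable_lock", "shorten_retention"}

@dataclass
class Copy:
    name: str
    zone: str       # identity domain that controls access to this copy
    locked: bool    # storage-enforced retention lock
    grants: dict = field(default_factory=dict)  # principal -> permissions

@dataclass
class Principal:
    name: str
    zones: set      # zones where its credentials are accepted
    admin_of: set = field(default_factory=set)  # zones it administers

def effective_perms(copy, p):
    if copy.zone not in p.zones:
        return set()  # credentials are useless in a separate trust zone
    if copy.zone in p.admin_of:
        # A zone admin can reset or impersonate any account in that zone,
        # so it inherits every permission granted on the copy.
        return set().union(*copy.grants.values())
    return set(copy.grants.get(p.name, set()))

def can_destroy(copy, p):
    perms = effective_perms(copy, p)
    if copy.locked:
        # A lock that someone can lift is not immutability.
        return bool(perms & LOCK_BYPASS)
    return bool(perms & DESTRUCTIVE)

def unrecoverable_if_compromised(copies, principals):
    """Names of principals whose compromise leaves no intact backup copy."""
    return sorted(p.name for p in principals
                  if all(can_destroy(c, p) for c in copies))

# Constructed inventory for illustration.
PRINCIPALS = [Principal("backup-admin", {"corp"}),
              Principal("domain-admin", {"corp"}, admin_of={"corp"})]
SHARED_ZONE = [
    Copy("primary", "corp", False, {"backup-admin": {"delete", "overwrite"}}),
    Copy("offsite", "corp", True, {"backup-admin": {"shorten_retention"}}),
]
SEPARATED = SHARED_ZONE + [Copy("vault", "vault-local", True, {"vault-op": {"read"}})]

if __name__ == "__main__":
    print(unrecoverable_if_compromised(SHARED_ZONE, PRINCIPALS))
    print(unrecoverable_if_compromised(SEPARATED, PRINCIPALS))
```

An empty result means every modelled compromise still leaves at least one copy intact; any name returned is an identity whose loss alone removes the ability to recover.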
Traditional backup models were created for a different threat landscape. They were designed to protect against data loss, not against adversaries actively trying to prevent recovery.
Resilience today is measured by outcomes, not policies.
How quickly can you restore critical systems?
How confident are you that recovered data is clean?
How effectively can the business continue operating while remediation takes place?
Testing becomes non‑negotiable. A backup that has never been tested is not a capability; it is an assumption. Until a restore has been attempted under realistic conditions, confidence is theoretical at best.
The most important change is this. Backup is no longer just an IT topic. It is a business continuity, financial, and reputational risk decision.
Cyber insurers understand this. Regulators understand this. Attackers certainly understand this. Boards and executive teams now need to engage with backup and recovery in the same way they engage with security strategy and risk appetite.
The organisations that recover fastest are not the ones with the most tools. They are the ones that have accepted that breach is a reality and have designed their backup and recovery strategy accordingly.
Over the years, I have seen too many organisations only discover the limitations of their backup strategy when they are already in crisis. What looked acceptable on paper often collapses under real attack conditions.
At Velocity Technology Group, we spend a lot of time helping organisations step back and ask some uncomfortable but necessary questions.
If credentials were compromised tomorrow, would recovery still be possible?
If backups were targeted first, would they still be trusted?
If IT and security had to respond together under pressure, would roles and decisions be clear?
The organisations that do best are not those hoping they will never be attacked. They are the ones that know exactly how they will recover when it happens.
If you are not completely confident that your current approach would stand up to modern ransomware tactics, reviewing it now is far easier than discovering its weaknesses during an incident.
jonathan.kropf@thevtg.com