
Lessons from the Field, Part III: Why Backups Alone Won’t Save You

James Keiser, Director of Secured Managed Services West

 

 “Backups fail in practice, not in theory.”

 

Key Takeaways

  • Backups fail when they aren’t secured, tested, or built for real attacks.
  • Attackers often compromise backups before triggering ransomware.
  • Backups are recovery tools, not a complete security strategy.
  • True resilience means restoring systems in hours, not days.

Most organizations don’t realize their backup strategy is broken until they need it. 

Not because backups don’t exist, but because they weren’t secured, tested, or designed for how attacks happen today. 

World Backup Day is March 31, but this is something we see year-round. Organizations assume they are protected, only to find out during an incident that their backups are inaccessible, incomplete, or too slow to matter. 

The reality is simple: 

Backups fail in practice, not in theory. 

We’ve seen it repeatedly: 

  • Backups stored on the same network get wiped along with production systems
  • Attackers delete or encrypt backups before anyone detects the intrusion  
  • Recovery takes days or weeks, not hours  
  • Restore processes fail because they were never fully tested  

At CISO Global, we’ve helped organizations recover from ransomware, data corruption, and major outages. The difference between those that recover quickly and those that don’t is not whether backups exist. 

It’s whether they were built for a real incident.

 

The Problem Isn’t Backups. It’s Assumptions.

Most organizations assume: 

  • If backups exist, they are safe  
  • If something goes wrong, recovery will be fast  
  • Someone knows exactly how to restore systems  

In reality, attackers target backup systems early, recovery processes are rarely tested under pressure, and responsibilities are often unclear.

Backups are not a security strategy. They are a recovery tool. 

And recovery only works if it has been engineered, protected, and practiced. 

 

Backups: Your Safety Net, Not Your Security Plan

Backups are essential, but they are not enough. A resilient organization builds layers of protection, so it does not rely on backups alone. 

Here is what that looks like:

 
1. Immutable, Offsite, and Verified Backups

If attackers can access your backups, they will compromise them. 

  • Immutable storage prevents backups from being modified or deleted  
  • Offsite backups ensure data remains safe even if your network is compromised  
  • Regular testing confirms backups can be restored when needed  

Take action: Ask when your last full restore test was completed. If there is no clear answer, that is a risk.

     
2. Zero Trust: Limiting Access to What Matters Most

Many breaches succeed because attackers can move freely once inside the network. If backups are accessible, they become a target.

  • Enforce least privilege access to backup systems
  • Segment backups from production environments
  • Require multi-factor authentication for all backup access

Take action: If an attacker compromises an admin account, could they delete your backups?

     
3. Ransomware Resilience: Recovery Under Pressure

A ransomware attack is not the time to test your recovery process.

Organizations need to be able to answer:

  • How quickly can we restore critical systems?
  • Are our backups clean and free from compromise?
  • Who is responsible for executing recovery?

In many cases, attackers spend days or weeks inside an environment before launching an attack, often identifying and targeting backup systems first.

Even with cyber insurance, recovery depends on your ability to demonstrate strong controls and execute quickly.

Take action: Run a ransomware recovery simulation. Test your process under realistic conditions, not assumptions.

     
4. Cyber Hygiene: Preventing the Need for Recovery

The strongest backup strategy is one you never have to rely on.

That requires:

  • Timely patching to reduce exposure
  • Multi-factor authentication across critical systems
  • Ongoing user awareness to prevent credential compromise

Backups cannot solve an active breach. If attackers still have access, recovery efforts will fail.

Take action: Identify where your environment is most exposed and address those gaps before they are exploited.

     
5. Incident Response and Business Continuity

Backups are only one part of recovery. Without a coordinated response, even strong backups will not be enough.

Organizations need to:

  • Define roles and responsibilities in advance
  • Test response plans through tabletop exercises
  • Align recovery efforts with business continuity priorities

A prepared organization does not just have backups. It knows exactly how to use them under pressure.

Take action: When was the last time your leadership team walked through a full recovery scenario?

     

Resilience Is More Than Just Backups

Backups are your last line of defense, not your first.

They only work if they are protected, tested, and integrated into a broader security and response strategy.

If you are relying on backups alone, you are relying on the most fragile part of your recovery plan.

At CISO Global, we help organizations move beyond assumptions and build resilience that works in real-world conditions. From backup validation to incident response planning, the goal is not just to recover, but to recover quickly and with confidence.

If you are not confident you could restore critical systems within hours, not days, it is time to change your strategy.