The sophistication of cyber-attacks and the vast amount of data needed for AI applications call for more than just backups for recovery.

“Cyber resilience is no longer optional; it’s essential for business survival,” said Anthony Spiteri, Regional CTO APJ, Veeam. “Organizations that fail to modernize their backup and recovery strategies risk not only operational downtime but also reputational damage, regulatory penalties, and financial loss.”

Nigel Ng, Senior Vice President, Asia Pacific, Tenable, also shared why businesses must go beyond backups to strengthen their overall cybersecurity posture: “In an era defined by increasingly sophisticated ransomware and a rapidly expanding digital footprint, backups cannot be an afterthought. They must be rigorously tested, encrypted, and stored in secure environments that guard against unauthorized access.”

However, as digital infrastructures grow more complex with the accelerated adoption of AI in the cloud, backups alone are no longer enough.

Ng said: “It is critical for businesses to fully integrate backup processes within a broader exposure management framework that offers unified visibility across identities, data, cloud workloads, and AI assets. This approach helps organizations minimize their attack surface and significantly speed up recovery after a breach or ransomware event. Taking these proactive steps strengthens operational resilience, protects invaluable data assets, and ultimately helps preserve stakeholder trust.”

Veeam’s Spiteri added: “Cybercriminals have adapted, targeting backups themselves in ransomware attacks, making traditional backup strategies insufficient unless they are part of a larger data resilience framework.”

Furthermore, he pointed out, many small and medium-sized businesses are lagging behind their larger counterparts – they often rely on outdated backup methods, such as external drives, or misunderstand their SaaS vendors’ responsibilities regarding data protection.

“The modern cybersecurity landscape demands proactive data resilience, a strategy that ensures backups remain protected, accessible, and rapidly recoverable in the face of an attack.” 

Han-Tiong Law, Regional CTO, Asean and Greater China, Rimini Street, concurred that data protection requires more than just backups: “As cyberthreats continue to evolve, businesses must also evolve their security posture, implementing proactive measures that go beyond patching. With continuous monitoring, zero-day defense, and the ability to protect systems within seconds after a vulnerability is detected – all without disruption to the business – these are just a few ways organizations can help ensure their data and systems are in good health all year round.”

Data resilience

According to Spiteri, key components of a data resilience strategy include:

• Immutable backups: Cybercriminals are now targeting both data availability and confidentiality – two critical pillars of the CIA triad (Confidentiality, Integrity and Availability). With 87% of ransomware attacks in Q4 2024 involving data exfiltration, companies must ensure they have immutable backups that cannot be altered or deleted
• Automated threat detection: Backups should not be passive archives. Continuous scanning for anomalous activity allows businesses to identify and mitigate threats before they escalate
• Rapid recovery capabilities: A backup is only useful if it can be restored quickly. Organizations must regularly test recovery processes and implement orchestration to streamline business restoration

“The growing sophistication of ransomware attacks has exposed the limits of traditional backup strategies,” said Spiteri. “While backup software is commonly deployed, many organizations fail to implement a comprehensive data resilience strategy. Even the trusty 3-2-1 framework – which ensures robust data protection by maintaining three copies of data, stored on two different media types, with one copy offsite – now needs to be extended to 3-2-1-1-0.”

Crucial for recovery from ransomware, the additional 1-0 includes one immutable or offline copy, and importantly, the entire system is verified to have zero errors.

“Beyond simply having a backup, data resilience means ensuring regular testing, hardening, and conducting disaster recovery drills. Without these measures, businesses remain vulnerable to attack, with recovery efforts potentially leading to reinfection or extended downtime. In today’s threat landscape, data resilience isn’t just a technology issue; it’s a business-critical necessity to ensure continuity, security, and fast recovery when disaster strikes.”