Introduction: The market has shifted. What about your recovery strategy?
Imagine a midsize manufacturing firm on a quiet Tuesday morning. Ransomware has been in their network for days, moving through the environment. Lateral movement has reached their backup storage and poisoned the most recent restore points. The ransomware now starts to encrypt their backup files, and the IT team rushes to the restore console only to realize they no longer have a usable backup.
The backup was once assumed to be a fail-safe. It is the first, and only, element of the recovery strategy to have failed. The most unfortunate fact is that the organization in question had backups, but the backups were not resilient.
The cyber threat landscape of 2026 is almost unrecognizable compared with the time when most enterprise recovery strategies were developed. Ransomware has evolved into a sophisticated multi-stage attack. Attackers now move through the environment with the intent of mapping and destroying the backup systems, and the attack only becomes visible once they have fully mapped the environment.
The financial consequences of being caught underprepared continue to be severe. IBM's Cost of a Data Breach Report 2025 — drawing on data from 600 organizations across different industries — found that the average US breach now costs over $10 million, hitting an all-time high driven by regulatory penalties and extended recovery timelines. Two-thirds of breached organizations in the study were still actively recovering at the time of IBM's survey, with most requiring over 100 days to fully stabilize. The cost is not just financial — it is operational, reputational and increasingly regulatory.
By 2028, Gartner predicts that half of all CISOs will be asked to own disaster recovery in addition to incident response — a meaningful expansion of the security remit that signals a fundamental shift in how organizations think about operational continuity. The signal is clear: recovery is no longer a downstream IT concern. It is becoming a core accountability of security leadership.
The growing gap between backups and resilience
The illusion of readiness
The 2025 Veeam Ransomware Trends Report uncovered an especially interesting gap between how prepared companies believe they are and how prepared they actually are. The report surveyed 1,300 companies globally. Nearly all of the respondents believed that they were prepared for potential attacks. This belief changed quickly after they experienced an attack. The most revealing detail was why companies held that belief: they believed they were prepared because they had plans and tools in place, and assumed that those plans and tools had been put to the test and validated under real conditions.
The report also revealed that almost all companies have some sort of ransomware response playbook; however, many did not build the most fundamental operating controls into it. Examples of such controls include backup verification and a defined chain of command for the response. An untested response playbook is not a response capability; rather, it is a response comfort.
When backups become the target
Traditional backup systems were designed to solve a finite set of problems (e.g., user error, hardware failure, acts of God). They were never designed to answer the most pressing question during an ongoing cyberattack: do I have a known-clean, malware-free recovery point that I can restore from without reintroducing the compromise?
Modern ransomware attacks are designed to exploit this architectural gap in backup systems. Before encrypting production, they neutralize the backup system by deleting shadow copies, destroying catalog data and ensuring that the cleanest remaining restore point is the oldest one. According to Sophos's research, the organizations that suffered the most costly recoveries from a cyberattack were those whose backup systems had been compromised. If the backup system is compromised during an attack, recovery will be more expensive. The most important factor in determining the outcome of a cyber incident is the integrity of the recovery system.
Recovery from cyberattacks is, on average, improving. Over the last several years, more organizations have recovered from ransomware attacks faster than in the year before. Unfortunately, recovery outcomes do not improve for everyone. According to Veeam, only a few organizations that experienced a cyberattack in the past year recovered the majority of their data. For most organizations, that figure is less than half. The gap between the most and least advanced organizations is not explained by budget. It is explained by different recovery architectures and by varying levels of recovery system validation and recovery planning.
Bypassing backups: A new threat
Extortion-only operations represent a new type of attack that cannot be countered by extending backups. There has been a steady increase in cyberattacks in which, rather than encrypting systems, criminals steal sensitive data and threaten to publish it. Under these circumstances, it does not matter whether backups exist. An organization's ability to withstand such an attack depends on data and access management, and on demonstrating that the risk of data exposure has been effectively contained. This is a serious gap in how most organizations define the scope of their protection, and traditional backup systems were never intended to fill it.
Shifting to a resilience-focused recovery approach
The companies that respond fastest to cyberattacks share a fundamental attribute: they treat recovery as a continuous organizational function designed around the outcome of an event, rather than as a temporary IT project. A common set of behaviors distinguishes resilient organizations from those that are caught off guard.
From coverage to assurance
Backup coverage has traditionally been measured as the percentage of systems with backup copies. What really matters is assurance: the ability to restore an uninfected workload supporting a critical business function within the allotted period. This demands continuous validation. The difference between a good backup system and a recovery system is the ability to conduct test restores, perform anomaly scans and document the process. According to Veeam's research, this practice, commonly called backup verification, is perhaps the most important differentiator between organizations that successfully recovered from an event and those that did not.
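As an added illustration of the anomaly-scan half of backup verification (this is example code, not code from the article or from any HCLTech product), the script below scans a chain of restore points held in memory and picks the newest one that passes. It uses byte entropy as a stand-in for a real malware or ransomware scan, and all restore points and file contents are constructed sample data, including two poisoned newest points, so that the cleanest restore point is not the latest one, as the text describes.

```python
import math
from collections import Counter

# Constructed sample data (not from any real backup): a low-entropy plain-text
# file and a maximal-entropy byte block standing in for ransomware ciphertext.
PLAIN = b"quarterly production schedule, line item, quantity, due date\n" * 64
CIPHER = bytes(range(256)) * 16

# Constructed restore points, oldest to newest, as (timestamp, {path: contents}).
# The two newest points have been poisoned, so the cleanest point is not the latest.
RESTORE_POINTS = [
    ("2026-03-01T02:00", {"erp/orders.csv": PLAIN, "erp/bom.csv": PLAIN, "hr/payroll.csv": PLAIN}),
    ("2026-03-02T02:00", {"erp/orders.csv": PLAIN, "erp/bom.csv": PLAIN, "hr/payroll.csv": PLAIN}),
    ("2026-03-03T02:00", {"erp/orders.csv": CIPHER, "erp/bom.csv": PLAIN, "hr/payroll.csv": CIPHER}),
    ("2026-03-04T02:00", {"erp/orders.csv": CIPHER, "erp/bom.csv": CIPHER, "hr/payroll.csv": CIPHER}),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0, text sits far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_fraction(files: dict, threshold: float = 7.5) -> float:
    """Fraction of files in a restore point whose entropy looks like ciphertext."""
    if not files:
        return 0.0
    flagged = sum(1 for data in files.values() if shannon_entropy(data) > threshold)
    return flagged / len(files)

def verify_chain(restore_points, max_suspicious: float = 0.2) -> list:
    """Anomaly-scan every restore point and record a verdict for the recovery log."""
    report = []
    for ts, files in restore_points:
        frac = suspicious_fraction(files)
        report.append({"restore_point": ts, "suspicious": round(frac, 3),
                       "verdict": "clean" if frac <= max_suspicious else "POISONED"})
    return report

def newest_clean_restore_point(restore_points, max_suspicious: float = 0.2):
    """Walk newest to oldest and return the first point that passes the scan, or None."""
    for ts, files in reversed(restore_points):
        if suspicious_fraction(files) <= max_suspicious:
            return ts
    return None

if __name__ == "__main__":
    for row in verify_chain(RESTORE_POINTS):
        print(row)
    print("restore from:", newest_clean_restore_point(RESTORE_POINTS))
```

In a real pipeline the entropy check would be replaced or supplemented by a proper malware scan of a test restore in the quarantine environment, and the report rows would be written to the recovery log as the documentation step.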
Architectural options for immutability and isolation
Ransomware operators target backup systems systematically. The only solution to this architectural issue is to keep at least one copy of critical data that is entirely untouchable: no process connected to a network can modify, delete or re-encrypt it, which provides both air-gap isolation and immutability. Such a storage tier shifts the recovery calculus from the question “Is there any data left to recover?” to “How fast can we recover?” The latter is the question you want to be answering during a crisis.
Focus on clean-room restoration design
Having a backup copy that is ‘clean’ and free of malware is quite different from restoring safely. Infrastructure can retain hidden traces of malware after an attack, and restoring data directly into a live system, without first verifying the backup in a dedicated quarantine staging environment, carries serious risk. In Veeam's 2025 survey, only a third of participants confirmed that they used this type of quarantine environment. Based on this finding, we can assume that the majority were unknowingly reintroducing infected data into production environments. Clean-room recovery is a necessity for smaller organizations that are striving to survive, not just a feature for big enterprises.
Map dependencies before you need them
Without a prior understanding of the dependencies between applications and systems, and of the order in which systems need to be restored, the recovery team makes critical decisions under pressure and with partial knowledge. Dependency mapping, coupled with crown-jewel identification, prioritizes critical workloads, and recovery validation is performed before an incident. This layer of recovery management connects IT recovery to the board's crisis management governance. When the board asks what the organization is doing to manage risk and remain operational, the answer should come from an established playbook, not from improvisation.
Test the plan until it becomes muscle memory
The IBM Cost of a Data Breach Report 2025 states that organizations with end-to-end incident response plans test each phase of those plans, and that these organizations save significantly more money per breach than those without a plan. AI and automation in the security domain shorten incident response times and reduce costs. A well-known and rehearsed plan for recovery and the return to operations in the face of a crisis is one of the most justifiable investments in the cybersecurity domain.
The regulatory dimension is here
The operational implications of recovery readiness have become regulatory implications. The EU's Digital Operational Resilience Act (DORA) requires operational resilience testing, incident response timeframes and controls for risks posed by third parties, and the NIS2 Directive extends similar requirements to operators of essential services and other critical infrastructure. In the US, the SEC's cyber disclosure rules have raised expectations on materiality, and incident reporting is becoming even more prescriptive. The inability to demonstrate recovery capability and the corresponding governance framework exposes an organization to greater risk and guarantees regulatory action.
Conclusion:
Cyber resilience, rather than being viewed as a purchase or a simple compliance requirement, is a change in an organization's operational mindset. Cyber resilience requires an intentional framework (an architecture), a cultural element and the prioritization of recovery, with ongoing and consistent practice that is comfortably situated within the organization’s strategic positioning. Research from 2025 and 2026 reaches similar conclusions: the organizations that will remain intact after a cyber event are those that actively prepare for recovery.
At HCLTech, our data resilience portfolio is founded on a similar principle. VaultNXT creates the foundation of the immutable, air-gapped cyber vault. It provides a segregated environment with Zero Trust and continuous, AI-powered anomaly detection. VaultNXT ensures that, regardless of the environment's state, a forensically clean, isolated copy of critical data is always available. The environment is built to withstand the targeted backup behavior that modern ransomware operations have been known to employ.
RecoverNXT addresses the other half of the equation: orchestrated, clean-room restoration. It takes organizations from "we have a clean copy" to "operations are restored" using automated processes, pre-validated dependency maps and tested recovery runbooks. This process is practiced beforehand rather than created on the fly. Both solutions together meet the NIST Cybersecurity Framework and DORA’s operational resilience requirements, making them audit-ready for the regulatory scrutiny that will affect enterprise security teams in 2026.
The gap between having backups and actually being resilient is real, measurable and closeable. The data is clear. The practices have been established. The architecture is available. The only remaining question is whether organizations want to close this gap proactively or find out the gap’s true extent at the most inconvenient moment.
References
- Veeam — 2025 Ransomware Trends and Proactive Strategies Report (April 2025)
- Sophos — State of Ransomware in Enterprise 2025 (January 2026)
- IBM — Cost of a Data Breach Report 2025 (IBM Newsroom, July 2025)
- Gartner — Top Cybersecurity Trends for 2026 (Gartner Newsroom, February 2026)
- Gartner — Predicts 2026: Cybersecurity Program Rebrands to Cyber Resilience (via Bitsight, December 2025)
- HCLTech — Cyber Resiliency for Your Data (VaultNXT + RecoverNXT)