Computing Security explores how business can be better protected against the ravages of data loss and features Bridgeworks CEO & CTO, David Trossell for greater insights.
June 2025
The State of SaaS Backup and Recovery Report 2025 unveils a number of key kinds from more than 3,000 IT and information security professionals worldwide.
These include:
- 25% of organisations have no policies or controls in place to prevent malicious access too their back up infrastructure.
- More than 60% of organisations believe they can recover from a downtime event within hours. In reality, only 35% could.
- Only 40% of organisations expressed confidence that their backup and recovery solution can sufficiently protect critical digital assets in a disaster.
Why is there such a gulf between the imperative for organisations to implement the right Backup and Recovery plans and the reality of how inadequate the ‘solutions’ they do adopt often seem to be? Is there a common point of failure most organisations share and, if so, why is it happening – and often repeated farther down the line?
AFTER THE EVENT
“Unfortunately, many organisations don’t realise how robust their backup processes are until they need to use them, comments Jon Fielding, managing director, EMEA, at Capricorn. “Our own research mirrors the findings of the SaaS survey, revealing that only 50% of organisations were able to recover their data last year. A further 25% were able to perform a partial recovery, while 8% ere unsuccessful. Collectively, these findings expose an overconfidence among businesses in their ability to recover, demonstrating the importance of routinely testing backups to ensure they are fit for purpose.”
There are other factors that are exacerbating the problem of reliability, adds Fielding, with the SaaS report pointing to three of these: hybrid working, rapid cloud adoption and cyber threats.
“Hybrid working has placed much more on the end user, which can see backups performed manually, incorrectly or missed altogether,” he continues. “In fact, mobile workers were found to be actively putting data at risk in our survey, with 73” lacking the skills and technology needed to keep data safe, despite being willing to comply with security measures. Consequently, 60% of security decision makers said they expected their employees to put their corporate data at risk of a breach.”
Cloud migration and the widespread adoption of SaaS applications have also caused issues, due to the assumption that backup is included when it’s usually offered as an add-on.
Finally, cyber threats are said to be evolving, with threat actors now purposely targeting, backup repositories. The Apricorn survey found automated backup to both central and personal repositories surged to 30% last year, up from 19% the year before, and cognisant of this fact ransomware groups in particular are now actively targeting these to prevent recovery. “For this reason, it’s critical that businesses ensure they have a multi-layered backup policy that follows the 3-2-1 rule to spread the risk,” says Fielding. “This advocates rates there should be at least three copies of the data, stored on at least two different media, one of which should be offset and ideally off-line. In addition, the data should also be encrypted to ensure it remains unreadable, just in case it falls into the wrong hands.”
UK RECESSION FEARS
During a recession, budgets tend to be cut across the board, points out David Trossell, CEO and CTO of Bridgeworks. “So, with concerns that the UK may enter a recession, industry experts are keeping an eye on whether cybersecurity will maintain its course. While organisations increasingly recognise the importance of protecting their data, for the outset or murmuring of a recession this can quite often lead to highly risky decisions that could open opportunities for cybercriminals, because of lower investments in cybersecurity.”
He sites, by the way of an example, Pinpoint Search Group that found banking sector cybersecurity funding fell by more than half to $1.9 billion during the second quarter of 2023. Why? Fears of a recession and the expectation of a hike in interest rates. In 2022, cybersecurity funding sat at $4.3 billion.
“The gulf in cybersecurity investments and plans may be caused by uncertainty,” says Trossell. “It’s human nature to hold back funds whenever there’s the possibility that sales revenues may fall against a backdrop of rising costs. However, the costs of a data breach far outweigh the costs of investing in uptime, disaster recovery and regulatory compliance with, for example, GDPR.”
Effective cybersecurity doesn’t necessarily mean that an organisation must ditch its existing infrastructure, he adds. “To expedite backups and to restore data rapidly, for example, it can use WAN Acceleration, which mitigates latency and packet loss, while being able to send and receive encrypted data – unlike WAN Optimisation – cutting hours or days off the process. It is also essential to maintain air gaps to protect the most vulnerable and sensitive data.”
The most common points of failure are reduced investments in cyber-security, investment adversity and complacency. “It’s likely cause is economic and financial uncertainty, even though that gives cause to more investment in cybersecurity – not less.”
GLARING GAP
In today’s digital-first landscape, the imperative for robust backup and recovery planning has never been clearer, states Steve Wiggs, Hybrid Data Centre practice lead, MTI Technology, “Yet, in our work at MTI Technology-where we’ve delivered secure backup reviews fro 98% of NHS UK Trusts, we continue to see a glaring gap between this urgent and the underwhelming solutions many organisation adopt. Why does this gap persist? The truth is, most failure stem not from a lack of tools, but from fundamental misunderstanding of ownership, testing and threat evolution.
He offered three common points of failure:
False Confidence in Native Saas Tools “Mid-sized organisations relying on Microsoft 365, Google Workspace or Salesforce often assume these platforms provide complete protection. They don’t. Native tools typically offer limited retention, no legal hold compliance and little recourse in ransomware scenarios.”
Inadequate Testing “A backup is only as good as its last successful restore. Yet few organisation perform routine testing. Without validation, issues like configuration drift or silent corruption go unnoticed until disaster strikes. This lack of discipline is a critical, repeated mistake.”
Security Vulnerabilities “Modern ransomware increasingly targets backups. Without immutability, isolation and zero-trust controls, backup environments become a liability, rather than a lifeline. In 2024, backup-specific attacks surged by 140% a wake-up call few have fully addressed.
“Backup and recovery are often treated as IT hygiene tasks, not board-level risks,” adds Wiggs. “Without strategic prioritisation, decisions default to “built-in” tools or checkbox compliance. This perpetuates a cycle of under-investment, inadequate protection and slow response times. To close the backup gap, organisations must treat recovery not as an IT task, but as a core resilience strategy. First, implement the 3-2-1-1-0 rule – ensuring immutability, isolation and zero-error validation. Secondly, automate testing to detect issues early, not during a crisis. Thirdly, secure backup infrastructure with zero-trust access, encryption and AI-powered anomaly detection. Finally, elevate backup to a board-level priority. Without executive ownership, backup remains underfunded and reactive.”
Click here to read the article on Computing Security, pg 26-27.
