A new report finds that roughly one-third of UK businesses aren’t backing up all sensitive data, and only 45% follow the “3-2-1” backup rule (three copies, two media types, one off-site) or maintain immutable, tamper-proof backups. Experts say that, while preventing every cyberattack is unrealistic, a robust recovery plan is well within reach — and current under-investment leaves many firms dangerously exposed.
Sources: OnPar Tech, IT Pro
Key Takeaways
– Many firms operate under a false sense of security: having a backup system doesn’t guarantee recovery, especially when backups are incomplete or improperly stored.
– The majority of businesses fail to follow best practices like the 3-2-1 rule or to use immutable storage — increasing the risk that a breach or ransomware attack could destroy both live data and backups.
– True resilience requires not just prevention, but a tested recovery plan: regular verification, diversified backup locations/media, and immutable copies are essential to avoid catastrophic data loss.
In-Depth
In recent years, organizations have poured time and money into threat detection, malware protection, and cloud migration. Yet a glaring vulnerability remains under-addressed: data backup and recovery. According to a recent article, about one-third of UK firms fail to back up all their critical data — from virtual machines to unstructured files — putting them at major risk if disaster strikes. Shockingly, only 45% of businesses comply with the widely accepted “3-2-1” backup rule (three copies, two different media, one off-site). Even fewer use immutable backups — write-once, tamper-proof storage that can’t be altered or encrypted by ransomware.
This isn’t mere tech-geek paranoia; there are real consequences. Firms that lose data often take weeks or months to restore operations — if they can at all — costing not just money, but reputational damage and broken customer trust. In the UK alone, one firm cited in the coverage reported that more than 800,000 businesses lost data over a five-year span, costing over £1 billion annually, with small-to-medium businesses bearing the brunt.
Many IT practitioners admit they’re overly optimistic: a survey of backup professionals found 60% believe they could fully recover data within 24 hours — yet only 35% actually can. That gap between expectation and reality reflects a broader problem: complacency. Business leaders assume backup systems are inherently reliable once configured, and move on. But backup systems degrade, storage media fail or become corrupted, configurations go out of date — and worst of all, backup infrastructure is itself a target, with ransomware aimed specifically at backup repositories.
Over-relying on default cloud-provider retention policies is a frequent misstep. These often keep deleted data for only 30 to 90 days. If a breach goes unnoticed for longer — or attackers immediately delete or corrupt primary and backup data — restoring everything may be impossible. Without a disciplined, tested recovery process and off-site, immutable backups, many enterprises are effectively uninsured against digital catastrophe.
That’s not to say prevention doesn’t matter — cybersecurity hygiene, patching, and threat detection remain vital. But prevention alone won’t guarantee survival. What’s needed is the recognition that recovery is just as important as defense. Immutable backups, diversified storage (on-premises, off-site, cloud), regular restore drills, and clearly defined disaster-recovery policies are not optional extras — they are the foundation of real business resilience.
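As an added example (not from the report or the article), the checks above can be turned into a small inventory audit: given the live dataset and its backup copies, it flags gaps against the 3-2-1 rule, the absence of an immutable off-site copy, retention windows shorter than a plausible breach dwell time, and backups that have never been proven by a restore drill. The 180-day dwell allowance, the 90-day drill interval, and the sample inventory are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class DataCopy:
    name: str
    is_backup: bool            # False for the live dataset, which counts as copy #1
    media: str                 # "disk", "tape", "object-storage", ...
    off_site: bool             # held away from the primary site
    immutable: bool            # WORM / object lock: cannot be altered or deleted early
    retention_days: int        # how long deleted or overwritten versions survive
    last_restore_test: Optional[date] = None   # None = never proven by a real restore

Finding = Tuple[str, str]      # (code, detail)

def assess(copies: List[DataCopy], today: date,
           min_retention_days: int = 180, max_test_age_days: int = 90) -> List[Finding]:
    """Empty list = policy met; else one finding per gap. min_retention_days is an
    assumed dwell allowance so a long-unnoticed intrusion still leaves clean versions."""
    f: List[Finding] = []
    if len(copies) < 3:
        f.append(("3-2-1:copies", f"{len(copies)} copies, need 3 (live + 2 backups)"))
    if len({c.media for c in copies}) < 2:
        f.append(("3-2-1:media", "all copies on one media type, need 2"))
    if not any(c.off_site for c in copies):
        f.append(("3-2-1:offsite", "no off-site copy"))
    if not any(c.immutable and c.off_site for c in copies):
        f.append(("immutable", "no immutable off-site copy: one intrusion can wipe live data and backups"))
    for c in copies:
        if not c.is_backup:
            continue
        if c.retention_days < min_retention_days:
            f.append(("retention", f"{c.name}: {c.retention_days}d retention < {min_retention_days}d dwell allowance"))
        if c.last_restore_test is None:
            f.append(("untested", f"{c.name}: never restore-tested"))
        elif (today - c.last_restore_test).days > max_test_age_days:
            f.append(("stale-test", f"{c.name}: last restore test {(today - c.last_restore_test).days}d ago"))
    return f

# Constructed sample inventory: a typical "we have backups" setup (assumed values).
TODAY = date(2025, 11, 1)
INVENTORY = [
    DataCopy("prod-db", False, "disk", False, False, 0),
    DataCopy("nas-nightly", True, "disk", False, False, 30),          # same site, default 30-day window, never drilled
    DataCopy("cloud-locked", True, "object-storage", True, True, 365, date(2025, 9, 1)),
]

if __name__ == "__main__":
    for code, detail in assess(INVENTORY, TODAY):
        print(f"[{code}] {detail}")
```

Run as-is, the sample inventory passes 3-2-1 and has an immutable off-site copy, but the on-site NAS copy is flagged twice: its 30-day window is shorter than the assumed dwell time, and it has never been restore-tested.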
In an era when cyberattacks and ransomware increasingly target recovery infrastructure itself, neglecting these safeguards is not just irresponsible — it’s dangerous. Organizations that want to remain standing when the worst happens must stop assuming “it won’t happen to us,” and start preparing as though it already has.