
Why 'backup' is dead... and what comes next
We attended an AI event recently. Our guest presenter, Broderick Smith, nailed it when he said:
“I often hear security teams saying that Data Governance is a subset of CyberSecurity, and I think the reality is the opposite. CyberSecurity is a subset of Data Governance.”
It’s a line that has stuck with us because it perfectly captures a mindset shift that’s overdue in many organisations.
If you still think of backup as a standalone function — something separate from security, risk, or governance — it’s time to rethink.
Backup Isn’t Recovery
For years, ticking the “backup” box was enough. You’d run a job, capture a log file that said “backup successful”, and everyone slept a little easier. The problem? That log file was never a guarantee that you could actually restore the data.
Even before ransomware became a daily headline, recovery was a pain point. Failed restores, missing backups, corrupted files — we’ve seen it all. And now? The threat is dramatically worse.
Modern Disasters Aren’t What They Used To Be
Once upon a time, disasters were simple:
A server failure.
A database corruption.
Someone accidentally nuked a file share.
Today, disaster usually means one thing: a cyber attack. Ransomware attacks are specifically designed to destroy your ability to recover. Modern attackers aren’t just encrypting production data — they go hunting for your backups. If they can encrypt those too, your only choice is to pay the ransom.
📊 94% of ransomware attacks in 2024 targeted backup repositories. (Source: Sophos)
Backup Alone Is No Longer a Viable Strategy
This is the key shift: backup ≠ resilience. In today’s world, resilience means:
Continuous protection of critical systems.
Immutable storage so attackers cannot alter, encrypt, or delete your backups.
Automated, tested recovery processes. If you haven’t tested it, you cannot assume it works.
Backup vs. Continuous Protection vs. Long-Term Retention vs. Archive
(This stuff matters — and most orgs blur the lines badly.)

The Compliance Wake-Up Call
Regulators and auditors no longer accept “we had a backup log” as good enough.
Frameworks like APRA CPS 234, ISO 27001, GDPR, NIST CSF, and others increasingly expect organisations to prove:
That data can be restored fast.
That recovery has been tested, not just assumed.
That backup systems are protected from ransomware, insider threats, and failure.
The Good News: Technology Has Moved Faster Than Most People Realise
Most backup platforms today support:
Immutability — data that cannot be altered, even by administrators.
Automated recovery testing — simulate full restores regularly without human effort.
Continuous data protection — protecting data as it changes.
The problem isn’t technology. It’s a mindset. Most organisations still configure their backup tools the same way they did ten years ago.
Backup Is Dead. Resilience Lives.
If you're still asking, “Is our backup working?”, you're asking the wrong question.
The right questions are:
“Can we recover — fast — from an attack?”
“Are our backups protected from ransomware?”
“Are our recovery processes automated, tested, and proven?”
“Do we know the difference between short-term recovery, long-term compliance, and real-time protection?”
How ITAaaS Can Help
This is the work we do every day. No products. No vendor bias. Just architecture advice from experts who’ve seen where this goes wrong. We help you:
✔️ Review your current backup and recovery architecture.
✔️ Design for continuous protection and automated recovery.
✔️ Benchmark against regulatory requirements and cyber risks.
✔️ Run recovery readiness workshops to prove it works.
➡️ Ready for a reality check on your recovery strategy?
Download a copy of our Business Resiliency and Recovery Assessment Service overview.
Reach out and book a short introductory call at sales@ITArchitectaaS.com.au

