In 2026, the data protection stakes continue to fundamentally shift. Backups are a key component of defence against a modern type of attack, as they reduce downtime, prevent data loss, and enable reliable recovery.
The cyber threat landscape has entered an era of fully automated, AI-generated ransomware that probes systems 24/7 at an unprecedented speed and scale. According to Crowdstrike’s 2026 Global Threat report, in 2025 there was an 89% increase in attacks by AI-enabled adversaries year-over-year, with the average breakout time – the time it takes an attacker to move from the initial entry point to deeper into the system – falling to just 29 minutes. This is a 65% increase in speed from 2024.
There is even a new term for the modern approach: vibe hacking uses Large Language Models to automate and scale intrusions, and it has created a stark digital divide. On one side are organisations whose systems have kept pace with AI-enabled threats. On the other are those still treating backup as a legacy insurance policy rather than a strategic differentiator.
In the event that AI-driven attacks encrypt or manipulate data, a contemporary robust backup strategy has become crucial for the rapid recovery of data and systems. Regular, up-to-date snapshots reduce the time required for recovery, thereby minimising business disruption, but they themselves need to be protected so that they cannot be deleted or changed.
Historic rules for historic infrastructure
Against the backdrop of AI-based threats, attacks designed to cripple the organisation as quickly as possible (wiperware attacks) and new regulatory requirements, organisations have to rethink their backup and resilience strategy. Production workloads previously operated on high-performance primary storage. Backups were stored in a different location – often on specialised backup hardware, designed to store as much data as possible without a great emphasis on data recovery speed. The logic was: isolation reduces risks, speed of backup is what matters most and restore speeds matter less since we’ll generally only need to recover a small amount of data when mistakes happen.
Modern approach to solve for modern issues
The approach discussed above is obviously not fit for purpose anymore and if companies cling to it without rethinking the underlying assumptions, this can now increase risk rather than reduce it.
For the modern global enterprise, the conversation must evolve from simple data protection to true multi-layered cyber resilience. This integrates traditional prevention with lightning-fast recovery, ensuring that if an attack succeeds, the business recovers in minutes or hours, not days or weeks. In an age where AI agents drive real-time customer interactions, downtime is no longer just an inconvenience, it’s a board-level crisis and a threat to brand survival.
For 24×7 global organisations, recovery targets are now clearly defined (and in many cases even enshrined in regulation) and organisations may have to recover the “minimal viable business” in a matter of hours, not days. Standard backups, or frankly any method that requires data movement at the time of recovery will fail to meet the RTO requirements of the modern enterprise. Immutable snapshots on data storage systems that can directly be used to run services are the only way to achieve these recovery objectives, since no data movement is required.
This does not eliminate the need for isolation though. A thoughtful multi-layered resilience architecture should involve:
- Immutable and indelible snapshots on the production storage systems. This is the fastest way to recover critical systems if still available, since no data movement or network reconfiguration is required.
- Storage level data replication to disaster recovery systems. This is to provide a recovery environment in case of physical disaster, power or networking outage.
- Storage level data replication and immutable snapshots of the data required to run the Minimum Viable Business in a Secure Isolated Recovery Environment (SIRE) or “clean room”. This should involve isolated networks to allow for data to be recovered and sanitised if needed without connection to what may be an infected production network.
Backup: a 365-day mandate
Organisations must move beyond treating data protection as a one-off priority and instead ensure they assess this critical issue consistently throughout the year.
Ransomware recovery SLAs (Service Level Agreements) have become a new gold standard. In many regulated industries globally, the ability to restore critical services in a matter of hours is no longer a goal – it is a baseline requirement. This shift is being accelerated by a global wave of resilience mandates like DORA and NIS 2 in the EU. Regulators are no longer just asking, how organisations can prevent an attack, but how fast they are able to recover. This means, for modern enterprises an outdated backup strategy isn’t just a technical risk, it is now a major compliance failure. If their primary storage is locked down for a forensic investigation by insurers or law enforcement, they need a strategy that provides an alternative, operational environment immediately.
