Security vendors love to sell you the shiny stuff. Endpoint detection, AI-driven threat hunting, zero-trust architectures with names that sound like Marvel villains. But ask any incident responder what actually saves a company from ransomware, and they’ll tell you something boring: backups. Specifically, backups that work, are tested, and aren’t reachable from the network being held hostage.
The dirty secret is that prevention will eventually fail. The question isn’t whether you’ll get hit but how quickly you can recover. And recovery is a backup problem, not a firewall problem.
Why backups get treated as an afterthought
Backups don’t generate sales meetings. There’s no quarterly board slide bragging about your snapshot retention policy. They sit in the operations budget, get cut first when finance squeezes, and rarely get tested because testing is tedious and nobody wants to be the person who broke production while validating restore procedures.
Worse, modern IT often treats cloud sync as a backup. It isn’t. If ransomware encrypts your files and your cloud folder syncs the encrypted versions, you’ve just paid a subscription to replicate the damage. True backups are immutable, versioned, and isolated from the production environment. Most organizations have something they call a backup that fails at least one of those tests, and they only find out the day they need it.
What actually works
The 3-2-1 rule still holds: three copies, two different media, one offsite. Add immutability and air-gapping for ransomware-grade protection. Object-lock storage on cloud providers can prevent even an admin with stolen credentials from deleting backups within the retention window.
But hardware and software are the easy part. The harder part is testing restores on a regular cadence. A backup you’ve never restored is a hope, not a plan. Run quarterly drills where you actually rebuild a system from cold storage and time how long it takes. The number will surprise you, and your recovery time objective will quietly get more honest.
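A minimal version of the restore drill described above, as an added example (not tooling from this post or any vendor): it unpacks a backup into scratch space, checks every file against a SHA-256 manifest recorded when the backup was taken, and times the run against a recovery time objective. The tar-plus-manifest layout and the sample files are assumptions constructed for the example.

```python
# Restore drill: unpack a backup into scratch space, verify every file against
# a SHA-256 manifest taken at backup time, and time the run against an RTO.
# Added example, not the author's tooling; the tar-plus-manifest layout is an
# assumption. A synced copy whose contents were encrypted in place after the
# manifest was recorded cannot pass this check, which is the point of the drill.
import hashlib
import io
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(files):
    """Constructed sample backup: tar bytes plus a {member: sha256} manifest."""
    buf, manifest = io.BytesIO(), {}
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def restore_drill(archive, manifest, rto_seconds):
    """Restore into a throwaway directory; return {ok, failures, elapsed}."""
    start, failures = time.monotonic(), []
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            try:
                tar.extractall(root, filter="data")  # rejects path-traversal members
            except TypeError:  # older Python without extraction filters
                tar.extractall(root)
        for name, expected in manifest.items():  # every file, not a sample
            p = root / name
            if not p.is_file() or sha256_of(p) != expected:
                failures.append(name)
    elapsed = time.monotonic() - start
    return {"ok": not failures and elapsed <= rto_seconds,
            "failures": failures, "elapsed": elapsed}
```

The `elapsed` figure is the number the post says will surprise you; feed it back into the RTO rather than the other way round.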
The economics nobody runs
Compare the cost of a robust backup program against the average ransomware payment, the lost revenue during downtime, and the regulatory fines that follow a breach. Backups are almost always cheaper by an order of magnitude. Yet companies routinely spend more on a single threat intelligence subscription than on the backup infrastructure that would save them if that intelligence missed something.
The asymmetry is wild. A perimeter tool has to work every single time. A backup only has to work once, on the worst day of your year. Which one deserves more investment?
The bottom line
Backups aren’t glamorous, and they won’t get you promoted. But they’re the only control that genuinely makes ransomware survivable. If your security budget has gleaming tools at the perimeter and a dusty tape drive in the corner, you’ve got it backwards. Test your restores, isolate your copies, and treat backups as the last line that has to hold. Because eventually, it will be.