Is your backup strategy leaving you exposed?

The wrong approach to backup strategy could leave you at risk of extortion

In a previous blog about cloud complacency and the risks to Microsoft 365, we discussed the dangerous assumption that if data is “in the cloud,” it must be backed up and protected.

But that’s at odds with the cloud providers’ model of shared responsibility. They make it clear that customers need to organise their own backups.

So you’ve done your due diligence. You understand the model, you’ve implemented backups and you feel protected. You’re safe now, right?

Perhaps not.

Bad actors are after those backups, and due to evolving threats, how you back up is just as important.

The cloud has become the SMB’s data centre

For years, organisations have embraced cloud services for their flexibility, scalability and ease of management. As a result, businesses haven’t just added cloud services — they’ve effectively moved their data centre into it. According to Cloudtech, over two-thirds of data workloads and data now live in the cloud.

The problem is bad actors know this, and they have adapted to it.

According to the CrowdStrike 2024 Global Threat Report, there has been a 75% increase in cloud intrusions, with 62% of intrusions coming from the abuse of valid accounts.

The trend is clear. Rather than relying solely on malware, attackers are increasingly targeting identities and exploiting legitimate access. And with AI, they’re accelerating and iterating these attacks faster than ever before.

The objective is no longer simply to encrypt data. It’s to gain control of critical business systems and create leverage for extortion.

Attackers are following the data

As data moved into cloud platforms and SaaS applications, the attack surface shifted with it. Today’s bad actors increasingly adapt their tactics to target identities and then compromise backups, which means recovery strategy becomes just as critical as prevention.

If an attacker gains control of a privileged account, they can frequently bypass traditional security controls and gain access to production systems, administrative tools and backups. From there, they may disable, modify or delete recovery points, dramatically increasing the impact of an incident.

The results are sobering: 94% of victims have their backups targeted by attackers. Bad actors understand that for many businesses this was their “insurance policy,” and if that’s taken away, they have nothing to fall back on. That leaves them vulnerable to extortion.

If attackers control your tenant, they control your backups

As the old adage says: don’t put all your eggs in one basket.

A common design flaw in cloud environments is storing backups inside the same tenant and security boundary as production workloads. When that happens, backups often inherit the same identities, permissions and administrative controls as the systems they’re intended to protect. If an account is compromised, then so are the backups.

You can’t rely on providers like Microsoft to stop such intrusions. They may help you put measures in place to mitigate breaches, but at the end of the day they’re just responsible for the availability of the platform. The data, identities, configurations and how those services are used ultimately remain the customer’s responsibility.

Perhaps most importantly, cloud platforms cannot determine intent. If a request is made using valid credentials and sufficient permissions, the platform has no reliable way of knowing whether the action is being performed by an authorised employee or an attacker using stolen credentials.

Building for resilience

This is where cyber resilience comes in. It’s not just about preventing incidents. It’s about designing environments so that when something does happen, you can contain it, recover quickly and keep the business running.

When we talk about cyber resilience in the cloud, it really comes down to a few foundational principles.

Strong identity and access controls reduce the likelihood of compromise, but resilience also requires protecting the backups themselves through immutability and isolation.

Once again, a 3-2-1-1-0 approach is the strongest defence:

  • 3 copies of data (to protect against data loss)
  • 2 different formats (stored on at least two media types)
  • 1 off-site copy (to protect against physical disasters)
  • 1 immutable copy (ensuring ransomware-proof backups)
  • 0 doubt you can recover (regular testing guarantees reliability)

Using technologies like WORM (write once read many) storage or immutable snapshots means even if an attacker gains admin privileges, they can’t easily modify or delete your recovery points.
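
The 3-2-1-1-0 rule and the same-tenant design flaw described above can be checked mechanically against a backup inventory. The Python below is an added example, not code from this post or from any vendor; the inventory fields, tenant names, sample copies and the 90-day restore-test window are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                      # e.g. "cloud-disk", "object-storage"
    tenant: str                     # identity/security boundary that administers it
    offsite: bool = False
    immutable: bool = False         # WORM storage or immutable snapshot
    last_restore_test: Optional[date] = None
    restore_errors: Optional[int] = None
    production: bool = False        # the live data counts as one of the 3 copies

def audit(copies, today, max_test_age_days=90):
    """Return {rule: passed} for 3-2-1-1-0 plus isolation from the production tenant."""
    prod_tenants = {c.tenant for c in copies if c.production}
    backups = [c for c in copies if not c.production]

    def proven(c):
        # "0 doubt": a restore test that ran recently and finished with zero errors.
        return (c.last_restore_test is not None and c.restore_errors == 0
                and 0 <= (today - c.last_restore_test).days <= max_test_age_days)

    return {
        "3 copies": len(copies) >= 3,
        "2 media types": len({c.media for c in copies}) >= 2,
        "1 off-site": any(c.offsite for c in backups),
        "1 immutable": any(c.immutable for c in backups),
        "0 doubt (tested restore)": any(proven(c) for c in backups),
        "outside production tenant": any(c.tenant not in prod_tenants for c in backups),
    }

def failed(copies, today):
    return [rule for rule, ok in audit(copies, today).items() if not ok]

# Constructed sample inventory (hypothetical names and dates).
TODAY = date(2025, 6, 1)
PROD = Copy("m365-live", "cloud-disk", "tenant-prod", production=True)
WEAK = [PROD, Copy("in-tenant-snapshot", "cloud-disk", "tenant-prod")]
HARDENED = WEAK + [
    Copy("vault-copy", "object-storage", "tenant-backup", offsite=True,
         immutable=True, last_restore_test=date(2025, 5, 10), restore_errors=0),
]

if __name__ == "__main__":
    print("weak:", failed(WEAK, TODAY))
    print("hardened:", failed(HARDENED, TODAY))
```

The in-tenant snapshot alone fails every rule, and the hardened inventory drops back to failing the "0" once its last restore test is older than the chosen window.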

Testing your recovery is vital

This is the ‘0’ in the 3-2-1-1-0 approach. It’s not just about having backups. It’s whether you can recover when something goes wrong. If you haven’t tested it, validated it and proven you can restore quickly, you’re really just hoping it works when you need it most.

And that’s where the challenge begins. Many organisations assume they’ll be able to recover, but without a tested disaster recovery plan, that assumption becomes a gamble. Companies without one often take weeks to recover from an attack.

The three questions that you need to be able to answer are:

  • Are my backups actually usable?
  • Where can I restore my workloads if the primary environment is compromised?
  • How much of the recovery process can be automated rather than rebuilt manually under pressure?

If you can’t answer those questions confidently, then you leave your data vulnerable to ransom.
