What is your 2026 data protection and cyber recovery strategy?

Background

Back in 2020, I wrote that ransomware was getting smarter and that relying on a single, always-online backup target was going to end badly sooner or later. That core idea still holds up.

What has changed is the speed, scale, and adaptability of modern attacks.

11:11’s own Cyber Trends Report 2025 is a useful reference point here. It found that 82% of organisations experienced a significant cyberattack in the past year, 57% endured two or more attacks, and over 80% of IT leaders agreed their companies were overconfident in their cyber incident recovery abilities.

The same Cyber Trends Report 2025 also found that 74% of IT leaders believe integrating AI into their business could increase vulnerability to cyberattacks, while 30% still do not test recovery plans annually.

Today, attackers are not just encrypting data. In many cases, they are stealing it first, threatening to leak it, and using AI to help with reconnaissance, credential harvesting, malware development, and even the wording and timing of extortion demands. We are also seeing the first known examples of AI-powered ransomware tooling, even if some of it is still early-stage or proof-of-concept.

So the question is no longer just “Do you have backups?”

It is:

  • Can you recover if your backup server is compromised?
  • Can you recover if your identities are compromised?
  • Can you recover if the attacker steals data instead of encrypting it?
  • Can you recover into a clean environment you can trust?
  • Can you prove the data you are recovering is actually clean?

As before, this is not a one-size-fits-all best practice guide. Every environment is different. But the layered thinking is still sound, and arguably more important now than it was in 2020.

What has changed since 2020?

In 2020, the big concern was ransomware deleting backup files and then encrypting production data. In 2026, that still happens, but the attack surface is wider.

A few modern realities stand out:

1. Data extortion can matter more than encryption

Some groups now focus heavily on stealing data and extorting the victim without necessarily bothering to encrypt everything. If your recovery plan assumes the only problem is encrypted files, you are planning for yesterday’s incident.

2. AI lowers the bar for attackers

AI has lowered the skill threshold for developing malware and running sophisticated campaigns. We have already seen cases where AI was used to help create ransomware variants with anti-recovery and evasion capabilities, and other cases where agentic tooling was used to automate reconnaissance, credential theft, data analysis, and ransom demand creation.

3. Identity is now part of the recovery problem

If an attacker owns your admin identities, your backup console, vault policies, SaaS apps, and even your AI tools may all be in scope. IBM noted that over 300,000 ChatGPT credentials were exposed in 2025, underlining that AI platforms themselves are now part of the enterprise attack surface.

4. The time to respond is shorter

IBM’s 2026 X-Force Threat Intelligence Index reported that vulnerability exploitation became the leading cause of attacks in 2025, accounting for 40% of incidents observed by X-Force. That means the window between exposure and impact is shrinking. Recovery planning must assume you may have less time than you think.

What is still relevant?

Quite a lot, actually.

One of the clearest examples is Veeam’s long-standing 3-2-1 guidance, which has matured into 3-2-1-1-0.

In simple terms, that means:

  • 3 copies of data
  • 2 different media types
  • 1 offsite copy
  • 1 copy that is immutable or offline
  • 0 backup errors, verified by testing and health checks

That evolution matters because modern attacks do not just target production data; they target backup chains, management planes, credentials, and recovery confidence. The extra “1” is about making sure at least one recovery copy cannot be tampered with easily, and the “0” is about proving the data is recoverable before you need it.

[Image: 3-2-1 to 3-2-1-1-0 evolution diagram]

Figure 1: Evolution of the classic Veeam 3-2-1 rule into 3-2-1-1-0, adding immutability or offline isolation and backup verification.

The original message of data protection in depth still works: multiple independent layers, each with its own hardening, each giving you another chance when the previous one fails.

The following points are just as relevant now as they were then:

  • Least privilege on the data itself still matters. If users and service accounts only have the access they genuinely need, the blast radius is smaller.
  • Nearline backups are still useful for fast operational recovery, but they are not enough on their own.
  • Backup repositories still need their own hardening. Keeping them off the domain, locking down firewalls, and restricting access paths remains sensible advice.
  • Offsite copies are still your insurance policy when local recovery paths fail.
  • Immutability still matters. Object lock, delayed delete, hidden recycle-bin style protections, and other controls that stop immediate deletion are more important than ever.
  • Air-gapped copies are still one of the last lines of defence because offline media cannot be remotely encrypted or deleted.
  • SAN snapshots are still not backups, but they may still save your bacon in the right scenario.
  • A backup is still only as good as the last time it was tested.

Before getting into the modern recovery layers, Figure 2 below shows what a more resilient recovery stack looks like in practice.

[Image: modern cyber-resilient recovery stack diagram]

Figure 2: A modern cyber-resilient recovery stack, showing how production, nearline, immutable offsite, air-gapped, and clean-room recovery layers work together against ransomware, identity compromise, exfiltration, and AI-assisted attacks.

Data protection in depth for today’s threats

If I were refreshing the original model for 2026, I would describe the stack like this, working from the inside out.

[Image: Data Protection in Depth 2026 diagram]

Figure 3: Data Protection in Depth 2026

1. Data and identity

In 2020, I started with the data. I would still do that, but today I would place identity right next to it.

If attackers can phish a user, escalate privileges, and reach your control plane, they do not need to smash every server in sight. They can simply use legitimate paths faster than your team can react.

So start with:

  • least privilege for users, admins, and service accounts
  • separate admin tiers
  • phishing-resistant MFA where possible
  • tight controls around backup admin accounts
  • separate authentication paths for your most critical recovery services and copies

The basic principle is simple: do not let the compromise of production identity automatically mean the compromise of recovery identity.

2. Nearline backups

You still need something quick to recover from for day-to-day operational issues: deleted files, accidental changes, routine restores, and common outages.

But nearline backup should now be treated as a convenience layer, not the final safety net.

Assume an attacker will try to:

  • enumerate the backup environment
  • disable services
  • delete jobs or restore points
  • target known backup processes
  • use stolen admin credentials rather than brute force anything

That means your nearline platform needs hardening, monitoring, and separation from general-purpose admin access.

3. Offsite immutable copies

This was important in 2020, and it is non-negotiable now.

You want at least one copy that is off your main blast radius, uses separate trust boundaries, and cannot be immediately altered or purged by the same credentials used to manage production.

This can take different forms, but the principles are the same:

  • separate authentication
  • immutability or delayed deletion
  • limited admin surface
  • no casual visibility from the primary backup platform
  • clear retention policies aligned to your recovery objectives

4. Air gap or true isolation

Air gap still matters.

Tape is not fashionable, but “offline” is still a very compelling security feature. If you do not use tape, the broader lesson still applies: keep at least one recovery path genuinely isolated from day-to-day administrative reach.

The more agentic and automated attacks become, the more valuable true isolation becomes.

5. Clean-room recovery

This is one of the areas I would add most strongly today.

Fast recovery is no longer enough. Clean recovery matters more.

If data has been encrypted, tampered with, or quietly staged for extortion, the real challenge is not just powering systems back on. It is recovering into an isolated environment, verifying what is clean, and only then promoting data or workloads back to production.

That means having a clean-room style recovery option with strict network isolation and controlled validation steps, not just a restore button.

6. Recovery documentation and out-of-band essentials

One thing many teams still underestimate is how messy recovery becomes when trust in the environment is gone.

You need core recovery information stored out of band: credentials, contact trees, key procedures, configuration details, validation steps, and evidence you can trust. Internally, I think of this as a digital jump bag: immutable, separately authenticated, audited, and versioned so you can rely on it when everything else is suspect.

If your recovery plan lives only inside the environment that has just been compromised, that is not much of a recovery plan.
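As an added example (not code from the original post or from any vendor's tooling), here is one way to turn "can I trust the copy and prove it is clean" into a concrete check in the clean room: a manifest of per-file SHA-256 digests sealed with an HMAC under a key that lives only in the out-of-band jump bag, compared against the restored tree before anything is promoted to production. The key value, manifest layout and sample files are constructed assumptions for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed example (not from the original post). The sealed manifest stands in for
# the out-of-band "digital jump bag": per-file SHA-256 digests plus an HMAC under a key
# that never lives in the production environment. Layout and key are assumptions.
JUMP_BAG_KEY = b"placeholder-key-held-out-of-band"


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def seal_manifest(digests, key):
    """Seal the digest listing with an HMAC so the manifest itself can be trusted later."""
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_restore(root, manifest, key):
    """Check a restored tree against the manifest. Returns (clean, list of findings)."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(manifest["mac"], expected):
        return False, ["manifest MAC mismatch: do not trust this manifest"]
    current, known = hash_tree(root), manifest["files"]
    findings = [f"missing: {p}" for p in known if p not in current]
    findings += [f"modified: {p}" for p in known if p in current and current[p] != known[p]]
    findings += [f"unexpected: {p}" for p in current if p not in known]
    return not findings, findings


def demo():
    """Seal a constructed backup, then verify a clean restore and a tampered one."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "payroll.csv").write_text("id,amount\n1,100\n")
        manifest = seal_manifest(hash_tree(root), JUMP_BAG_KEY)
        clean = verify_restore(root, manifest, JUMP_BAG_KEY)
        # Simulated tampering during the incident: a changed record and a planted file.
        Path(root, "payroll.csv").write_text("id,amount\n1,999999\n")
        Path(root, "README.txt").write_text("planted")
        tampered = verify_restore(root, manifest, JUMP_BAG_KEY)
    return clean, tampered
```

The MAC check runs first so that a manifest edited by the attacker is rejected outright rather than silently "matching" the tampered data.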

The practical takeaway

If I had to boil this down, my 2026 view is this:

  • Do not rely on a single vendor, a single copy, a single trust boundary, or a single management plane.
  • Build layers.
  • Harden each layer.
  • Assume attackers will target the data, the backups, the identities, and the people operating the platform.
  • Assume they may steal data rather than encrypt it.
  • Assume AI will help them move faster than before.

Then design recovery around three questions:

  1. Do I still have a copy?
  2. Can I trust the copy?
  3. Can I restore it somewhere safe and prove it is clean?

If the answer to those three questions is yes, you are in a much better place than most.

Conclusion

The original idea of data protection in depth still stands. In fact, I would argue it has aged rather well.

What has changed is that the modern threat is no longer just ransomware in the traditional sense. It is identity compromise, data theft, extortion, automation, and increasingly AI-assisted attack chains.

So yes, nearline backups, offsite copies, air-gapped media, hardened repositories, snapshots, and regular testing are all still relevant.

But in 2026, I would add four more priorities to the list:

  • separate identity for recovery
  • immutable offsite copies
  • isolated clean-room recovery
  • evidence that the recovered data is clean

Because these days, it is not just about recovering quickly.

It is about recovering safely, cleanly, and with confidence.
