{"id":29548,"date":"2026-04-02T07:36:52","date_gmt":"2026-04-02T06:36:52","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=29548"},"modified":"2026-04-02T07:36:55","modified_gmt":"2026-04-02T06:36:55","slug":"backups-the-last-line-of-defense-against-ransomware-part-1","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/04\/backups-the-last-line-of-defense-against-ransomware-part-1\/","title":{"rendered":"Backups : The Last Line of\u00a0Defense\u00a0Against Ransomware\u00a0– Part 1\u00a0"},"content":{"rendered":"\n

In 2025, ransomware attacks remained a persistent threat and increasingly targeted backup systems (21% of attacks targeted backups in 2021, compared with 90% in 2025 [<\/span>1] <\/span>). Protecting backups, now also subject to strengthened regulatory requirements such as NIS 2, has therefore become a top priority in addressing this threat.<\/span> <\/span><\/p>\n

This article presents four complementary approaches to strengthening end-to-end backup security:<\/span> <\/span><\/p>\n

    \n
  1. Continuously ensuring the availability of usable backups <\/strong><\/li>\n
  2. Strengthening the security of the backup infrastructure against attacker takeover <\/strong><\/li>\n
  3. Protecting backups against logical destruction <\/strong><\/li>\n
  4. Identifying residual risks in light of the measures implemented <\/strong><\/li>\n<\/ol>\n

     <\/p>\n

    This article is published in two parts: the first focuses on approaches 1 and 2, followed by a second publication covering approaches 3 and 4.<\/span> <\/span><\/p>\n

    The recommendations presented do not replace those set out in ANSSI guidelines, which define the fundamental principles of backup [<\/span>2]<\/span> practices.<\/span> <\/span><\/p>\n

    \"Renforcer<\/span><\/p>\n

    Figure 1: Strengthening Backup Security Through Four Approaches <\/em><\/p>\n

     <\/span><\/p>\n

    1. Continuously ensuring the availability of usable backups<\/span><\/b> <\/span><\/h1>\n

    To guarantee the availability of usable backups, it is essential to apply fundamental best practices.<\/span> <\/span><\/p>\n

     <\/span><\/p>\n

    Ensuring backup completeness and consistency<\/span><\/b> <\/span><\/h2>\n

     <\/p>\n

    In the context of a ransomware attack, the primary objective of backups is to provide a reliable data source enabling the reconstruction of the information system. Backups are truly effective only if they contain all the elements required for full recovery. This notably includes businesscritical data, configurations of business applications and systems, installation sources, as well as critical operational data such as password vaults, licenses, and operational documentation.<\/span> <\/span><\/p>\n

    Backup completeness alone is not sufficient. The need for data consistency points across backups originating from different sources (e.g., a document management system (DMS) database and its associated files) must also be taken into account. Conducting a preliminary analysis helps facilitate data resynchronization across different repositories during the recovery phase.<\/span> <\/span><\/p>\n

    In addition, it is necessary to maintain backups of the infrastructure itself to enable identical reconstruction. These backups must include the backup catalog, software installation sources, encryption keys, and all other required secrets. A copy of configuration parameters should be stored in a separate location, such as an offline environment, distinct from the primary infrastructure, in order to limit the risk of a shared compromise.<\/span> <\/span><\/p>\n

     <\/p>\n

    According to the Cyber Benchmark conducted by Wavestone across more than 170 assessed organizations, approximately <\/span><\/i>90%<\/span><\/i><\/b> of the organizations observed perform regular data backups.<\/span><\/i> 
    Among organizations that perform regular backups:<\/span><\/i> <\/span><\/p>\n