Backups Only Matter When They Survive Attack
By: Marc Schwartz, President of Ozone IT Services
Most companies say they have backup coverage. Far fewer can prove they can recover quickly, cleanly, and completely when it matters. That distinction is not academic. IBM says the global average cost of a data breach was $4.44 million for the March 2024–February 2025 period. IBM also notes that cyber insurance can help lessen the financial impact of breaches, but it is not a substitute for resilience.
That is why backup strategies should be treated as a business continuity discipline, not a routine IT task. Veeam’s product messaging is direct: “Backups are your last line of defense.” In the same 2025 research set, Veeam reports that 69% of organizations experienced at least one malware incident in the past year, 89% saw backup repositories targeted during those incidents, and only 32% were using immutable repositories or services before restoring.
Those numbers should change how leaders think about MSPs, internal IT teams, and specialist backup vendors. The issue is not simply whether backups exist. The issue is whether someone is actively owning backup integrity, patching, immutability, restore testing, and recovery readiness every day. Veeam’s own 2026 guidance says traditional backups recover data but do not detect active threats, which is exactly why backup and security cannot be treated as separate silos.
CISA says it even more plainly: “Perform and test backups.” Its guidance also emphasizes that organizations should validate backup integrity before restoration and test backup procedures, so critical data can be rapidly restored after ransomware or a destructive cyberattack.
That is the heart of the decision for modern businesses. An IT services MSP may work for you. In-house staff may be enough. A dedicated backup specialist may be fine. But whichever model you choose, it must come with clear accountability, routine verification, current software versions, hardened storage, and documented restore testing. If the work is not being checked, the backups are not a safeguard; they are an assumption.
Cybersecurity leaders have spent years warning that recovery is part of defense. The companies that understand this do not ask, “Do we have backups?” They ask, “Can we restore business operations on demand, under pressure, without making the breach worse?”
That is the real security test. Contact Us
Take Action
Start with an assessment. Ask your team and your MSP: when was your last successful restore of ERP/OT? Who validated it independently?
If you can’t answer confidently, schedule an independent recovery readiness assessment now—test one workload this quarter and quantify your real recovery time and data loss exposure.
Chris Mackin is Vice President of Sales at Ozone IT Services with more than 25 years of experience designing and delivering cybersecurity and IT solutions that help organizations reduce risk, protect revenue, and operate with confidence. He is a trusted advisor to business and technology leaders, known for aligning Backup as a Service (BaaS), Patching as a Service (PaaS), and security infrastructure strategies to real-world operational and financial goals.
