Hard copy files might seem like relics of the past, with digitalisation shifting documentation away from print. However, digital data loss can happen in an instant — whether due to human error, hardware failure, or cyberattacks. Many individuals and organisations still fail to implement regular backup routines, and accidental data loss remains a common issue. While backups help mitigate these risks, they have increasingly become prime targets for cybercriminals seeking to destroy or encrypt them for ransom.
Backups are essential, but they are not a cybersecurity strategy on their own. Cyberthreats continue to evolve, and attackers are increasingly seeking to compromise backups, leaving organisations without a safety net. Backups themselves remain vulnerable to cyberattacks, which is why a properly implemented cybersecurity strategy is needed to keep them safe. It is a timely reminder that backup systems require proactive protection, and that backups alone simply aren’t enough.
The rising threat to backups
Cybercriminals are adapting, and backups are now high-value targets. A staggering 94% of companies hit by ransomware in 2024 reported attempted backup compromises, according to Sophos’ “The Impact of Compromised Backups on Ransomware Outcomes” report, released in March 2024. Across all industries, 57% of these attempts were successful, allowing attackers to disrupt recovery efforts and increase ransom demands.
Success rates varied by sector, with energy, oil/gas, and utilities (79%), and education (71%) experiencing the highest rates of backup compromise. Meanwhile, IT/technology and telecoms (30%), and retail (47%) saw comparatively lower success rates.
A prime example is the ransomware attack on Japanese media conglomerate Kadokawa Corp by BlackSuit, which resulted in 1.5 TB of stolen data, including user information and business partner details. With over 250,000 users and a significant stock decline, the incident underscores how backup compromises can lead to severe financial and reputational damage.
Insider threats and compromised credentials pose significant risks to backups, providing attackers with direct access to critical data. Malicious insiders or external threat actors using stolen credentials can bypass security measures, manipulate or delete backups, and render recovery impossible. This is particularly concerning in ransomware attacks, where victims are twice as likely to pay the ransom if their backups are compromised.
Improving access controls, implementing multi-factor authentication (MFA), and using privileged access management (PAM) tools are commonly recommended steps to reduce the risk of insider threats and credential-based cyberattacks targeting backup systems.
The role of privileged access management in backup security
Privileged access management (PAM) helps protect backup environments by limiting access to those with specific, approved credentials. By enforcing stricter controls over who can interact with backup systems, PAM tools can reduce the likelihood of attackers exploiting stolen credentials to delete, alter, or encrypt backups — tactics commonly used in ransomware incidents.
Several practices associated with PAM can enhance backup protection, including:
- Zero-trust enforcement: Verifying all users and devices before granting access.
- Session monitoring and audit logs: Identifying suspicious activity in real time.
- MFA requirements for backup access: Preventing unauthorised logins even if credentials are compromised.
These steps may strengthen an organisation’s ability to maintain control over its backup systems and respond to potential threats more quickly.
Best practices for securing backups with PAM
Reducing risk in backup environments begins with enforcing least-privilege access — allowing backup permissions only to those who require them. Limiting administrative control narrows the potential attack surface and lowers the likelihood of insider threats. Securing privileged credentials through password vaulting and regular rotation helps prevent attackers from exploiting weak or static credentials to breach backup systems.
Continuous monitoring and auditing of backup access can provide visibility into unauthorised activity, helping organisations detect and respond to potential threats in a timely manner. A multilayered authentication approach — combining MFA, password-less access, and device security checks — adds further safeguards.
To enhance security posture, organisations may also consider aligning access management with their broader disaster recovery and incident response plans. Integrating PAM tools with security information and event management (SIEM) platforms can offer greater insight into access patterns and support proactive risk mitigation efforts.
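As an added illustration (not code from the original article or from any PAM product), the sketch below audits backup access events against three of the controls described above: an approved-identity list, least-privilege permissions per identity, and MFA on destructive actions. The log format, field names, account names and action names are all assumptions constructed for the example.

```python
import json

# Constructed sample audit events (JSON lines). Field names are assumptions
# for this example, not the schema of any real backup or PAM product.
SAMPLE_LOG = """\
{"ts": "2024-03-04T02:00:00Z", "user": "svc-backup", "action": "create_snapshot", "mfa": false}
{"ts": "2024-03-04T09:15:00Z", "user": "alice.admin", "action": "delete_snapshot", "mfa": true}
{"ts": "2024-03-04T23:41:00Z", "user": "bob.ops", "action": "delete_snapshot", "mfa": false}
{"ts": "2024-03-04T23:43:00Z", "user": "alice.admin", "action": "change_retention", "mfa": false}
{"ts": "2024-03-04T23:50:00Z", "user": "tmp-contractor", "action": "read_catalog", "mfa": true}
{"ts": "2024-03-04T23:55:00Z", "user": "bob.ops", "action":
"""

# Least-privilege policy: each approved identity and the actions it may perform.
APPROVED = {
    "svc-backup": {"create_snapshot", "read_catalog"},
    "bob.ops": {"read_catalog"},
    "alice.admin": {"create_snapshot", "read_catalog",
                    "delete_snapshot", "change_retention"},
}
# Actions that can destroy or shorten the life of backups must carry MFA.
DESTRUCTIVE = {"delete_snapshot", "change_retention"}

def audit(log_text, approved=APPROVED):
    """Return (line_number, finding, detail) tuples for policy violations."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            if not isinstance(ev, dict):
                raise ValueError("event is not a JSON object")
        except ValueError:
            # A truncated or tampered record is itself worth an alert.
            findings.append((n, "unparseable", line[:40]))
            continue
        user, action = ev.get("user"), ev.get("action")
        allowed = approved.get(user)
        if allowed is None:
            findings.append((n, "unapproved_identity", user))
        elif action not in allowed:
            findings.append((n, "exceeds_least_privilege", f"{user}:{action}"))
        if action in DESTRUCTIVE and ev.get("mfa") is not True:
            findings.append((n, "destructive_without_mfa", f"{user}:{action}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Findings of this kind are what would be forwarded to a SIEM for correlation with other access patterns.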
Back up the backups
Routine backup reminders highlight the need not just to store data, but to protect access to it. In an environment where attackers are increasingly targeting backup infrastructure, access management plays a growing role in helping organisations avoid operational disruption.
Organisations should take proactive steps to secure their backups by enforcing least-privilege access, implementing MFA, continuously monitoring activity, and integrating PAM into their disaster recovery plans. By doing so, businesses protect their critical data, ensuring that backups remain a reliable lifeline against cyberthreats.
Commit to not just backing up — but locking down access to the most valuable digital assets.