Without a robust backup and recovery strategy, organisations risk significant data loss, workflow disruptions, reputational damage, fines, and lawsuits in the case of a data breach or ransomware attack. Yet, many businesses are still struggling to master their data protection challenges: Nearly a third of IT professionals are currently losing sleep over their backup and recovery preparedness, according to a new Kaseya survey of over 3,000 IT professionals worldwide.
Amid a fast-changing business landscape characterised by growing cyberthreats, hybrid work and rapid cloud adoption, the survey explored how organisations are protecting their most critical digital assets. It found that just 40% of respondents felt confident in their backup systems – and many are less prepared for IT disasters than they believe.
Here are some of the key findings from the survey report, titled State of Backup and Recovery Report 2025: Navigating the Future of Data Protection, which revealed the key challenges shaping data protection strategies for organisations of all sizes.
Multi-cloud strategies dominate
In the age of hybrid IT infrastructures, having just a single backup solution is a thing of the past. Over 50% of workloads and applications are currently run in public cloud environments, with this figure expected to grow to 61% in the next 24 months. In line with this, the survey found that most businesses now use a multi-cloud strategy to enhance their backup resilience and flexibility. On average, organisations have more than three backup solutions, which only adds to the complexity of managing those diverse IT environments.
Reliance on cloud services can also create new risks. For example, nearly half of organisations backup copies to the public cloud, utilising platforms like Azure Blob. However, while nearly 90% of respondents said they use native data protection tools for Azure, many are in fact badly prepared for major disasters, as 60% of these setups lack true disaster recovery capabilities for Azure virtual machines (VMs).
Confidence in current backup systems is low
When asked about their ability to protect critical data in the event of a crisis, a third of respondents admitted to having nightmares about their backup and recovery preparedness. Another 30% worry that their organisation doesn’t have a good enough backup and recovery solution in place.
Given this level of dissatisfaction, it is not surprising that over half of respondents plan to change to a different primary backup solution in the next 12 months. However, organisations are encountering major challenges in trying to switch. Price is one of the main issues: Budget constraints and a lack of resources force businesses to compromise on the robustness of backup solutions as well as the frequency of testing or the scope of their data protection strategies.
Ease of use, disaster recovery execution and backup or disaster recovery testing were named as other top challenges when switching backup solutions.
Security is a major concern
As the volume of sensitive business data grows, robust security measures become even more critical for protecting backups and addressing any vulnerabilities. Already, businesses are working hard to protect their sensitive data, with 75% of respondents saying their organisation has policies and controls in place to secure workloads across the public cloud, endpoints, SaaS apps, and servers.
On the other hand, this means a quarter of workloads still lack essential safeguards. This gap represents a significant risk, especially as businesses continue to operate in increasingly hybrid environments.
The methods employed for securing sensitive staff and service account credentials – a critical aspect of backup system integrity – also vary widely. Nearly one-third (33%) of businesses use dedicated password managers, while 22% use document storage solutions such as SharePoint or Confluence. Relying on such solutions could introduce security risks due to limited access controls and potential vulnerabilities in these platforms.
IT documentation software is another common tool used by nearly 20% of businesses. About 15% indicated that they use personal password managers or browser-based password managers, which offer convenience but lack advanced security features – while 5% admitted they do not manage credentials at all.
Where backup copies are stored
Organisations typically leverage both cloud and on-premises solutions to store their backup copies. The public cloud dominates as a storage option, with 44% of respondents backing up data to public cloud services. Around 40% use a second site or private cloud to physically separate backup data and enhance their resilience.
Just over 30% of businesses rely on the vendor’s cloud for backup storage. While this demonstrates a high level of trust in integrated backup solutions, outages on the vendor’s end due to technical glitches, hardware or software failures could prove disastrous if there is no third-party backup solution in place. And about 30% of businesses still depend on traditional disk storage, which, while reliable, lacks the flexibility and scalability of cloud-based options.
Alarmingly, around 2% of respondents fail to store a backup copy offsite, leaving their data highly vulnerable to disasters such as fires, floods or ransomware attacks.
Backup processes are time-intensive
Many businesses face significant challenges in optimising their backup processes and are struggling with time-consuming management tasks, infrequent testing practices, and response inefficiencies. Over half of respondents said their IT teams spend more than two hours per day or more than 10 hours per week monitoring, managing, and troubleshooting backups – an issue that is exacerbated by having multiple backup tools.
At the same time, organisations fall short when it comes to testing. Only 15% of respondents said they conduct backup tests daily. Around 25% test weekly, and 24% test monthly, suggesting that most businesses operate with a level of risk that could jeopardize recovery in the event of a disaster.
Similarly, only 11% of businesses perform daily disaster recovery tests. A significant minority have much longer recovery testing cycles — 21% quarterly and 13% annually — indicating that they may not be fully prepared for unexpected downtime events. Additionally, about 12% of businesses test their recovery capabilities on an ad-hoc basis only or not at all, leaving them highly vulnerable to prolonged outages.
A lack of preparedness
Infrequent testing results in a marked lack of preparedness for downtime events, with many organisations unable to deal with them as swiftly as expected. Asked about recovery times, 60% of respondents believed they would be able to recover in under a day. However, only 35% could do so in reality when hit by an on-premises outage in the past 12 months.
As the volume of data stored in SaaS applications continues to grow, quick recovery of lost SaaS data is equally essential for minimising downtime and meeting industry regulations. However, only around 40% of respondents could recover lost SaaS data in hours, with others requiring days or weeks (35%). Even more concerning, 8% were unsure of their recovery time, and 2% didn’t believe they could recover any lost SaaS data.
Additionally, an alarming 40% of respondents believe they would need days or weeks to recover lost public cloud data, potentially leading to significant operational disruptions, while 8% do not back up their public cloud data at all.
Planning and testing is the only way forward
These findings highlight the need for a comprehensive backup and recovery strategy, which must include a solid plan for scalability and backup policies to ensure the enhanced security of backup systems. As data protection continues to become more complex and critical, businesses will have to adopt more robust tools to safeguard their data across on-premises, cloud, and SaaS platforms.
As part of this, organisations should assess and prioritise their most critical data and applications to ensure they are adequately protected and recoverable. Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) must align with business continuity plans to minimise downtime and data loss during disruptions.
The next step is to implement consistent backup policies across all on-premises, cloud, and SaaS environments. These policies should be reviewed and updated regularly to reflect changes in technology, regulations, and priorities. As data grows, it’s important to ensure that the backup strategy can evolve with changing workloads and storage needs.
To fortify backup systems, multilayered security measures with encryption and strong access controls, backed up by staff training, are vital, as is ransomware protection with immutable and air-gapped storage. Regular audits will help address any vulnerabilities in the backup infrastructure.
Finally, from human error to natural disasters to ransomware attacks, the only way to know systems are working is to test them repeatedly. Regularly – and automatically – testing backups is therefore critical to maintaining data integrity and ensuring recovery readiness during a disaster.
The findings of this report send a very clear message: Data protection requires continuous investment, innovation and vigilance. As data volumes grow and threats evolve, businesses that prioritise data protection will not only safeguard their critical assets, they will also make sure they can continue to thrive.
Frank DeBenedetto is the General Manager of GTM, MSP Suite at Kaseya
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
