
Your backup strategy is outdated: Here’s what leaders must change in 2026

Backup plans used to feel like a safety net. If the worst happened, at least the data could be restored. But the past two years have shaken that sense of security.


For over a decade, ransomware has shaped how organisations manage cyber-risk. Recovery plans once relied on backups to restore encrypted data. This approach is now outdated, as some attackers deploy destructive malware that erases systems entirely, making recovery impossible even with backups.

 

Wiper malware, previously limited to geopolitical conflicts, is now a mainstream threat. In June 2025, researchers identified PathWiper, a destructive strain used against a Ukrainian critical-infrastructure operator. Infosecurity Magazine reported the malware’s sole purpose was “irreversible data destruction,” with no ransom demand.

This increase in attacks reflects a broader trend. The Sandworm group, associated with NotPetya, intensified its destructive activities in 2025. SecurityWeek reports Sandworm used wipers such as ZEROLOT and Sting against Ukrainian government, logistics, energy, and grain-sector organisations. In 2025, Sandworm launched about 20 wiper campaigns, underscoring the growing frequency and scale of these attacks.

One attack targeted Ukraine’s grain industry, erasing data from agricultural systems essential to national exports. Recorded Future’s The Record described these as deliberate efforts to “cripple civilian economic infrastructure.”

These cases demonstrate that destructive attacks are now frequent and deliberate, aiming to disrupt operations rather than seek financial gain. If attackers access your backups, the data is permanently lost. Wipers often target snapshots, cloud archives, and networked backups, so many organisations can no longer depend on backups as their last line of defence.

 

To maintain resilience, organisations must prepare for the possibility of total data loss. This requires using backups that cannot be altered or deleted, such as write-once-read-many (WORM) repositories, air-gapped vaults, or cloud tools such as AWS Backup Vault Lock or Azure immutable storage. These solutions prevent anyone, including administrators or attackers, from modifying or deleting backup data.

 

Begin implementation with a phased approach: first, assess current backup structures for vulnerabilities; second, select immutable backup solutions suited to your needs. Start deployment with critical systems and expand gradually. Testing is essential.

 

Regular tabletop exercises or live tests ensure immutability measures are effective and accessible during emergencies. By turning storage recommendations into actionable steps, organisations strengthen their defences. Consider attempting to delete a "protected" backup as a practical test to confirm your resilience measures work in practice.
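For the assessment step, the check below separates vaults that are truly immutable from those that only look protected. It is an added example, not code from the original article: the vault records are constructed in the shape AWS Backup returns from ListBackupVaults, and the 30-day retention policy, vault names and dates are assumptions.

```python
from datetime import datetime, timezone

UTC = timezone.utc
# Constructed sample data shaped like the BackupVaultList entries returned by
# the AWS Backup ListBackupVaults API. Vault names and dates are made up.
SAMPLE_VAULTS = [
    {"BackupVaultName": "prod-db", "Locked": True, "MinRetentionDays": 35,
     "LockDate": datetime(2025, 3, 1, tzinfo=UTC)},
    {"BackupVaultName": "prod-files", "Locked": True, "MinRetentionDays": 35,
     "LockDate": datetime(2026, 2, 1, tzinfo=UTC)},
    {"BackupVaultName": "hr", "Locked": True, "MinRetentionDays": 7,
     "LockDate": datetime(2025, 1, 1, tzinfo=UTC)},
    {"BackupVaultName": "erp", "Locked": True, "MinRetentionDays": 35},
    {"BackupVaultName": "legacy", "Locked": False},
]


def classify_vault(vault, now, required_days=30):
    """Classify one vault by what stolen administrator credentials could undo."""
    if not vault.get("Locked"):
        return "unlocked"         # no Vault Lock at all
    lock_date = vault.get("LockDate")
    if lock_date is None:
        return "governance"       # lock can be removed by a privileged principal
    if now < lock_date:
        return "cooling-off"      # compliance lock not yet in force, still removable
    if vault.get("MinRetentionDays", 0) < required_days:
        return "short-retention"  # immutable, but enforced retention is below policy
    return "immutable"


def audit(vaults, now, required_days=30):
    """Return ({vault name: state}, sorted names of vaults that need action)."""
    states = {v["BackupVaultName"]: classify_vault(v, now, required_days)
              for v in vaults}
    gaps = sorted(name for name, state in states.items() if state != "immutable")
    return states, gaps


if __name__ == "__main__":
    states, gaps = audit(SAMPLE_VAULTS, datetime(2026, 1, 15, tzinfo=UTC))
    for name, state in states.items():
        print(f"{name:12}{state}")
    print("needs action:", ", ".join(gaps))
```

Only a vault reported as `immutable` should be expected to survive the deletion test; the other states describe locks that an administrator account can still weaken or remove.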

 

Detection methods must also advance. Behaviour-based endpoint detection and response (EDR) tools that identify destructive actions, such as mass overwrites or unauthorised backup access, offer strong protection against early-stage wiper attacks. Integrity monitoring and storage anomaly detection can reveal unusual deletions or tampering before damage spreads.
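A minimal sketch of the two behaviours named above, mass overwrites and unauthorised backup access, run over file-activity events. It is an added example, not from the original article or any EDR product: the event format, backup paths, allowlisted process, window and threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

DESTRUCTIVE = {"overwrite", "delete"}
BACKUP_PREFIXES = ("/mnt/backup/", "/var/snapshots/")  # assumed backup locations
BACKUP_ALLOWLIST = {"backup-agent"}                    # assumed legitimate writer

# Constructed file-activity telemetry: (seconds, process, operation, path).
SAMPLE_EVENTS = (
    [(t, "editor", "overwrite", "/home/a/report.docx") for t in range(0, 12, 2)]
    + [(5, "backup-agent", "delete", "/mnt/backup/2025-12-01.tar")]
    + [(60 * i, "logrotate", "delete", f"/var/log/app.{i}.gz") for i in range(1, 6)]
    + [(400 + i, "svc-update", "overwrite", f"/srv/data/f{i}.db") for i in range(6)]
    + [(406, "svc-update", "delete", "/var/snapshots/daily.snap")]
)


def detect(events, window=10, threshold=5):
    """Return (time, process, rule) alerts, at most one per process and rule."""
    recent = defaultdict(deque)  # process -> (time, path) of recent destructive ops
    alerts, fired = [], set()

    def raise_once(ts, proc, rule):
        if (proc, rule) not in fired:
            fired.add((proc, rule))
            alerts.append((ts, proc, rule))

    for ts, proc, op, path in sorted(events):
        if op not in DESTRUCTIVE:
            continue
        # Rule 1: destructive operation on backup storage by an unexpected process.
        if path.startswith(BACKUP_PREFIXES) and proc not in BACKUP_ALLOWLIST:
            raise_once(ts, proc, "backup-tamper")
        # Rule 2: many distinct files destroyed by one process inside the window.
        q = recent[proc]
        q.append((ts, path))
        while ts - q[0][0] > window:
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            raise_once(ts, proc, "mass-destruction")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct paths rather than raw operations keeps an editor that repeatedly saves one file, or a slow log rotation, from tripping the mass-destruction rule.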

 

To integrate these methods, organisations should first assess existing security protocols for gaps, then align EDR tools with current platforms for compatibility. Training security teams on these tools is essential for effective adoption. Finally, establish a clear incident response plan that leverages these detection capabilities to help leaders assess feasibility and resource needs.

 

Resilience extends beyond technology. After NotPetya, the limitations of insurance for destructive incidents became evident. In the Mondelez vs. Zurich case, Zurich denied a major claim, citing NotPetya as a “warlike action.” An analysis by the Université de Genève indicates that many policies exclude the destructive, state-linked attacks that are now prevalent.

Organisations unable to obtain traditional insurance can consider parametric insurance, captive insurance, or business-interruption policies that specifically cover destructive malware and nation-state attacks. When evaluating alternatives, assess coverage scope, insurer financial stability, and policy exclusions related to cyber-attacks. Also, review claim process efficiency and the insurer’s experience with cyber claims. These criteria enable leaders to make informed risk transfer decisions.

 

The implications are clear: destructive attacks undermine the core principles of modern cyber-resilience. Backups alone are no longer sufficient. True resilience requires multiple defence layers, immutable storage, strict access controls, early behaviour detection, and insurance aligned with state-linked destructive threats. To put these insights into practice, schedule a "destructive-attack drill" this quarter. This proactive step can significantly improve your organisation’s preparedness, ensuring lessons are learned before data and systems are compromised.

 

To secure board support, emphasise the business impact of these risks, showing how they threaten reputation, operational continuity, and financial stability. Present these improvements as strategic investments in the company’s future. Use case studies and data to illustrate both effective mitigation and costly oversights in similar organisations. Recommend forming a cyber-resilience committee at the board level to oversee strategy and resource allocation, ensuring cyber-security remains a governance priority.

 


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543