By Matthew Oostveen
We have entered the era of fully automated, AI-generated ransomware that probes systems 24/7 at an unprecedented speed and scale. According to Crowdstrike’s 2026 Global Threat report, in 2025 there was an 89% increase in attacks by AI-enabled adversaries year-over-year, with the average breakout time – the time it takes an attacker to move from the initial entry point to deeper into the system – falling to just 29 minutes. This is a 65% increase in speed from 2024.
This “vibe hacking”- the use of large language models to automate and scale intrusions – has created a stark digital divide. On one side are organisations whose systems have kept pace with AI-enabled threats. On the other are those still treating backup as a legacy insurance policy rather than a strategic differentiator.
For the modern global enterprise, the conversation must evolve from simple data protection to true multi-layered cyber resilience. This integrates traditional prevention with lightning-fast recovery, ensuring that if an attack succeeds, the business recovers in minutes or hours, not days or weeks. In an age where AI agents drive real-time customer interactions, downtime is no longer just an inconvenience, it’s a board-level crisis and a threat to brand survival.
Recovery at speed and the evolution of IT architecture rules
For decades, infrastructure teams followed a strict rule: never mix backup and production data on the same hardware. Historically, this was both a physical security and a performance necessity, as backup processes would often choke the resources needed to run high-performance applications live.
In 2026, the massive throughput of high-performance flash has rendered this performance excuse obsolete. What’s more, physical separation no longer equals security. An air-gapped system that’s online, network-accessible and admin-managed is not meaningfully isolated regardless of vendor.
However, while we can technically run backup and production data on the same platform, in a world where recovery speed has become the primary risk metric, the traditional IT architecture rules have necessarily evolved into a mandate for ‘logical separation’.
True resilience following an attack requires a secure isolated recovery environment (SIRE). This means having a data set that is beyond the reach of attackers and logically disconnected from the rest of the estate, creating an environment for forensics, cleaning and high-speed recovery of the organisation’s most critical services.
Instead of asking “are production and backup on the same system?” a better question is “Is the backup environment physically isolated and write-protected against system failure?”
We must move beyond the World Backup day (March 31) to ensure this critical issue is constantly assessed throughout the year. Ransomware recovery SLAs (service level agreements) have become a new gold standard. In many regulated industries globally, the ability to restore critical services in a matter of hours is no longer a goal – it is a baseline requirement.
This shift is being accelerated by a global wave of resilience mandates. From DORA in the EU, CPS 230 in Australia and MAS’s TRM guidelines in Singapore, to the BCB’s Resolution 85 in Latin America, regulators are no longer just asking ‘how do you prevent an attack?’ but ‘how fast can you recover?’ For the modern enterprise, an outdated backup strategy isn’t just a technical risk, it’s now a major compliance failure. If your primary storage is locked down for a forensic investigation by insurers or law enforcement, you need a strategy that provides an alternative, operational environment immediately.
The writer is CTO & VP, APJ, Everpure (formerly Pure Storage)
Disclaimer: The views expressed are the author’s own and do not reflect the official policy or position of Financial Express.