Modern resilience in hybrid IT: why backup alone is no longer enough

Today, data is the backbone of business. At the same time, it is also one of its weakest points. Data volumes are growing exponentially, companies are increasingly dependent on the availability of IT services, and hybrid IT is becoming the standard. At the same time, security incidents are increasing, regulatory pressure is growing, and the demands on business continuity are higher than ever. 

Backup is not the goal. Recovery is. 

We still see that reliable backup is not something companies can take for granted. That is why we keep emphasizing Veeam’s golden backup rule. But there is also a second common scenario. Backup is running. The backup job ends with a “completed” status, and for many companies, that is where the story ends. But during an incident, no one asks whether your data is stored “somewhere on the side.”

The real questions are: when will critical systems be running again, how much data will be lost, and whether recovery will happen safely. That is exactly where the difference lies between backup and true resilience. The modern approach is therefore shifting from data archiving to fast operational recovery. 

Hybrid IT requires a new approach

oday’s companies commonly combine on-premises infrastructure, private cloud, public cloud, and SaaS services. This brings flexibility, but also significantly greater complexity. Each environment has different SLAs, different management requirements, and different risks.

The goal is therefore clear: to have a unified backup and recovery strategy across all environments. Without it, it quickly becomes obvious that while you may have backups, you do not have a functional scenario for fast recovery. That is why companies need to move beyond simple data archiving toward protecting business continuity. 

Modern data protection

Traditional backup models usually relied on local storage, manual administration, and recovery processes that could take hours or even days. The modern approach looks different: 

• off-site backups,
• automation and monitoring,
• regular recovery testing,
• ransomware protection through immutability.

In practice, this may mean, for example, a production VMware environment, automated backups through Veeam Backup & Replication, a local NAS for smaller and faster restores, and an off-site copy in a cloud repository protected by Hardened Repository functionality or S3 object storage with the ability to enable the immutability mentioned above. Such a solution no longer protects only data. It protects the business. 

At the same time, every company should be able to answer two questions. How long can our service be unavailable? And how much data can we afford to lose?

The first answer defines RTO (Recovery Time Objective), the second defines RPO (Recovery Point Objective). Without these parameters, it is very difficult to decide what is enough to back up, what requires replication, and where a disaster recovery scenario already makes sense.

Where do companies fail most often? 

• recovery is never tested,
• all backups are stored in the same location,
• the company does not know its RPO and RTO,
• backups are not protected against ransomware,
• no one is responsible for the DR plan.

Real confidence

Having a backup does not automatically mean you can actually restore it. That is why it is important to test recovery regularly. One example is Veeam SureBackup, which can verify backup recoverability in an isolated environment without affecting production. That is a crucial difference between “we have backup” and “we have verified recovery.” 

When backup is not enough

If you want to restore the entire operation quickly, it is not enough to think only about data. You also need to address disaster recovery (DR). The difference is simple. Backup means you will not lose your data because you have copies of it. Disaster recovery ensures that after a major outage, attack, or failure, you can restore the entire IT environment and bring the company back into operation. Backup protects data. DR protects business continuity. 

That is exactly why Disaster Recovery as a Service (DRaaS) makes sense. Critical virtual machines are replicated to a DR location, and in the event of an outage, operations can be quickly started in a cloud environment. The advantage is substantial: you do not pay for your own secondary data center, only for readiness. This means that even a company without a backup site can have a scenario prepared for a fast return to operations. 

Modern strategy

If backup is meant to truly protect the business, it must be part of a broader resilience strategy. Today, that strategy should be built on several core principles. 

The first is a combination of local and cloud backup. A local copy helps with fast operational recovery, while a cloud copy provides protection in the event of a larger incident, site outage, or compromise of the primary environment. 

The second pillar is regular recovery testing. It is not enough to believe that backups exist. You need to verify that you can actually start systems from them and return them to operation. 

The third area is automation. Alerts, reports, and monitoring help detect problems early while reducing dependence on manual interventions, which often fail in crisis situations. 

Immutable and separated storage also plays an important role. If an attacker gets into production, they must not be able to compromise the backup through the same path. That is why separating backups and protecting them against deletion or encryption is so critical. 

And finally, there must be a clearly defined DR plan and responsibilities. Who decides when to activate the scenario? In what order are systems restored? How is the return to normal operation evaluated? Without clear answers to these questions, even good technology remains only half utilized. 

Conclusion

Backups remain the absolute foundation. Without them, resilience cannot even be discussed. At the same time, however, in today’s hybrid world it is no longer enough just to store data. Companies need to know how quickly they can return to operation. That is why the focus is now shifting from backup to resilience. 

It is not just about having a copy of data, but about combining technologies, processes, and people in a way that helps bring the business back to normal. We also covered why the mere existence of backups is not enough and why demonstrable recoverability is equally critical in our previous article on major European cyber incidents in 2025 and the lessons that can be drawn from them.