The uncomfortable truth from IDC's research: When ransomware strikes, most organizations have no idea if their backups are clean, compromised, or even there at all.
I sat down with Johnny Yu, Research Manager at IDC, to dig into data that should keep every CISO and IT leader awake at night. What he shared validated something we've been saying for months: the gap between having backups and actually recovering from an attack is wider than anyone wants to admit.
And the numbers prove it.
Half of All Organizations Watch Their Last Line of Defense Crumble
Let's start with the stat that made me pause the recording. IDC's Future Enterprise Resiliency & Spending Survey Wave 11 found that organizations hit by ransomware suffered from the following backup shortcomings:
25% didn't have backup or disaster recovery at all
25% had backups that weren't attacked (lucky, not good)
20% had backups targeted, but attackers failed to compromise them
30% had their backups successfully attacked and deleted
Read that last line again. Nearly one-third of ransomware victims lost their insurance policy when they needed it most.
"The whole point of backups is to be like that insurance policy, not just against natural disasters, but against hackers, against malware," Yu told me. "And it was attacked, and it was successfully deleted. So there's no fallback in most of these cases. Your only out is to pay the ransom."
That’s a pretty bad outcome.
The Double Extortion Trap: When Recovery Isn't Enough
But here's where it gets worse.
Even organizations with intact backups face a brutal reality: two-thirds of ransomware victims experience data exfiltration. Half of those see sensitive, valuable data stolen [2].
This is the double extortion playbook. Encrypt the data, steal a copy, then offer victims a choice: pay to decrypt, or pay to prevent your customer data from appearing on the dark web. Or both.
The problem? Most organizations are playing a coin flip. They don't know what was stolen until it's too late. They can't assess the sensitivity of exfiltrated data. They're negotiating blind.
"If you don't have any sort of intelligence on your data, if you don't know what got stolen, then you're basically in a coin flip situation," Yu explained. "Are you really going to go for that coin flip scenario or wouldn't it be better to know what you have so you know what’s been stolen?"
The Ransom Payment Paradox
Here's the part that surprised me most: among organizations that experienced ransomware, 86% of those who paid a ransom saw it work [1]. Not an endorsement, but a reflection of an uncomfortable truth: ransomware is a business and bad actors have customer service incentives.
But speed? That's another story entirely.
Forty percent of organizations were down for multiple days. Another 40% suffered more than a week of downtime [2]. The decryption tools ransomware operators provide aren't exactly optimized. Some organizations paid the ransom and still found it faster to restore from backup.
Think about that math. You paid. You still lost days. Your attackers got their payday and you got... a slightly less catastrophic outcome.
That’s the paradox: you don’t get what you pay for.
Why Traditional Recovery Fails Under Pressure
This is where the webinar got real. When an attack hits, organizations using traditional backup strategies face a gauntlet:
Scope the attack: Which systems were touched? How bad is the damage?
Find patient zero: When did the breach start? Days ago? Weeks? Months?
Identify clean backups: Out of thousands of restore points, which ones can you trust?
Rehydrate and scan: Mount each backup, scan it, find malware, repeat
Assess data exposure: What sensitive information leaked? What do you need to report?
Only after all of that can you start restoring.
"If you're stepping in after detonation, you're already way too late to fix a lot of those problems," Johnny noted. "Recovery is definitely going to take longer. It's going to be a lot more stressful because you're still doing this while things aren't working. Your business overall is losing money over that period of time."
Three Pillars That Actually Matter
This is the insight that changes everything. The fastest cyber recovery time objectives aren't achieved during an attack. They're built beforehand.
What if your platform has been continuously analyzing every backup as it's created? Identifying anomalies. Scanning for threats. Classifying sensitive data. Flagging clean restore points. Building all the answers you'll need before you need to ask the questions.
That's the architectural difference between reactive and proactive recovery, between days of downtime and hours, and between paying ransoms and restoring with confidence.
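To make the difference between the reactive gauntlet above (scope, find patient zero, rehydrate and scan) and proactive analysis concrete, here is an added illustration that is not part of the original post or any vendor's product: each restore point is tagged clean or suspect at creation time from constructed per-snapshot metrics, so that at recovery time the last trusted restore point and the likely patient-zero snapshot are already known. The metric names, thresholds and sample values are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed per-snapshot metrics of the kind a backup platform could record
# as each restore point is written (sample values, not real data).
@dataclass(frozen=True)
class RestorePoint:
    snapshot_id: str
    files_changed: int
    high_entropy_share: float   # 0..1: changed files that look like ciphertext
    renamed_share: float        # 0..1: changed files whose extension changed

def baseline_change_rate(clean_points, window):
    """Median change volume over the trailing window of already-clean points."""
    vals = sorted(p.files_changed for p in clean_points[-window:])
    return vals[len(vals) // 2] if vals else 0

def is_anomalous(point, baseline):
    """Hypothetical rule: a change-volume spike AND encryption-like signals."""
    spike = baseline > 0 and point.files_changed > 5 * baseline
    looks_encrypted = point.high_entropy_share > 0.5 or point.renamed_share > 0.3
    return spike and looks_encrypted

def classify(points, window=7):
    """Tag snapshots in creation order; once a patient-zero snapshot is found,
    every later one is 'suspect' until investigated. Returns
    (patient_zero_id, last_clean_id, {snapshot_id: tag})."""
    tags, clean_history = {}, []
    patient_zero = last_clean = None
    for p in points:
        baseline = baseline_change_rate(clean_history, window)
        if patient_zero is None and not is_anomalous(p, baseline):
            tags[p.snapshot_id] = "clean"
            clean_history.append(p)
            last_clean = p.snapshot_id
        else:
            tags[p.snapshot_id] = "suspect"
            patient_zero = patient_zero or p.snapshot_id
    return patient_zero, last_clean, tags

# Constructed sample: five normal days, then an encryption burst, then a lull.
SAMPLE = [
    RestorePoint("snap-01", 1200, 0.02, 0.01),
    RestorePoint("snap-02", 1350, 0.03, 0.01),
    RestorePoint("snap-03", 1100, 0.02, 0.00),
    RestorePoint("snap-04", 1500, 0.04, 0.02),
    RestorePoint("snap-05", 1250, 0.02, 0.01),
    RestorePoint("snap-06", 9800, 0.81, 0.62),   # constructed encryption burst
    RestorePoint("snap-07", 400, 0.10, 0.05),
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

With tags computed at write time, recovery becomes a lookup of `last_clean` rather than mounting and scanning thousands of restore points after detonation.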
"The stopwatch doesn't start once the attack happens," Yu said in the session. "You should already be doing this work proactively ahead of time. The bad guys are spending a lot of time and effort in the lead-up to the attack. We need to be putting that same level of effort and preparation, assuming things will go bad."
Johnny broke down what organizations need into three non-negotiable pillars:
1. Absolute data survival (traditional backup handles this)
2. Guaranteed data integrity (can you trust what you're restoring?)
3. Rapid recovery (how fast can you get back online?)
Most organizations nail pillar one. Pillars two and three are where the gaps live. That's where organizations find themselves paying ransoms they could have avoided, suffering downtime they could have prevented, and reporting breaches they could have contained.
What Best Practices Actually Mean in Practice
The frustrating part of IDC's research is that many of the vulnerabilities that enable successful attacks against backups are completely addressable with known best practices:
39% didn't have air-gapped backups
28% lacked encryption for backup data
22% had no immutable backups [2]
"These aren't new technologies," Johnny emphasized. "It's just so surprising that these common vulnerabilities not only can be addressed, but it's like we've had this technology for a long time."
But technology alone isn't enough. Zero trust principles, immutability, encryption, and air gaps are the foundation. What separates resilient organizations from those that pay ransoms is having the intelligence layer built on top: anomaly detection, threat hunting, sensitive data discovery, and continuous validation.
Where the Market Is Heading
Looking ahead, Johnny sees three major shifts coming:
Service-oriented offerings filling the skills gap: "The tools are there, the skills are not," he noted. Organizations know they need cyber recovery capabilities but lack the expertise to implement and operate them effectively.
AI enablement cuts both ways: AI will enhance detection and recovery capabilities, but attackers will exploit AI systems just as aggressively.
Post-quantum cryptography preparation: What seems like a government-only concern today will become mainstream as quantum computing advances.
The Question Your Board Is Actually Asking
Here's what it comes down to. Your board isn't asking whether you'll be breached. They're asking how fast your cyber RTO is when it happens.
Breaches are inevitable; prevention will always have gaps. Attackers only need to be right once. You need to be right every single time.
Those aren't good odds.
The organizations winning this fight aren't the ones with the most security tools. They're the ones that assume breach, prepare proactively, and build recovery speed into their architecture from day one.
They're doing the work before that 3 AM call comes in. They're answering questions before anyone asks them. They're turning what would be weeks of downtime into hours.
Want to Go Deeper?
The full webinar with Johnny Yu covers significantly more ground, including:
The timeline of how attacks actually unfold in modern environments
Breakout time statistics that will change how you think about detection
The collaboration challenges between IT and security teams
Practical steps to implement proactive recovery strategies
What to expect in the next 18 months of cyber recovery evolution
Watch the full on-demand webinar here to get the complete picture and see the data visualizations that make these numbers hit even harder.
Because at the end of the day, you can't prevent the unpreventable. But you can control how fast you recover. That's not just a technical decision. It's a business survival decision.
And the clock is already ticking.
[1] Rubrik Zero Labs. The State of Data Security: A Distributed Crisis
[2] IDC. Future Enterprise Resiliency & Spending Survey Wave 11, IDC, Dec 2023