Imagine a typical workday suddenly unravelling. A critical system goes down, employees are locked out, customer orders stall and phones begin ringing incessantly. Amid the chaos, someone offers reassurance: “It’s fine, we have backups.”
That reassurance, however, can be dangerously misleading.
Exabytes chief operating officer Guan Tian Lai said many organisations conflate having backups with being able to recover.
“Backups only tell you that a copy of your data exists. They do not guarantee that your business can resume operations within an acceptable time or with minimal disruption.”
A False Sense of Security
World Backup Day, marked on March 31, serves as a timely reminder for organisations to safeguard their data. But stopping at backups alone can create a false sense of security.
Guan said the more important question organisations should ask is not whether data is backed up, but whether systems, services and workflows can be restored when it matters most.
“We often see businesses assume they are prepared simply because backups are in place. In reality, disaster recovery is about restoring the entire environment — access, applications, dependencies — not just files.”
Many organisations only discover gaps in their recovery strategy when disruption strikes. Incidents can stem from human error, misconfiguration, credential compromise or service provider outages — all of which are increasingly common in Malaysia’s digital landscape.
This concern is echoed by the Malaysia Computer Emergency Response Team (MyCERT), which has reported a rise in ransomware-related incidents in early 2026, highlighting the growing sophistication of cyber threats.
Understanding What Really Matters
At its core, backup is about data storage, while disaster recovery is about business continuity.
Two key benchmarks define this capability: Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Guan stressed that these are business-driven decisions rather than purely technical considerations.
“RTO and RPO define what the business can tolerate. How long can you afford to be down? How much data can you afford to lose? Without clear answers, recovery becomes guesswork,” said Guan.
He added that organisations that fail to define or test these targets risk prolonged outages despite having backups in place.
When Backups Fall Short
In real-world incidents, failures rarely occur because backup files are missing. Instead, they arise from gaps in execution and planning.
Guan said that one of the most common issues is the lack of restoration testing.
“Many teams monitor backup completion but never test whether those backups can be restored quickly and correctly. This creates a false sense of confidence.”
Dependencies further complicate recovery. Restoring a database alone is insufficient if supporting systems such as identity services, DNS and network configurations are not brought back in the correct order.
“Recovery is not a single action. It is a sequence. If you restore components out of order or overlook dependencies, the system may not function even if the data is intact,” he added.
Separating Backup from Recovery
Guan said one of the most overlooked risks is the lack of separation between production and backup environments.
“Many organisations believe they are protected because their backups are stored offsite. But if the same credentials control both production and backup systems, attackers can compromise recovery just as easily.”
He said that in such scenarios, attackers do not need to destroy backups to cause disruption.
“They can simply block access or delete backup sets using compromised credentials. The weakness is not the location of the backup, but the lack of separation in access control.”
From Theory to Practice
To build genuine resilience, organisations must adopt a more structured and practical approach to recovery.
Guan emphasised the need to identify Tier 1 systems — the critical components required to restore operations.
“Identity and access systems should come first, followed by network services such as DNS, before moving on to core business applications. Without these foundations, recovery becomes significantly more difficult,” he said.
He also stressed the importance of defining realistic RTO and RPO targets for each system, as well as ensuring backups are protected from tampering and supported by multiple recovery points.
Equally important is the creation of a clear runbook to guide teams during incidents.
“A good runbook defines who makes decisions, who leads recovery, what gets restored first and how communication is handled. In a crisis, clarity is everything,” he said.
A Shift in Mindset
While World Backup Day highlights the importance of safeguarding data, Guan said organisations must move beyond basic measures.
“Backups are necessary, but they are not sufficient. What matters is whether you can recover quickly, safely and predictably.”
*Full article from New Straits Times.