Backups Not Enough, Firms Told to Strengthen Recov­ery Plans

KUALA LUMPUR: Malay­sian busi­nesses are urged to move bey­ond rely­ing solely on data backups and instead pri­or­it­ise full dis­aster recov­ery (DR) read­i­ness to with­stand dis­rup­tions in 2026.

Backups vs. Recovery

Malay­sian web host­ing com­pany Exa­bytes chief oper­at­ing officer Guan Tian Lai said many organ­isa­tions often mis­take hav­ing backups with being pre­pared, and that backups only con­firm that data cop­ies exist, not that oper­a­tions can be restored effect­ively.

“Backups are not the same as recov­ery. Backups tell you a copy of data exists. Dis­aster recov­ery determ­ines whether you can restore access, ser­vices, and oper­a­tions within an accept­able time and with accept­able data loss.”

“The gap between those two is where Malay­sian busi­nesses lose hours, money, and cus­tomer trust, even when they believe they did the right thing,” he said in a state­ment on Fri­day in con­junc­tion with World Backup Day.

Guan said most organ­isa­tions only dis­cover weak­nesses in their dis­aster recov­ery plans dur­ing an actual incid­ent. Com­mon causes of down­time in Malay­sia include human error, sys­tem mis­con­fig­ur­a­tions, cre­den­tial com­prom­ise and ser­vice pro­vider out­ages.

“These exposes the same weak­ness: recov­ery is rarely designed, tested, and owned as a dis­cip­line,” he said.

He also poin­ted to rising cyber­se­cur­ity threats includ­ing ransom­ware as a grow­ing con­cern. Malay­sia’s national incid­ent response centre has repor­ted an increase in ransom­ware-related incid­ents in early 2026, along­side broader warn­ings that cyber threats are becom­ing more soph­ist­ic­ated with increased cloud and arti­fi­cial intel­li­gence adop­tion.

Recov­ery Time Object­ive (RTO) and Recov­ery Point Object­ive (RPO)

Guan stressed that busi­ness lead­ers must under­stand two key met­rics in dis­aster recov­ery plan­ning — Recov­ery Time Object­ive (RTO) and Recov­ery Point Object­ive (RPO).

RTO defines how long a busi­ness can tol­er­ate down­time, while RPO determ­ines how much data loss is accept­able.

“These are not IT terms. They are busi­ness decisions. If your billing sys­tem can be down for eight hours, that’s an RTO decision. If your orders can only lose five minutes of data, that’s an RPO decision.

“And if you’ve never defined those tar­gets or never tested whether you can meet them, then “hav­ing backups” may not pro­tect you from dis­rup­tion,” he said.

He added that fail­ures dur­ing incid­ents are often not due to miss­ing backup files, but weak­nesses in exe­cu­tion. These include untested res­tor­a­tion pro­cesses, over­looked sys­tem depend­en­cies, unclear recov­ery pri­or­it­ies and restric­ted access dur­ing emer­gen­cies.

Backup-as-a-Ser­vice (BaaS) and Dis­aster Recov­ery-as-a-Ser­vice (DRaaS)

Guan also cau­tioned against con­fus­ing Backup-as-a-Ser­vice (BaaS), which focuses on data stor­age, with Dis­aster Recov­ery-as-a-Ser­vice (DRaaS), which ensures full res­tor­a­tion of busi­ness oper­a­tions.

To improve resi­li­ence, he recom­men­ded that organ­isa­tions identify crit­ical sys­tems, define recov­ery tar­gets, secure backup integ­rity and develop clear recov­ery run­books out­lining roles, pri­or­it­ies and com­mu­nic­a­tion plans.

Reg­u­lar test­ing is equally import­ant, with at least two dis­aster recov­ery drills annu­ally and one full res­tor­a­tion test to ensure pre­pared­ness.

“World Backup Day is a reminder to back up data, but the more import­ant ques­tion is whether busi­nesses can recover. A backup is neces­sary, but it is not suf­fi­cient,” he said.

He added that con­duct­ing a dis­aster recov­ery drill can provide more insight into an organ­isa­tion’s resi­li­ence than routine sys­tem mon­it­or­ing.

“Because the real risk is not that something breaks, but that when it does, there is no prac­tised way to restore oper­a­tions quickly and effect­ively,” he said.

Full article by The Borneo Post (Sarawak).