There is a growing disconnect between how confident organisations feel about cyber resilience and the reality of recovery outcomes, according to Veeam Software’s recently released Data Trust and Resilience Report 2026.
The report is based on insights from more than 900 senior IT, security and risk leaders globally.
Veeam said while the information is not broken down by country or region, core challenges highlighted in the global findings are consistent with what it observes across markets including SA.
These challenges include: high confidence in recovery that is not matched by proven outcomes; increasing ransomware and regulatory pressure; growing complexity driven by cloud and AI adoption; and a need for better visibility, testing and executive alignment around data resilience.
The research found that while 90% of organisations express confidence in their ability to recover from a cyber incident, fewer than one in three ransomware victims fully recovered their data.
On average, organisations recovered just 72% of affected data following a ransomware attack.
Asked why organisations struggled to fully recover, Veeam pointed to several contributing factors, including:
- Incomplete visibility into data and systems.
- Recovery processes that are assumed rather than tested, leading to failures during real incidents.
- Security controls that exist on paper but are not consistently enforced.
- A lack of executive alignment on what “full recovery” actually means.
Anand Eswaran, CEO of Veeam, said: “Confidence in recovery from a ransomware attack is high, but the data tells a different story – and AI is only widening that gap. Even the most sophisticated organisations are discovering that confidence in recovery and proof of recovery are fundamentally different capabilities.
“Data resilience is still the hard requirement: knowing what data you have, where it lives, who can access it and proving you can restore clean, trusted data fast when attackers – or operational failures – put the business under pressure. The infrastructure for deploying AI has rapidly outpaced the ability to secure it. Organisations need end-to-end capabilities to understand, secure, protect, govern and ensure their data is resilient at machine speed.”
The report explains this disconnect as a difference between perceived readiness and validated capability.
Many organisations base confidence on:
- Having backups and recovery time objectives (RTOs), but outcomes depend on whether recovery is validated end-to-end.
- RTOs that are not fully aligned with business continuity needs.
- Prior experience with smaller incidents rather than large-scale ransomware events.
This gap widens as environments become more complex, particularly with hybrid cloud, software as a service and AI-driven data usage.
The company said the report provides a relevant benchmark for South African organisations, particularly as AI adoption accelerates and regulatory expectations continue to rise.
Backup systems targeted
Hendrik de Bruin, security consultant for Africa at Check Point Software Technologies, said modern ransomware operations are no longer limited to the encryption of primary production data.
“Increasingly, we're seeing attackers deliberately target and sabotage backup systems, either through encryption, deletion or by corrupting backup catalogues to remove the victim’s ability to recover without paying. This potentially explains the disconnect highlighted in the research. Attackers are acutely aware that resilient backups undermine ransom leverage and therefore design their campaigns specifically to neutralise them before triggering encryption,” said De Bruin.
He added that this tactic is not theoretical and has been observed repeatedly in SA.
“During the reported June 2024 ransomware attack on South Africa’s National Health Laboratory Service, attackers not only encrypted operational systems but also deleted and destroyed backups, severely impacting the organisation’s ability to restore services during a public health crisis,” said De Bruin.
These incidents demonstrate how ransomware actors intentionally remove recovery options to maximise pressure, even against critical national infrastructure, he added.
“Compounding this risk, ransomware groups frequently deploy persistence mechanisms that allow them to regain access even after systems are restored. This includes hidden accounts, remote access tools, web shells or compromised credentials that survive initial remediation. Recovery is no longer a single technical event but a security operation that must address backup integrity, identity compromise and hidden footholds simultaneously.”

