A significant portion of UK organizations cannot fully recover data from backups
Let’s talk about something that should be simple but usually isn’t, whether your business can actually recover its data when it matters most. The answer, for nearly one-third of UK companies, is a blunt “no.” Recent research from Censuswide, surveying 200 IT security decision makers, shows that 31% of organizations failed to fully recover their data following a breach or incident, even though they had backups in place. That’s real failure, in real situations, at real companies.
What does that tell us? It tells us the average recovery strategy is broken, or at best, unreliable. These are not edge cases. These are mainstream businesses missing the mark on one of the most basic cybersecurity fundamentals. Having backups isn’t enough. If you’re not regularly verifying your restore process, you might not have a recovery option when a breach hits. The false sense of security that comes from simply “having backups” sets companies up for hard losses, in time, money, and trust.
Full recovery results were up slightly, 58% of companies in 2025 say they recovered everything, compared to 50% last year. That’s progress, but it’s not close to where it needs to be. We live in a world where breaches are inevitable. Assuming you’ll never need to recover data is just bad math. Recovery speed and completeness should be board-level discussions, not afterthoughts buried under day-to-day operations.
Jon Fielding, Managing Director for EMEA at Apricorn, puts it well. “If the net is full of holes, you’re still going to hit the ground hard.” Replace the net. Test it. Take a hard look at your worst-case recovery scenario and work backward. Because in reality, recovery is only possible when backups are complete, secure, and routinely tested under stress. That’s how real resilience is built.
Remote work and employee behavior elevate data breach risks
The shift to remote work isn’t new. But the risks that come with it are still underestimated. According to the same Censuswide survey, 61% of IT security leaders said remote or mobile work increases the likelihood of data breaches. It’s not hard to understand why. Outside the office, there’s less control, weaker monitoring, and far more chances for gaps to open.
This isn’t just about lost devices or unencrypted Wi-Fi connections. The bigger problem is human behavior. Nearly half of the organisations surveyed, 46%, reported that employees knowingly exposed sensitive data within the past year. That puts your data at risk not due to negligence, but due to decisions, people bypassing protocols, sending critical files through unsecured channels, or using unsanctioned tools to “get things done faster.”
That level of exposure can’t be solved by software alone. It’s a leadership problem. Executives need to set expectations around accountability and enforce standards without creating friction. Security training must be continuous, not just something checked off once a year. Tools must be integrated cleanly into workflows so people don’t look for workarounds. Culture matters, because the choices your team makes every day determine your real security posture.
These stats are a signal for action. If your team is working remotely and your data is flowing beyond the network perimeter, it’s not enough to monitor endpoints. You need a clear plan for how data is accessed, moved, and shared, along with policies employees understand and follow. When people understand the stakes, they act differently. But only if leadership makes that a priority.
Backup systems themselves are increasingly targeted by attackers
We’re seeing a clear shift in how cybercriminals operate. It’s not just your primary systems they’re going after anymore. They’re now aiming directly at your backups, the systems you rely on when everything else fails. In the latest Censuswide survey, 18% of IT leaders said that attacks on backup systems were the main cause of a data breach. That’s not a side concern. That’s the failure of what should be the last layer of defense.
Too many organisations still treat backup environments as secondary priorities. Less monitoring. Fewer controls. But attackers have figured that out, and they’re exploiting it. If your backups are connected to your production network, unencrypted, or easily accessible with compromised credentials, they become soft targets. In that scenario, even a well-executed backup strategy won’t matter, because those backups won’t be there when you need them.
The security architecture needs to evolve. Backup repositories must be isolated, encrypted, access-controlled, and audited just like your live systems. For executive teams, that means approving budget for secure infrastructure, not just for storage, but for backup-specific intrusion detection, recovery testing under real-world breach scenarios, and multi-layer access control. If your security roadmap isn’t treating backups as attack surfaces, it’s incomplete.
Cybersecurity isn’t static. Threats evolve, and today’s attacks are designed to neutralize your response options. Losing access to backup data during a breach compounds the damage and drags recovery timelines beyond tolerable limits. That’s avoidable, if executives are willing to question assumptions and reevaluate how backup integrity is being ensured across the organization.
Automated backups are gaining traction and improving resilience
More businesses are moving toward automated backup systems, and the data confirms it’s the right direction. According to the latest Censuswide survey, 44% of organizations now use automated backups to both personal and central repositories, a significant increase from 30% the year prior. In total, 85% are using some form of backup automation. That’s momentum worth paying attention to.
Automation eliminates a major point of failure: human error. Manual backups can be forgotten, misconfigured, or skipped entirely. When automation is well-implemented, it ensures consistency and precision, two things that matter most in critical data protection. But automation alone isn’t what matters. It has to be tied to a clear framework. Right now, the 3-2-1 backup rule is gaining attention: keep at least three copies of your data, across two different media types, with one offsite. Simple and effective, especially when combined with encrypted, offline storage.
For C-level leaders, what automation really brings is operational confidence. It shrinks uncertainty. It reduces dependence on individual execution. And it frees up your security and IT teams to focus on higher-impact problems. But consistency and monitoring have to be part of the system. Just because it runs automatically doesn’t mean it’s working perfectly. You need visibility and validation. And the ability to test restores regularly, without guesswork.
Jon Fielding, Managing Director for EMEA at Apricorn, said it clearly: “Implementing automation removes the need for human intervention, reducing risk and ensuring secure backup of data.” He’s right. The threat landscape is getting more sophisticated. Reaction time matters. Process reliability matters. And automated backups, rightly designed and regularly reviewed, are one of the few controls that can actively reduce exposure without increasing workload. For most businesses, that’s progress worth scaling.
Key executive takeaways
- Data recovery gaps are common and costly: 31% of UK organisations fail to fully recover data from backups due to inadequate processes. Leaders should mandate regular testing and validation of backup systems as a core part of breach readiness.
- Remote work is raising breach exposure: 61% of firms see remote and mobile work as a growing security risk, and 46% report employees knowingly compromised data. Executives should invest in ongoing security training and enforce clear data handling policies.
- Backup systems are now targets: 18% of breaches were caused by direct attacks on backup infrastructure. Decision-makers must treat backup environments as critical assets and apply the same security controls used on primary systems.
- Automation is improving resilience: 85% of companies use some form of automated backup, and adoption is rising. Leaders should pair automation with strong oversight, including consistent restore testing and implementation of offline, encrypted storage.
