
Are your backups beyond the attacker’s reach?

By Sanni Salokangas

Data resilience is often measured with a simple question: Do we have backups?

The real question today is whether those backups are truly beyond the attacker’s reach. Traditional backups, in fact, usually are not.

Ransomware has changed. Increasingly, attackers don’t begin by encrypting systems. They enter quietly, spend time inside the organisation, copy sensitive data, and only later decide how to apply pressure. Sometimes they encrypt. Sometimes they simply threaten to publish what they have taken.

In either case, one reality remains constant: once attackers gain meaningful access to your environment, everything inside it becomes vulnerable, including your backups.

When backups sit too close

Most organisations have backups. They run automatically. They replicate. They pass recovery tests. But.

If backup systems are closely connected to the same environment that has been breached, they may fall within the same sphere of control. An attacker who gains administrative access can often reach far more than intended. In real-world incidents, backup data has been deleted, encrypted, or quietly damaged before organisations even realised there was a breach.

In this situation, resilience depends on the location of your backups. 

Separation is what creates safety

The purpose of an offsite backup is not simply to store a copy of data. It is to create separation. 

Offsite means that backup data is isolated from production systems (protected from everyday credentials and inaccessible from the primary network), so it remains intact even if the rest of the environment is compromised.

That separation creates something invaluable during an incident: certainty.

When systems are suspect, when credentials are exposed, when trust inside the organisation has eroded, leadership needs one thing above all else: their business-critical data back.

Data theft has raised the stakes

The rise of data-only extortion has shifted attention toward exposure. Regulations such as GDPR and NIS2 focus on the protection of sensitive information, not just operational downtime. If data leaves your control, reporting and regulatory consequences follow.

But this evolution does not make backups less important.

In fact, it makes architectural discipline more critical. If attackers spend weeks inside an environment before detection, internal systems cannot automatically be trusted. Rebuilding infrastructure, restoring services, and proving operational integrity may all depend on having an untouched copy of your data elsewhere.

Offsite backups cannot undo exposure. But they prevent exposure from becoming the undoing.

Control, sovereignty, and confidence

For European organisations, backup strategy is also about jurisdiction and control. Knowing where recovery data physically resides (and under which legal framework) reduces uncertainty during crisis response. Sovereign, offsite storage strengthens both operational resilience and regulatory clarity. This is something that SpaceTime's data storage specialises in.

Doomsday calls?

Attackers will continue to evolve. They may encrypt selectively. They may prioritise theft. They may combine both. But once they control your primary environment, anything within it can be manipulated.

Which brings us back to the only question that truly matters:

Not “Do we have backups?”

But “Are our backups beyond the attacker’s reach?”

Not to sound too dramatic, but when systems fail and trust is compromised, survival depends on what remains untouched.