Attackers will eventually find a way into your systems, and by now, they also know where the backups are stored. Synology organized a webinar on this topic, emphasizing the need to make backups a priority.
Companies that survive a ransomware attack never do so because they prevented the attack. They survive because they were able to recover quickly enough. Yet most companies are still geared toward the first scenario: priority on prevention, with backup as an afterthought. That is no longer sufficient.
AI makes phishing and ransomware more dangerous
AI isn’t just changing how companies work; it’s also changing how cybercriminals attack. Synology describes AI in the context of cybersecurity as a double-edged sword, and that is no exaggeration.
The most common causes of cyber incidents have become more dangerous due to AI. Phishing emails are no longer poorly translated form letters. Generative AI analyzes all available info on the web, social media posts, and communication styles to write emails that appear to come from a colleague or another acquaintance.
At the same time, this lowers the technical barrier for attackers. In the past, setting up a convincing attack required specific knowledge or time. Today, a text prompt is enough. Exploiting leaked passwords is also becoming smarter. Attackers automatically adapt their behavior to bypass detection systems, attempting to gain access to multiple accounts from different locations and at different times. The timing is no longer accidental.

The backup is the next target
Classic backup strategies are aimed at human error or disasters, but ransomware works differently. In recent years, attackers have also been targeting the recovery environment, knowing that an unusable backup forces companies to pay. According to Synology, cyber resilience rests on three pillars: protection, isolation, and proven recoverability. That last term deserves more explanation. A backup that technically exists but is unusable in practice offers no real protection.
Two concepts are becoming increasingly important here. First, there is WORM technology (Write Once, Read Many), where stored data can no longer be modified or deleted, even by administrators. Second, there are air-gapped backups: systems that are automatically disconnected from the network once a backup is complete. Ransomware cannot encrypt systems it cannot reach.
Test, test, test
How often a backup is made is less relevant than how fast and reliable the recovery process is. Yet most companies hardly test their recovery procedures, which comes back to haunt them at crucial moments. This is a problem, as modern ransomware groups remain undetected in a network for weeks on average before they strike. During that period, corrupt or infected files can slip into backups unnoticed. If you never test, you'll only find out at the worst possible moment.
During the webinar, Synology demonstrates automated verification where backups are launched in an isolated sandbox to check if systems actually work after recovery. This aligns with the growing use of the 3-2-1-1-0 principle: three copies, on two different media, with one off-site location, one air-gapped copy, and zero unverified backups.
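The 3-2-1-1-0 principle can be checked mechanically against a backup inventory. The following is an added example, not code from Synology or the webinar: the inventory fields, the sample copies, and the 30-day limit on the age of a restore test are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class BackupCopy:
    name: str
    media: str                          # e.g. "nas", "tape", "object-storage"
    offsite: bool
    air_gapped: bool
    last_restore_test: Optional[date]   # None = never restored in a test
    restore_test_passed: bool = False

def audit_3_2_1_1_0(copies: List[BackupCopy], today: date,
                    max_test_age_days: int = 30) -> List[str]:
    """Return findings; an empty list means the inventory meets the rule."""
    findings = []
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies, need three")
    if len({c.media for c in copies}) < 2:
        findings.append("2: all copies sit on the same media type")
    if not any(c.offsite for c in copies):
        findings.append("1 (off-site): no copy is stored off-site")
    if not any(c.air_gapped for c in copies):
        findings.append("1 (air gap): no copy is air-gapped")
    # "0": every copy needs a recent, successful restore test.
    # The age limit is an assumption; the principle only says "zero unverified".
    cutoff = today - timedelta(days=max_test_age_days)
    for c in copies:
        if c.last_restore_test is None:
            findings.append(f"0: {c.name} has never been restore-tested")
        elif not c.restore_test_passed:
            findings.append(f"0: {c.name} failed its last restore test")
        elif c.last_restore_test < cutoff:
            findings.append(f"0: {c.name} restore test older than "
                            f"{max_test_age_days} days")
    return findings

# Constructed sample inventory (not real systems).
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    BackupCopy("nas-local", "nas", False, False, date(2024, 5, 28), True),
    BackupCopy("cloud-replica", "object-storage", True, False,
               date(2024, 3, 1), True),
    BackupCopy("dr-site-nas", "nas", True, False, None),
]

if __name__ == "__main__":
    for finding in audit_3_2_1_1_0(SAMPLE_INVENTORY, TODAY):
        print(finding)
```

On the sample inventory, the copy counts, media and off-site checks pass, but the audit reports the missing air-gapped copy and two copies that do not count as verified.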
Complexity becomes a risk
Many companies today use multiple backup tools: one for the cloud, one for endpoints, and one for virtual machines. Each platform has its own login credentials, policies, and interfaces. Synology cites the example of an organization working simultaneously with Veeam, Acronis, and CommVault. The result is less ideal than you might expect: there is more to manage and there are more attack surfaces. Centralization is therefore no longer a simple choice, but a security decision that must be made. The scalability of these environments makes this feasible for larger companies as well.

The pressure to take cyber resilience seriously also comes from European regulations. NIS2 and GDPR impose data protection obligations on companies. Regulators are focusing less on the total prevention of incidents and more on resilience. For financial institutions, the Sheltered Harbor guidelines go even further: they require an isolated, offline, and non-corrupted backup replica that is immediately deployable for recovery.
The question is not ‘if’, but ‘when’
The core of Synology’s message isn’t particularly reassuring, but it is honest: the question is no longer whether an attack succeeds, but whether your business can keep running if both the production environment and the recovery infrastructure are targeted at the same time.
The answer lies not in a single product or technology, but in an approach that combines protection, immutable storage, isolation, and verified recovery. Companies that still view backup as an emergency insurance policy will eventually have to let go of that notion the hard way.
