The digital-first world has raised the stakes for businesses, with constantly evolving cyberthreats challenging the boundaries of traditional business continuity and disaster recovery (BCDR) strategies. Cyberattacks are becoming more advanced, targeting the most vulnerable link — your end users. At the same time, businesses are navigating the complexities of a hybrid cloud era, balancing the migration of some data to the cloud while strategically retaining other assets on-premises. Finding the sweet spot between functionality, security and cost is a critical challenge for organizations in 2025. Adding to the mix are tightening regulatory pressures, including stricter compliance mandates and tougher requirements for cyber insurance.
At a time when the business and cybersecurity landscapes are rapidly changing, protecting your organization’s data and ensuring business continuity requires a proactive, agile and cyber-resilient approach that goes beyond mere preparation.
Curious about what it takes to stay ahead? Read on as we explore the top BCDR trends to watch out for in 2025 and learn how to transform your backup strategy into a robust foundation for resilience and long-term success.
Building security-centric backup: Resilience against evolving threats
The way businesses manage and protect their data is undergoing great change, with backup systems now squarely in the crosshairs of increasingly sophisticated cyberthreats. To stay ahead, businesses must embrace a security-centric approach to backup, combining advanced defense mechanisms with intelligent, proactive solutions. Here’s what your organization needs to know:
The growing threat landscape
Ransomware and user-based threats are evolving at an alarming rate. While encrypting production systems was a popular tactic, cybercriminals are now targeting backup environments as well. They aim to eliminate recovery options by deleting, encrypting or tampering with backups, forcing businesses to pay ransom demands. According to The State of Ransomware Report 2024, nearly 95% of organizations that experienced ransomware attacks revealed that attackers tried to access and compromise their backups.
Beyond ransomware, cybercriminals now focus on exploiting human vulnerabilities with highly targeted, well-crafted social engineering attacks, exposing organizations to data theft, operational downtime and regulatory penalties.
Phishing and stolen or compromised credentials remained the top two attack methods for the second year in a row, according to the Cost of a Data Breach Report 2024. These methods were also among the four most expensive types of incidents, costing businesses, on average, $4.81 million (compromised credential attacks) and $4.88 million (phishing attacks) per incident.
Integrated defense strategies: Backup meets security
Keeping backup and security separate is no longer practical. Modern threats require a convergence of these disciplines to deliver resilience and enable swift, targeted responses to potential threats. Today’s top-of-the-line IT solutions come equipped with advanced features designed to detect, mitigate and respond to suspicious activity while enabling quick recovery in the event of a disaster.
For example, Kaseya 365 User, a groundbreaking subscription-based offering, brings together key components of IT security and backup that empower businesses to effectively prevent, respond to and recover from threats targeting end users.
The seamlessly integrated solutions in Kaseya 365 User automatically monitor, detect and respond to threats in Software-as-a-Service (SaaS) applications while securely backing up your data daily. Alerts can be triggered for suspicious actions, allowing your IT team to take quick action to stop potential threats before they escalate. Automated workflows lock compromised accounts, preventing attackers from accessing your organization’s sensitive data. Its robust backup and recovery solution gives you 100% recovery confidence from disruptive incidents.
A security-centric backup strategy isn’t just about recovery — it’s about resilience. By combining intelligent monitoring with automated defenses and proactive alerts, your organization can protect its end users and data from even the most determined adversaries.
Confidence in the cloud remains mixed: Navigating the hybrid cloud era
As organizations increasingly adopt cloud technologies, the question of what to migrate — and what to keep on-premises — remains a complex and strategic decision. With cloud workloads expected to surpass 60% of an organization’s IT stack in the coming years, according to the State of Backup and Recovery Report 2025, it’s clear the cloud is a compelling choice for many but not all workloads.
Data types likely to migrate
Certain types of data are naturally suited for the scalability, accessibility and cost efficiency of the cloud:
Non-sensitive analytics data: As per the State of Backup and Recovery Report 2025, 24% of respondents plan to move non-sensitive analytics data to the cloud. Data used for reporting and business intelligence often lacks sensitive attributes, making it a low-risk candidate for cloud migration.
IoT and edge data: IoT and edge data (21%) closely follow, as the cloud can efficiently handle the large volumes of decentralized data generated by IoT devices and edge computing environments.
Sales and orders data: Another 21% of respondents in the survey said their organization plans to migrate sales and orders data to the cloud. With high transaction volumes and the need for global access, sales and orders data benefits from the cloud’s flexibility and real-time processing capabilities.
Data types unlikely to migrate
Despite its advantages, the cloud isn’t a one-size-fits-all solution. Some data types are best kept on-premises due to security, regulatory or operational concerns:
Personally identifiable information (PII) and protected health information (PHI): Strict compliance requirements, such as GDPR and HIPAA, often necessitate tighter control over sensitive personal data. Nearly 20% of organizations said they plan to retain PII and PHI on-premises.
Corporate financial data: Concerns about confidentiality and compliance lead many organizations to keep financial records within highly secure, in-house systems. Close to 20% of respondents plan to keep corporate financial data on-premises to mitigate the risk of breaches and unauthorized access.
Sensitive intellectual property (IP): Protecting trade secrets and proprietary designs from cyberthreats or unauthorized access often requires keeping IP data off the cloud. About 20% of businesses plan to store sensitive data, such as intellectual property and research, on-premises due to concerns about data sovereignty and security.
Top use cases driving cloud adoption
The State of Backup and Recovery Report 2025 highlights the key drivers behind the increasing adoption of public cloud solutions. Close to 40% of businesses utilize the cloud for collaboration, leveraging its scalability and flexibility to empower teams to work seamlessly in remote and hybrid work environments. Disaster recovery (37%) is another popular use case, highlighting the cloud’s critical role in safeguarding businesses against downtime and data loss. Data warehousing (32%) and Database-as-a-Service (DBaaS) (32%) emerge as pivotal use cases, enabling businesses to modernize their data architectures and enhance data management.
The critical need for cloud-based workflow coverage
As businesses continue to migrate to the cloud, it is critical to ensure the safety and security of SaaS and cloud-based workflows. In the State of Backup and Recovery Report 2025, the respondents revealed several methods their organizations use to protect cloud workloads.
Nearly 30% of respondents reported storing backups within their production subscription. While this approach offers simplicity and convenience, it also creates a single point of failure: if the primary subscription is compromised, both production and backup data could be at risk.
About 30% of organizations rely on third-party vendors for redundant backups, which provide enhanced protection and add a layer of security. Similarly, 24% maintain backups in a separate subscription account within the same cloud provider, offering some level of isolation while avoiding third-party involvement.
The report also reveals a concerning gap: 8% of organizations do not back up their public cloud data at all. If disaster strikes, these organizations won’t be able to recover their data. Relying solely on native backup options or neglecting backups altogether poses significant risks to business continuity.
Navigating the complex regulatory world
Like data protection and cybersecurity, the regulatory landscape continues to evolve rapidly, placing greater demands on organizations to maintain compliance across various frameworks. As industry regulations become stricter, businesses must proactively adapt to ensure their data protection and recovery strategies align with current and emerging standards.
Key compliance standards shaping the industry
Network and Information Security (NIS2): The NIS2 Directive, the successor to the NIS Directive, emphasizes strengthening cybersecurity measures and incident response capabilities in sectors critical to the economy and society, such as energy, healthcare and transport. According to the European Commission, EU member states had until October 17, 2024, to adopt the Directive into their national laws.
NIST SP 800-209: A comprehensive guideline for securing storage infrastructures, addressing encryption, access controls and restore capabilities to minimize risks.
Payment Card Industry Data Security Standard (PCI DSS): Focused on safeguarding payment data, PCI DSS mandates strong encryption, regular vulnerability assessments and strict access controls for organizations handling cardholder data.
CIS Controls: These best practices provide actionable steps to enhance cybersecurity, including data backup integrity and secure configurations for cloud and on-premises environments.
ISO/IEC 27000 Series: These standards are widely recognized for information security management. They guide organizations in implementing policies and technologies to protect sensitive data.
Digital Operational Resilience Act (DORA): The EU Act, which will come into effect in January 2025, applies to EU-based financial institutions and mandates resilience in IT operations, requiring robust data recovery, incident reporting and risk management measures.
A look ahead: Trends driving backup and disaster recovery strategies
The growing sophistication of ransomware and targeted attacks requires smarter, automated defenses, including a focus on building a strong human firewall. Hybrid cloud environments continue to evolve, compelling businesses to strike a balance between scalability, security and cost efficiency. Industry regulations are becoming even more stringent. To stay compliant, your organization must implement cutting-edge solutions and adopt a more robust data protection approach.
Traditional backup and disaster recovery strategies are no longer enough for today’s complex data protection challenges and advanced threats. Your organization must move beyond simple recovery and incorporate advanced defense mechanisms to enhance the security of your critical assets and recover quickly in the event of a disaster.
Download the State of Backup and Recovery Report 2025 to discover the current trends in backup and recovery and how they are transforming the data protection landscape. Unlock key insights from over 3,000 IT professionals, security experts and administrators worldwide to build a cyber-resilient business.