Immutable Backup and Recovery Proof in a CSRB, NIS2 and DORA World
Written by: Gurdip Sohal,
Data Management Director, Covenco
The old reassurance was simple: ‘we have backups’. The executive question is different: if operations are hit, can we recover critical services in a way that stands up to customer, insurer, auditor and board scrutiny?
That is the shift behind the UK Cyber Security and Resilience Bill, NIS2 and DORA. Backup is still part of the picture, but the standard has changed. Organisations are being pushed to show that recovery is real, tested and defensible, not simply assumed. The pressure is moving from ‘do you back up?’ to ‘can you prove you can recover?’
For the board and senior IT leadership, that changes the conversation. Recovery is no longer a background IT process. It is now part of operational resilience, accountability and risk management.
Why backup is no longer enough
A successful backup job proves one thing: data was copied.
It does not prove that critical applications can be restored in the right order. It does not prove that the restore point is clean. It does not prove that users can get back to work. And it does not prove that the right evidence can be produced inside a 24-hour or 72-hour reporting window.
That gap matters. Current reporting expectations point to an initial notification within 24 hours, followed by a fuller report within 72 hours. Against that, the average breach lifecycle remains 258 days, including 194 days to identify and 64 days to contain. That is not a paperwork problem. It is an operational readiness problem.
This is why recovery proof matters. It means being able to show that the business can recover from a verified point in time, within realistic recovery objectives, and with enough documentation to stand up to customer, insurer, auditor or regulator scrutiny.
Why immutable backup now sits on the critical path
Attackers know exactly where to apply pressure. Backup infrastructure is no longer an afterthought because attackers stopped treating it as one years ago.
Research cited in the webinar shows that 94% of ransomware victims had their backup repositories targeted. When backups are compromised, recovery becomes slower, more expensive and far less certain.
That is why immutability matters. If recovery data can be altered or deleted, the organisation may not have a recovery path at all. But immutability is only part of the answer. A stronger recovery posture also depends on MFA for administrative access, separation of duties, four-eyes authorisation for destructive actions, and segmentation between production and backup environments. The principle is simple: if production is compromised, recovery assets must not fall with it.
The technical stack also has to support the governance story. Telemetry, timestamped testing output and audit-ready reporting are what turn controls into usable evidence.
Recovery depends on decisions made before the incident
Backup without classification is not a recovery strategy.
Many organisations still treat recovery as a generic technical process. In reality, it is a prioritisation exercise. What must come back first? What can wait? What may not need restoring at all? If those decisions are not made in advance, the first hours of a breach are wasted on debate rather than recovery.
A practical tiering model helps here. Tier 0 covers core infrastructure and dependencies. Tier 1 covers essential business services and regulated data. Tier 2 supports broader operational systems. Tier 3 is archival. Without that structure, recovery becomes slower, noisier and harder to defend.
That matters because backups do not guarantee outcomes. Research cited in the session shows that 57% of ransomware victims recovered less than half their data despite having backups. It also shows that 60% of organisations believe they can recover within hours, while only 35% actually do. The gap is not optimism. It is the absence of tested recovery design.
Recovering a server is easy to talk about. Recovering the business is the part that exposes whether the planning was real.
Why this is no longer just a regulatory issue
This is not only a question of whether an organisation falls within the formal scope of the regulations.
If you supply services, software or infrastructure into regulated organisations, you inherit pressure to demonstrate the same resilience standards. That is already happening through procurement, due diligence and renewal reviews. Recent breach data shows that 30% of confirmed breaches involved a third party, double the previous year.
Insurers are applying the same pressure from a different angle. Cyber insurance claims have risen sharply, and insurers increasingly want proof, not promises. Immutable backups, documented restore testing, defined RTOs and RPOs, privileged access controls and usable audit logs now matter as much in renewal and claims conversations as they do in formal audit.
That is why resilience work is becoming easier to justify. The same evidence base supports audit readiness, insurer scrutiny and customer assurance.
Where Covenco adds value
Many organisations already own capable backup technology. What they lack is the operational layer that turns it into a recovery capability that stands up under pressure.
That is where Covenco fits.
Covenco helps clients build a managed, layered and testable recovery model around Veeam that aligns to business priorities and scrutiny requirements. That includes managed backup and recovery, 24/7 threat monitoring, SOC and SIEM integration, gap assessment against resilience frameworks, and incident recovery using clean room capability on fresh infrastructure, on-site or in the cloud.
That managed layer matters because the skills gap is real. UK research cited in the session shows that 50% of businesses have a basic cyber security skills gap, with a further 33% facing an advanced gap. Most internal teams are already stretched keeping core systems stable. Asking them to also build an audit-ready recovery posture, maintain testing discipline and produce evidence on demand is a big ask.
Covenco is ISO 27001 certified, a Veeam Platinum Partner, and has been delivering managed IT and infrastructure services since 1989. It also brings a purpose-built off-site backup data centre, air-gapped tape capability and ring-fenced hardware stock for recovery scenarios.
What good looks like now
A stronger recovery posture is not about collecting more copies of data for the sake of it.
It means immutable backup for critical workloads. It means clearly defined recovery tiers and recovery objectives. It means regular restore testing with evidence retained. It means telemetry that feeds monitoring and audit. And it means recovery plans that account for infrastructure, access, sequencing and clean recovery targets, not just retention settings.
The 3-2-1-1-0 principle remains a useful shorthand: three copies of data, two media types, one off-site copy, one immutable or air-gapped copy, and zero unverified backups. That final zero is the point most organisations still miss. ‘Zero’ means no recovery surprises.
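As an added illustration (not code from the article, Covenco or Veeam), a small Python check that scores one workload's backup copies against 3-2-1-1-0, including the final 'zero unverified' rule, over a constructed inventory; the copy names and fields are assumptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a workload's recovery data (constructed model, not a product API)."""
    name: str
    media: str              # "disk", "object" or "tape"
    offsite: bool
    immutable: bool         # object-lock/WORM storage or air-gapped tape
    restore_verified: bool  # a restore test of this copy passed and evidence was retained


def check_3_2_1_1_0(copies):
    """Evaluate a workload's copies against 3-2-1-1-0.

    Returns a dict mapping each rule to a (passed, detail) tuple so the
    detail can be dropped straight into an audit record.
    """
    media_types = sorted({c.media for c in copies})
    unverified = sorted(c.name for c in copies if not c.restore_verified)
    return {
        "three_copies": (len(copies) >= 3, f"{len(copies)} copies"),
        "two_media": (len(media_types) >= 2, "media: " + ", ".join(media_types)),
        "one_offsite": (any(c.offsite for c in copies),
                        "offsite: " + ", ".join(c.name for c in copies if c.offsite)),
        "one_immutable": (any(c.immutable for c in copies),
                          "immutable: " + ", ".join(c.name for c in copies if c.immutable)),
        "zero_unverified": (not unverified, "unverified: " + ", ".join(unverified)),
    }


def failed_rules(copies):
    """Names of the rules a workload fails; an empty list means fully compliant."""
    return [rule for rule, (ok, _) in check_3_2_1_1_0(copies).items() if not ok]


# Constructed inventory for a Tier 1 workload: the cloud copy is immutable
# but has never been restore-tested, so the final '0' is not met.
TIER1_COPIES = [
    BackupCopy("erp-local-disk", "disk", offsite=False, immutable=False, restore_verified=True),
    BackupCopy("erp-cloud-objectlock", "object", offsite=True, immutable=True, restore_verified=False),
    BackupCopy("erp-tape-vault", "tape", offsite=True, immutable=True, restore_verified=True),
]

if __name__ == "__main__":
    for rule, (ok, detail) in check_3_2_1_1_0(TIER1_COPIES).items():
        print(f"{'PASS' if ok else 'FAIL'} {rule}: {detail}")
    print("gaps:", failed_rules(TIER1_COPIES))
```

Run per workload or per recovery tier, the failed-rule list is the gap the article's 'zero unverified backups' point is about: copies exist, but one has no retained restore evidence.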
Watch the webinar on demand
Fill in your details below to get instant access to the recording of ‘Surviving the Audit’, including practical insight on immutability, recovery evidence and what auditors, insurers and regulators are really looking for.
