Security leaders overconfident about ransomware recovery
Few manage to recover all their data, and many experience business disruption
Organizations are massively overestimating their ability to recover from a ransomware attack, with most failing to recover all their data.
According to Veeam's Data Trust and Resilience Report 2026, while nine-in-ten security leaders believe they can recover quickly, only 28% manage to fully restore their data.
On average, organizations recovered just 72% of affected data following a ransomware attack, while another 29% have ended up with data loss, downtime, or business disruption.
For cyber incidents generally, amongst organizations that fell victim in the past 12 months, more than 40% reported customer or constituent disruption. Around the same number reported financial loss or revenue impact, and 38% reported extended downtime of critical systems.
The researchers suggest that confidence in recovery is often boosted by the use of testing and planning – but that the frequency and realism of those tests are limited by operational and business pressures.
"Confidence in recovery from a ransomware attack is high, but the data tells a different story – and AI is only widening that gap," said Anand Eswaran, CEO of Veeam. "Even the most sophisticated organizations are discovering that confidence in recovery and proof of recovery are fundamentally different capabilities."
AI is only making things worse, thanks to new data flows, new attack surfaces, and new governance challenges. More than four-in-ten (43%) of respondents said AI tool adoption was outpacing their ability to secure data and models, and 42% have limited visibility into all the AI tools or models used across the organization, with a quarter saying shadow IT and unauthorized AI tool usage are a primary concern.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Four-in-ten said their security policies haven't yet been updated to include AI-specific risks, such as the use of generative AI.
The organizations that are doing well in terms of recovery, said Veeam, are those that have clear visibility into enterprise data and AI risk in production and in backup data, along with realistic testing and validation.
They also actually enforce security controls, rather than relying on policy alone, and have executive alignment on ownership, reporting, and what recovery actually means.
"Data resilience is still the hard requirement: knowing what data you have, where it lives, who can access it, and proving you can restore clean, trusted data fast when attackers – or operational failures – put the business under pressure," said Eswaran.
"The infrastructure for deploying AI has rapidly outpaced the ability to secure it. Organizations need end-to-end capabilities to understand, secure, protect, govern, and ensure their data is resilient at machine speed."
Last summer, Check Point's 2025 Cloud Security Report revealed that while nearly two-thirds of organizations suffered a cloud security incident in the past year, only 6% of incidents were remediated within the first hour, with 62% of enterprises taking more than 24 hours to fully recover.
Meanwhile, research from cybersecurity firm ESET found that 53% of UK businesses had fallen victim to at least one cyber attack over the last year, with 43% saying that this had had a long-term impact on business growth.
Costs included the extra staff time needed to deal with an attack, cited by nearly two-thirds of businesses, with others including ransom payments, stolen or lost funds, legal and regulatory costs, disruption to operations, and the cost of bringing in third-party expertise along with higher cyber insurance premiums.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
The NCSC wants to build an AI-powered 'Cyber Shield' to protect the UK from hackersNews The aim is to create a national, sovereign defence capability to protect government agencies and critical infrastructure
-
IBM targets data center efficiency gains with new z17 and LinuxONE offeringsNews Cost, data center footprint, and performance improvements are coming for IBM Z and LinuxONE customers
-
Hackers are posing as Interpol to target small businesses – here's what you need to knowNews Small businesses are warned to think twice before clicking on links
-
‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolenNews An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacksNews NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation
-
German authorities want your help finding the hackers behind GandCrab and REvilNews Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk are believed to have made millions from ransomware as a service schemes