Security leaders overconfident about ransomware recovery

Organizations are massively overestimating their ability to recover from a ransomware attack, with most failing to recover all their data.

According to Veeam's Data Trust and Resilience Report 2026, while nine-in-ten security leaders believe they can recover quickly, only 28% manage to fully restore their data.

On average, organizations recovered just 72% of affected data following a ransomware attack, while another 29% have ended up with data loss, downtime, or business disruption.

For cyber incidents generally, amongst organizations that fell victim in the past 12 months, more than 40% reported customer or constituent disruption. Around the same number reported financial loss or revenue impact, and 38% reported extended downtime of critical systems.

Latest Videos From

The researchers suggest that confidence in recovery is often boosted by the use of testing and planning – but that the frequency and realism of those tests are limited by operational and business pressures.

"Confidence in recovery from a ransomware attack is high, but the data tells a different story – and AI is only widening that gap," said Anand Eswaran, CEO of Veeam. "Even the most sophisticated organizations are discovering that confidence in recovery and proof of recovery are fundamentally different capabilities."

AI is only making things worse, thanks to new data flows, new attack surfaces, and new governance challenges. More than four-in-ten (43%) of respondents said AI tool adoption was outpacing their ability to secure data and models, and 42% have limited visibility into all the AI tools or models used across the organization, with a quarter saying shadow IT and unauthorized AI tool usage are a primary concern.

Four-in-ten said their security policies haven't yet been updated to include AI-specific risks, such as the use of generative AI.

The organizations that are doing well in terms of recovery, said Veeam, are those that have clear visibility into enterprise data and AI risk in production and in backup data, along with realistic testing and validation.

They also actually enforce security controls, rather than relying on policy alone, and have executive alignment on ownership, reporting, and what recovery actually means.

"Data resilience is still the hard requirement: knowing what data you have, where it lives, who can access it, and proving you can restore clean, trusted data fast when attackers – or operational failures – put the business under pressure," said Eswaran.

"The infrastructure for deploying AI has rapidly outpaced the ability to secure it. Organizations need end-to-end capabilities to understand, secure, protect, govern, and ensure their data is resilient at machine speed."

Last summer, Check Point's 2025 Cloud Security Report revealed that while nearly two-thirds of organizations suffered a cloud security incident in the past year, only 6% of incidents were remediated within the first hour, with 62% of enterprises taking more than 24 hours to fully recover.

Meanwhile, research from cybersecurity firm ESET found that 53% of UK businesses had fallen victim to at least one cyber attack over the last year, with 43% saying that this had had a long-term impact on business growth.

Costs included the extra staff time needed to deal with an attack, cited by nearly two-thirds of businesses, with others including ransom payments, stolen or lost funds, legal and regulatory costs, disruption to operations, and the cost of bringing in third-party expertise along with higher cyber insurance premiums.