Beyond Backups: Rethinking Resilience for Public Companies in an Era of Cyber Risk and Regulatory Scrutiny
This article was previously published in The AI Journal.
Each year, World Backup Day offers a timely reminder for organizations to evaluate their approach to data protection. But for public companies—where operational resilience, cybersecurity posture, and regulatory compliance are under constant scrutiny—the conversation must go far beyond a simple backup checklist. It’s not just about whether your data is backed up; it’s about whether your backup, cybersecurity, and data privacy strategies are aligned with the business outcomes you’re expected to protect.
In a world where cyber incidents can trigger financial restatements, reputational damage, and executive-level accountability, the ability to restore a lost server is table stakes. Public companies must think bigger: Can we restore critical business functions in a way that meets our fiduciary, operational, and regulatory responsibilities? That’s the new bar for resilience.
It Starts with Visibility: The Role of Asset Inventory
Every effective data protection strategy begins with a complete and accurate understanding of what you’re protecting. Today’s IT environments are complex—spanning cloud, on-premises infrastructure, SaaS platforms, remote endpoints, operational technology (OT), and even smart IoT devices. Yet too often, organizations still operate without a real-time asset inventory.
For public companies, this is more than an operational oversight—it’s a strategic risk. You can’t protect what you don’t know you have, and you can’t prioritize recovery without understanding how each asset contributes to the business. This is why a modern asset inventory must go beyond cataloging hardware and software. It must be dynamic, comprehensive, and continuously updated, reflecting real-time changes in the environment.
More importantly, each asset must be assigned to a critical business function in real time, enabling your organization to maintain an evergreen business impact analysis (BIA). This is the foundation for aligning your data protection and recovery strategies with the actual needs of the business. Without this alignment, it’s all too easy to find yourself backing up systems that don’t matter—or worse, failing to protect the ones that do.
Backup Without Context Is Not Resilience
Traditional backup strategies often focus on data volumes, storage tiers, and recovery point objectives (RPOs). While these metrics are still relevant, they miss the broader question: What is the impact on the business if this data or system is unavailable? That’s where business context becomes critical.
For public companies, this context is the difference between a minor incident and a material disclosure. It’s the distinction between recovering a file server and restoring an entire revenue-generating process. By mapping assets to business functions—and maintaining that mapping in real time—you gain the ability to set intelligent, risk-informed priorities for backup frequency, storage policies, and recovery plans.
This business-function-centric approach is also critical in navigating today’s complex regulatory environment. Whether you’re responding to SEC rules around cybersecurity disclosures, GDPR mandates for data integrity, or industry-specific compliance obligations, regulators are increasingly asking not just if you protect your data, but how that protection supports operational continuity and responsible governance.
Cybersecurity and Data Privacy: Two Sides of the Same Resilience Coin
Data backups are a crucial safeguard, but they must be part of a larger cybersecurity and privacy strategy. Backup systems themselves are increasingly being targeted by ransomware and wiper malware, making it critical to protect your backup infrastructure and your backup data as well as your live systems.
At the same time, public companies face growing expectations around data privacy. It’s not enough to simply retain data—you need to ensure that what’s backed up complies with privacy regulations. This means having clear retention policies, minimizing sensitive data exposure, and ensuring the right to be forgotten can be enforced, even across archived and backed-up environments.
The intersection of data protection, cybersecurity, and data privacy is becoming a governance issue. Boards and executive teams must treat resilience as a strategic objective, with clear accountability and measurable outcomes. That means investing not just in backup infrastructure, but in the processes and tools that ensure alignment between IT operations and business impact.
From Compliance to Competitive Advantage
For public companies, resilience is no longer just about surviving a disruption—it’s about thriving in an increasingly uncertain environment. The organizations that will lead in this next era are those that turn compliance into a competitive advantage by building transparency, agility, and trust into their core operations.
This requires a cultural shift as much as a technological one. IT teams must collaborate with business units to define critical functions, risk tolerances, and recovery expectations. Cybersecurity teams must work alongside compliance officers to align technical safeguards with regulatory mandates. And executives must champion resilience as a board-level priority, not just an operational concern.
Moving Forward: The Playbook for Modern Resilience
So what should public companies be doing now to elevate their data protection strategies?
Implement a dynamic, real-time asset inventory that includes IT, OT, and IoT systems and updates continuously.
Map each asset to a critical business function, enabling real-time business impact analysis and informed recovery planning.
Align backup strategies with business priorities, ensuring you’re protecting what matters most.
Secure your backups, with segmentation, encryption, and immutability controls.
Test your backups regularly, not just for file recovery, but for end-to-end restoration of business services.
Ensure backup practices comply with privacy and regulatory requirements, including retention, access controls, and the ability to support data subject rights.
Report regularly to executive leadership and the board, making resilience a core part of governance.
Conclusion
World Backup Day is a great reminder to check the basics, but for public companies, it’s time to look beyond the basics. Backup without context is not enough. Cybersecurity without recovery is incomplete. And data privacy without resilience is a liability.
The path forward is clear: build a living map of your environment, tie it to what matters most to your business, and ensure your protection strategies are always aligned with impact. Resilience isn’t just about bouncing back—it’s about staying ahead.