Backup strategies that adapt to threats, regulations, and more

As World Backup Day 2026 highlights the critical role of robust data protection, enterprises across Asia-Pacific are redesigning backup and recovery practices to counter escalating ransomware, multi-cloud complexity, and stringent data sovereignty rules.

The Asia Pacific Data Backup and Recovery Market is forecast to expand at a compound annual growth rate of 10.8% through 2031, driven by digital transformation and cyber resilience needs.

Disaster Recovery as a Service (DRaaS) in the region is projected to grow even faster, from US$2.96 billion in 2025 to US$9.78 billion by 2032 at 18.6% CAGR, as organisations prioritise rapid recovery and compliance.

Veeam’s 2025 Ransomware Trends Report underscores the urgency: 69% of organisations globally (including significant APAC representation in broader surveys) still face cyber-attacks, with many struggling to recover substantial portions of data despite improved defences.

Isolated Recovery Environments (IREs) are shifting from niche tools to boardroom mandates across Asia Pacific, particularly in financial services, critical infrastructure, and manufacturing.

An exclusive FutureCIO interview reveal a shift toward selective, identity-centric, and sovereign-aware strategies.

Prioritising sub-minute RTOs without overspending

CIOs are moving away from uniform sub-minute recovery time objectives (RTOs) across all workloads. Chee Pin Chua, vice president, Southeast Asia & Korea, Veeam Software explains that CIOs are becoming more selective about where they build for near-instant recovery.

“In my experience, they reserve sub-minute recovery targets for a small set of revenue-critical workloads, while using different recovery speeds for different systems across on-premises, cloud, and SaaS to avoid overspending across the full estate,” he elaborates.

He notes that practical failures often stem not from backups themselves but from “unclear priorities, hidden dependencies, and untested restore steps.”

Delinea’s APAC VP, Cynthia Lee, complements this by emphasising identity’s role: “The critical question during an incident isn’t only ‘can we restore the data?’ but ‘can we actually trust and access our systems once we do?’ Fast recovery depends heavily on how quickly an organisation can re-establish trusted access.”

She highlights resilient, isolated vaults for privileged credentials, decoupled from core environments, alongside just-in-time access to rebuild systems dynamically across hybrid setups—delivering speed without perpetual parallel environments.

This aligns with broader APAC trends, where Veeam research shows successful organisations recover up to seven times faster by prioritising verified, frequent backups and cloud transitions.

Making automated backup policies auditable and compliant

AI is enhancing backup policies, but governance remains paramount for auditability, bias mitigation, and data sovereignty compliance. Chua observes: “AI governance is increasingly about being able to explain what the system did, who approved it, and why.”

He references Singapore’s Monetary Authority of Singapore (MAS) tools for AI risk management and ASEAN’s AI Guide principles, stressing clear records of automated changes and override capabilities.

Lee advocates extending identity governance to AI processes: “If an AI system initiates a backup or moves data, that action must be governed and logged with the same rigour as if a privileged human did so.”

Delinea’s research reveals persistent gaps; their 2026 Identity Security Report (global survey of over 2,000 IT leaders) found nearly 90% of organisations report at least one identity visibility gap, with 80% unable to always explain non-human identity (NHI) privileged actions—echoing the transcript’s Singapore-specific findings of 86% unable to explain NHI actions and 93% reporting visibility gaps.

Lee adds that 58% of Singaporean organisations lack viable alternatives to standing privileged access for non-human identities.

ASEAN’s Responsible AI Roadmap (2025-2030) supports this by promoting secure data-sharing platforms and governance frameworks.

Immutable vaults under fire

Many organisations maintain immutable backups, yet fewer conduct full end-to-end recovery rehearsals. Chua states: “Many organisations now keep backup copies that attackers cannot easily change or delete, but fewer have rehearsed a full recovery from start to finish.”

Where practised, critical systems often restore in minutes to hours; complex cases involving identity can take days. Common surprises include unprepared admin accounts or recovery environments.

Lee that notes that advanced testing now simulates identity compromise: “Threat actors in this region… increasingly target credentials and privileged access as their primary entry point.”

"If those are exposed, even a well-designed backup environment becomes hard to trust during recovery. You're essentially asking, "Is this environment clean?", and not being able to answer confidently." Cynthia Lee

Organisations rebuilding identity systems from scratch with automated credential rotation and just-in-time access achieve faster, ransom-free recovery.

Veeam’s findings reinforce that only 10% of attacked organisations recover over 90% of data, underscoring the need for immutable, air-gapped, and tested backups.

Matthew Oostveen, VP & CTO for APJ at Everpure (formerly Pure Storage) predicts IREs will mainstream in APAC by 2026 as traditional backups prove insufficient against ransomware.

Sovereign means local data, global visibility

Data residency rules are intensifying in Southeast and East Asia. Chua highlights Indonesia’s cloud capacity growth, Malaysia’s National Cloud Computing Policy, and Thailand’s cloud-first approach.

He warns against fragmented one-off solutions: “CIOs are responding by keeping storage and recovery inside the country when regulations require it, while still managing protection with one set of rules and one reporting view across markets.”

Delinea’s Lee describes a unified identity security layer: “The data stays where local regulations require it, but governance of who can access it and when remains unified.” Calling it a key distinction: “You get a single audit trail, consistent access policies, and visibility across the whole environment.”

Major investments such as Thailand’s $2.7 billion approvals for data centres and cloud services underscore the push.

Identity resilience: The 2027 weakest link?

Identity systems are rising in priority for cyber recovery. Veeam’s Chua notes: “Identity can’t be treated as ‘secondary’ anymore: if user accounts, access rules, and key configuration records can’t be recovered cleanly, broader business recovery becomes much harder.” He urges prioritising identity alongside post-quantum cryptography preparation.

"The real-world issue is that identity is tightly connected to everything else, so if it isn’t recovered early and cleanly, restores can stall even when application data is available." Chee Pin Chua

Lee stresses urgency: “Systems like Active Directory and cloud IAM platforms underpin access to virtually everything else.” Non-human identities (NHIs) complicate matters: Delinea research indicates 59% of organisations (aligning with the transcript’s 58%) lack alternatives to standing privileged access for NHIs. She advocates zero standing privilege for trustworthy recovery environments.

Forrester’s 2026 APAC predictions add that over 90% of enterprises will prioritise post-quantum technologies amid “harvest now, decrypt later” threats.

A unified, resilient path forward

Asia’s 2025-2026 backup trends reveal a maturing practice: selective speed, identity-first governance, rigorous testing, sovereign compliance, and proactive AI integration.

As Chua and Lee illustrate, success lies in standardised processes, verifiable automation, and rehearsed recovery—ensuring organisations restore business-critical systems swiftly, securely, and without ransom.