With cyber threats rising and compliance standards tightening, South African organisations are under growing pressure to revisit their data protection strategies.

According to Obsidian Systems, a supplier of open-source solutions, and global SaaS backup provider HYCU, the era of treating backups as a box-ticking exercise is over.

“Backups only matter if you can recover fast and reliably,” says Muggie van Staden, CEO of Obsidian Systems. “Resilience today must encompass both backup and recovery. Whether you are a bank, retailer, or healthcare provider, you need to assume that one day your systems will fail. Your backup strategy determines whether that failure becomes a disaster.”

 

The 3-2-1 rule still applies, but it’s no longer enough

The long-standing backup best practice of maintaining three copies of data, on two different media, with one stored offsite (the “3-2-1 rule”) still holds, but in an era of cloud-native workloads and SaaS sprawl, it is getting harder to implement.

“South African organisations are no longer just protecting data in on-prem data centres. You have got workloads in hybrid clouds, multiple SaaS environments, and a growing use of AI workloads that did not exist five years ago. Your backup strategy needs to reflect that reality,” adds van Staden.

 

A changing threat landscape

It is not just about accidental deletion or server failure anymore. Simon Taylor, founder and CEO of HYCU, says cyberattacks have fundamentally changed the role of backup.

“Criminals are going after your backup infrastructure first, because they know it is your last line of defence. We have seen a rise in attacks targeting not just virtual machines, but entire SaaS environments and even supply chains. You cannot rely on SaaS vendors alone to protect your data. The responsibility lies with the business,” says Taylor.

To stay resilient, organisations should:

  • Automate backups across cloud, SaaS, and on-prem workloads.
  • Keep backups isolated from production environments.
  • Use immutable, off-site storage that cannot be tampered with.
  • Regularly test recovery processes through drills, not assumptions.

 

AI workloads add a new layer of risk

As South African organisations begin integrating AI into daily operations, a new challenge is emerging: how to protect the infrastructure that powers it.

“AI is not just a buzzword anymore. From vector databases to machine learning models, these are now business-critical assets. But they are often deployed quickly without proper resilience planning. The risk is that you enhance your services through AI but fail to protect the infrastructure it relies on,” adds van Staden.

Taylor agrees, adding that AI is also transforming how backups are managed.

“Automation and AI are helping IT teams scale their backup posture without adding complexity. But at the same time, we need to safeguard AI systems themselves. That includes their data pipelines, configurations, and compute environments.”

 

Compliance is closing in

Both leaders emphasise the growing influence of regulation on backup and recovery strategies. In the EU, DORA (Digital Operational Resilience Act) is setting new standards for financial entities. Locally, the Financial Sector Conduct Authority’s Joint Standard on Cybersecurity & Cyber Resilience reflects a similar shift toward mandatory resilience testing.

“This has become a compliance issue. If your backups are not tested and your recovery timelines are not clearly defined, you may not be compliant under emerging cybersecurity regulations,” says van Staden.

 

A mindset shift is needed

For both HYCU and Obsidian, the message is clear: backup is not a support function. Rather, it is a strategic pillar of business continuity, brand trust, and operational survival.

“Backups are your final line of defence. But they can also be your first line of resilience if you build them right,” says Taylor.

Obsidian and HYCU continue to partner closely to bring advanced, scalable, and tamper-proof backup and recovery capabilities to South African enterprises navigating increasingly complex IT landscapes.