---
id: "claim-backups-defeat-ransomware"
type: "claim"
source_timestamps: ["¶11"]
tags: ["ransomware", "data-backup"]
related: ["concept-data-architecture-for-security", "action-architect-data"]
confidence: "high"
testable: true
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-sig-57-smb-cyber-risk"
sourceUrl: "https://hbr.org/2026/06/ai-is-changing-cyber-risk-heres-how-smbs-can-respond"
sourceTitle: "AI Is Changing Cyber Risk. Here’s How SMBs Can Respond."
---
# Comprehensive data backups negate the need to pay a ransomware demand

**Claim:** Maintaining comprehensive backups of organizational data removes the leverage hackers have during a ransomware attack, eliminating the need to pay to regain access to tied-up data. This is the first pillar of [[concept-data-architecture-for-security]] and is executed via [[action-architect-data]]. Understanding it requires [[prereq-ransomware-mechanics]].

**Source confidence:** high. **Testable:** yes.

> [!warning] Enrichment validation — PARTIALLY CORRECT BUT OVERSIMPLIFIED
> When backups are current, tested, immutable/offline, and uncompromised, organizations can often restore without paying — this is directionally correct and greatly reduces the incentive to pay. **But** modern ransomware combines encryption with *data theft and extortion* (double/triple extortion): attackers threaten to leak or sell exfiltrated data, which backups do **not** prevent, and some campaigns target or corrupt the backups themselves if backup environments are not segmented and protected. Backups negate the *availability* leverage, not the *confidentiality/reputational* leverage. Pair backups with data minimization, segmentation, strong access control, and legal/PR planning.
