Need some support?
We can help you review your current setup, highlight any gaps, and put practical steps in place to strengthen resilience over time.
By Martin Lewis, Head of Business Continuity Sales at Wavenet
Cloud has become the foundation of modern business operations, but resilience is often assumed rather than designed. This article challenges that assumption and helps you understand where hidden risks can emerge when everything sits in one place.
By the end, you will have a clearer view of:
More importantly, you will be able to assess how well your current approach would stand up under real disruption, and where you may need to strengthen your strategy.
Cloud technology has reshaped how organisations operate. It delivers flexibility, scalability and seamless collaboration, all while removing the burden of maintaining costly on-premises infrastructure. For many organisations we work with, cloud platforms are now the backbone of how their teams communicate, collaborate, and work, day to day.
However, there's a critical risk that's usually completely overlooked.
I often hear variations of this same assumption: "It's in the cloud, so it's covered." When systems, data, and access all sit within the same platform, it may feel inherently protected. The reality is that centralisation in the cloud creates a false sense of security.
Resilience is not built on where your workloads sit. It's built on how well you can respond and recover when something goes wrong.
Imagine starting your workday as usual. You log in, open your email, and nothing loads. Teams will not connect. Files you rely on every day are suddenly out of reach.
At first, it feels like a temporary issue. A refresh, a restart, a quick check with IT. But the issue does not resolve. Access is gone.
At that point, the question becomes very simple: what happens next?
This is something I explore regularly with customers. Most understand the theoretical risk, but fewer have worked through what it looks like in practice.
Cloud disruption is not a remote scenario. It can result from credential compromise, misconfigurations, cyber attacks, service outages, or even simple human error. When it happens, the impact is immediate.
For organisations reliant on platforms such as Microsoft 365, that can mean:
There is often an expectation that recovery will be straightforward. In reality, that depends entirely on the controls you have in place.
The shared responsibility model is a key consideration here.
Cloud providers are responsible for the underlying infrastructure, but responsibility for your data, access, and recovery sits with you.
If recovery has not been planned properly, it can take longer than expected, be only partially successful, or in some cases result in permanent data loss.
"Cloud providers are responsible for the underlying infrastructure, but responsibility for your data, access, and recovery sits with you."
Many organisations rely on built in backup and recovery features and assume they provide complete protection. They are useful, but they are not designed to cover every scenario.
In my experience, this often only becomes clear after an incident or a near miss.
Common gaps include:
The underlying issue is dependency. If your production environment and your backup sit in the same place, they are exposed to the same failure.
To reduce that risk, organisations need to introduce separation. This is where a structured approach to backup becomes essential.
| Key consideration when assessing backup resilience | Native cloud backup | Structured backup |
| How it fits into your overall cloud resilience strategy | Commonly assumed to be sufficient because it is built into the platform | Deliberately designed as part of a wider resilience, recovery, and business continuity approach |
| Level of dependency on a single cloud platform | Fully dependent on the same platform for both production and backup | Reduces dependency by introducing independent and off platform copies |
| Ability to recover if the cloud platform becomes unavailable | Limited, as recovery relies on access to the same environment | Strong, with the ability to recover data outside of the primary cloud environment |
| Protection against human error, deletion, and malicious activity | Basic safeguards that may not fully protect against insider threats or deliberate deletion | Greater protection through isolated and immutable backups that are not exposed to the same risks |
| Flexibility of retention and ability to meet compliance requirements | Often restricted to fixed policies that may not meet business or regulatory needs | Fully configurable to align with compliance, governance, and long-term retention requirements |
| Speed and precision of data recovery | Can be slower and less granular, particularly for specific file or workload recovery | Designed for fast, granular recovery across files, applications, and entire environments |
| Separation between live data and backup copies | No true separation, increasing the risk of a single point of failure | Clear separation across environments, reducing overall risk exposure |
| Impact on operations during a disruption or outage | Higher risk of prolonged downtime due to limited recovery options | Enables faster recovery and alternative access paths, reducing operational disruption |
| Level of control over backup and recovery processes | Limited control, governed by provider capabilities and policies | Full control over how data is backed up, stored, accessed, and restored |
| Contribution to wider business continuity and resilience | Supports basic recovery, but does not address broader continuity needs | Forms a critical part of a complete resilience strategy alongside cyber security and continuity planning |
"The underlying issue is dependency. If your production environment and your backup sit in the same place, they are exposed to the same failure."
One of the most effective ways to address this challenge is by adopting the 3-2-1 backup rule, a widely recognised framework for improving data resilience.
It's built on three simple principles:
It's not a new concept, but it remains one of the most reliable ways to reduce risk.
The organisations that get this right assume disruption will happen and plan their recovery accordingly.
If your cloud platform becomes unavailable, having an independent copy of your data fundamentally changes your position. It means you are no longer dependent on recovering from within a compromised or unavailable environment.
Without that separation, your recovery options narrow very quickly.
"The organisations that get this right assume disruption will happen and plan their recovery accordingly."
A resilient backup strategy is essential, but it's only part of the picture.
Backup supports recovery, but it does not ensure continuity. This is where business continuity planning becomes critical.
A strong business continuity strategy builds on your backup approach and answers the questions that matter most when disruption occurs:
Without clear answers, recovery becomes reactive rather than controlled. True resilience is about maintaining operations while recovery is in progress, not simply restoring them afterwards.
Cloud adoption should be viewed as the starting point of your resilience strategy, not the end of it. A resilient approach focuses on security, recovery, and continuity, not just day to day performance.
When we work with organisations on this, it typically comes down to strengthening three areas.
Reducing the likelihood of disruption is always the first step. A layered approach to cyber security helps prevent incidents and limit their impact.
This includes:
The goal is not just to stop attacks, but to minimise exposure and reduce potential damage.
Resilience depends on your ability to access data that is not affected by the same incident as your primary systems.
An independent backup strategy aligned to the 3-2-1 approach ensures:
This transforms backup from a reactive measure into a core resilience capability.
Recovery is critical, but so is what happens in the meantime.
Business continuity planning ensures your organisation can continue operating during disruption.
This includes:
Without this, even short outages can have significant operational and financial impact.
Cloud platforms remain one of the most powerful enablers of modern business. They drive productivity, collaboration, and growth. But convenience should never be mistaken for resilience.
The organisations that are best prepared are those that recognise a simple truth: if everything sits in one place, everything can be impacted at once.
By introducing separation through independent backups, strengthening cyber security, and planning for continuity, you remove that single point of failure and regain control.
Taking this proactive approach puts you in the best position to withstand disruption, protect your data, and recover with confidence.
When reviewing your cloud strategy, working with an experienced managed service provider can help strengthen your approach to cyber security, backup, and business continuity. The right partner should bring proven frameworks, recognised standards, and practical experience, helping you build resilience without adding unnecessary complexity.
"The organisations that are best prepared are those that recognise a simple truth: if everything sits in one place, everything can be impacted at once."
Martin Lewis is Head of Business Continuity Sales at Wavenet, bringing more than 29 years of experience across the IT industry. His career spans vendors, distributors, resellers, and managed service providers, giving him a broad, practical understanding of how organisations approach risk and resilience.
At Wavenet, Martin leads a team of specialists focused on helping organisations strengthen their business continuity and disaster recovery strategies. He works closely with customers to ensure solutions not only meet governance and compliance requirements but stand up to real-world disruption.
We can help you review your current setup, highlight any gaps, and put practical steps in place to strengthen resilience over time.