Backup, archive and secondary data used to sit largely inside the operational domain of IT. That was understandable when much of the business record still existed elsewhere: in paper contracts, printed correspondence, filing cabinets, local document stores and physical archives. Today, that assumption is far less safe. Many organisations now conduct core business almost entirely through digital channels, from electronic signatures and email to Microsoft 365, cloud applications, collaboration platforms and online customer records.

This shift has changed the role of backup infrastructure. Backup repositories are not just copies of systems; in many cases, they are the only recoverable record of commercial activity, customer interaction, contractual evidence and operational history. If that information is unavailable, corrupted, deleted or held inside a failed service environment, the impact is no longer limited to IT. It can affect continuity, compliance, customer service, legal position and executive accountability.

For UK companies, the reassessment is not only about storage technology. It is about where recovery data resides, who controls it, how quickly it can be restored, whether it is protected from deletion or compromise, and whether it remains governed in line with UK regulatory and operational expectations.

Digital business has weakened the old paper fallback

The decline of paper-based administration is one of the least glamorous but most important changes behind modern backup strategy. Physical filing cabinets, faxed documents, document vaults and paper correspondence once provided a partial fallback when systems failed. That fallback has largely disappeared. Contracts are signed electronically, board papers are distributed digitally, invoices are generated through finance systems, staff communicate through Teams and email, and customer records sit in SaaS applications.

This makes backup and archive design more strategically important. If a cloud file store, Microsoft 365 tenant, finance platform or document management system is disrupted, there may be no parallel paper process to fall back on. The archive is not simply an efficiency tool; it is part of the company’s institutional memory.

This also changes the expectations placed on recovery. It is not enough to know that data existed somewhere. Companies need confidence that records can be restored in a usable form, within a meaningful timeframe, and with enough integrity to support audit, legal, regulatory and operational requirements.

Storage economics are becoming harder to ignore

For much of the last two decades, storage planning benefited from falling cost per terabyte. Disk capacities rose, cloud storage became easier to consume, and retaining more data often appeared cheaper than making difficult decisions about retention, deletion and archive tiers. That period encouraged many organisations to keep more information for longer, sometimes without a clear view of the long-term cost profile.

The economics are now more complicated. Data volumes continue to grow, backup sets multiply across production, SaaS, endpoint, archive and recovery environments, and AI infrastructure demand is placing pressure on storage supply chains. In 2026, industry reporting has pointed to rising hard disk prices and stronger demand from AI data centre workloads, with Western Digital and Seagate both benefiting from AI-related storage demand. DIGITIMES reported that HDD contract prices rose after fourth-quarter 2025 negotiations, while analysts have also cited strong AI data centre demand as a factor in storage market pressure.

This matters because secondary data often grows faster than production data. Backup environments may contain daily, weekly and monthly recovery points, replicated copies, archive sets, immutable copies and SaaS backups. Cloud storage can look inexpensive at first glance, but retention periods, replication, retrieval, API calls, egress charges and long-term archive growth can change the business case. The Unitrends State of Backup and Recovery Report 2025 found that cloud cost optimisation was the most frequently cited challenge among respondents, underlining that backup economics are now a practical infrastructure concern rather than a procurement afterthought.

The lesson is not that cloud backup is too expensive or that on-premises storage is preferable. The lesson is that storage strategy needs financial design. Companies need to understand which data requires rapid recovery, which data belongs in archive, which copies need immutability, and which workloads justify local, hosted or cloud-based storage.

Remote working and better connectivity have changed backup location decisions

Hybrid and remote working have weakened the logic of office-centric backup design. When users, applications and business processes were concentrated in a single building, it made sense for companies to run local file servers, tape libraries or office-based backup appliances. That model is harder to justify when staff, applications and operational dependencies are distributed.

Connectivity has also improved. Ofcom’s Connected Nations 2025 report stated that full fibre was available to 78% of UK residential premises and 78% of SMEs, while gigabit-capable broadband reached 87% of UK residential premises. Ofcom’s Spring 2026 update then reported gigabit-capable availability at 89% of UK homes. These figures do not mean every business has enterprise-grade connectivity, but they do show why off-site replication, hosted backup repositories and local data centre recovery targets are more realistic than they were when many legacy backup architectures were designed.

For some companies, this supports a move from office-based storage to local data centre backup, managed backup platforms or cloud-connected repositories. A local UK data centre can provide physical separation from the office while avoiding some of the latency, sovereignty and concentration concerns associated with storing all recovery data in a hyperscale cloud environment. For MSPs and regional IT providers, this creates a practical middle ground: recovery data can be moved off customer premises without forcing every workload into a global public cloud model.

Tape, office arrays and simple file stores still have limits

Tape still has a role. It can be useful for long-term retention, offline storage and archive use cases where rapid recovery is not the primary requirement. Local disk arrays and backup appliances also remain useful where fast local restore is important. The issue is not that these technologies are obsolete. The issue is that relying on them alone can create avoidable exposure.

Office-based backup infrastructure may be affected by the same site-level incident as production systems. Fire, flood, theft, power loss, physical access restrictions or local infrastructure failure can affect both primary systems and local recovery copies. That is why many companies are now separating backup storage from the office environment, either through secondary sites, local data centres, managed backup services or cloud storage targets.

Simple file synchronisation platforms also need careful treatment. Dropbox, Google Drive, OneDrive and similar services are effective collaboration tools, but synchronisation is not the same as backup. If a file is deleted, encrypted, overwritten or corrupted and that change synchronises across devices, the company may still need an independent recovery copy. Version history and recycle bins can help in some scenarios, but they do not replace a governed backup and archive strategy.

Backup platforms have evolved because storage targets have changed

The backup industry provides a useful signal of where infrastructure strategy is going. Veeam, Commvault, Veritas and Acronis have all moved beyond traditional assumptions built around local disk and tape. Modern backup platforms commonly support cloud repositories, immutable storage, SaaS backup, object storage targets and geographically separate recovery copies.

Object storage is a big part of this shift. Veeam supports S3-compatible object storage as a repository and allows object storage immutability to prevent deletion for defined periods. Commvault supports WORM and object-lock style immutability for cloud storage environments. Veritas NetBackup also supports immutable S3 storage for backup and restore workflows. These developments matter because they show object storage moving from a developer or cloud-native topic into mainstream backup architecture.

For UK infrastructure leaders, the practical point is simple: storage targets are no longer passive capacity pools. They now influence ransomware resilience, recovery independence, cost control, archive design and supplier choice. Backup software has adapted because customers want more control over where recovery data is stored, how it is protected, and whether it can survive compromise of the primary environment.

Cyber incidents have made recovery design a board-level issue

Cyber resilience has become one of the strongest reasons to reassess backup architecture. The UK Government’s Cyber Security Breaches Survey 2025/26 reported that 43% of businesses and 28% of charities identified a cyber breach or attack in the previous 12 months. Ransomware affected a smaller share, equating to 1% of all businesses and charities, but the operational consequences can be severe when it does occur.

Recent UK incidents have reinforced this point. Marks & Spencer suffered major operational and financial disruption following its 2025 cyber attack, with the company later reporting that the incident cost £324 million in lost sales. Co-op also experienced a cyber attack in 2025, with Reuters reporting a £206 million revenue hit and a £108 million cost. Jaguar Land Rover experienced a major cyber incident in late August 2025, with the Cyber Monitoring Centre stating that the incident led to an IT shutdown and halted manufacturing operations at major UK plants including Solihull, Halewood and Wolverhampton.

These incidents are relevant to backup strategy because they show how digital disruption can affect operations, supply chains, customer service and financial performance. A backup policy that looks adequate during routine testing may be insufficient during a live incident if recovery systems depend on compromised credentials, inaccessible management tools, unavailable cloud services or repositories that attackers can alter.

Immutability, backup-of-backups and recovery independence

Immutability has become central to modern backup design because attackers often target recovery environments as well as production systems. Immutable backup storage is designed to prevent data from being altered or deleted for a defined period. This does not remove the need for good access control, monitoring or testing, but it gives organisations a stronger recovery position if an attacker gains administrative access or if an operational mistake deletes backup data.

Many companies protect production systems but give less attention to the backup platform itself. Backup catalogues, configuration data, encryption keys, metadata and repository indexes can all be critical during recovery. If a backup server is corrupted, misconfigured or deleted, the organisation may still have data but lack the practical ability to restore it quickly.

Recovery independence is therefore broader than simply having more than one copy. It means ensuring that recovery data, management access, administrative credentials, supplier dependencies and operational procedures are not all tied to the same failure domain. A stronger design may include immutable repositories, separate administrative controls, independent backup copies, tested restore paths and recovery documentation that remains accessible during an incident.

Microsoft 365 has changed what organisations need to protect

Microsoft 365 has created a new category of backup challenge because it now contains business-critical information that once sat across email servers, file shares, intranets and local document stores. Exchange Online, SharePoint, OneDrive and Teams often contain contracts, project records, HR documents, financial correspondence, operational decisions and customer information.

Microsoft operates the platform, but customers still need to think carefully about their own data protection responsibilities. Microsoft’s Services Agreement states that online services may suffer disruptions or outages and recommends that users regularly back up content and data stored on the services. Microsoft’s own Microsoft 365 Backup best-practices material also discusses backup and restore in the context of a shared responsibility model.

This distinction is important for governance. Retention policies, recycle bins, legal holds and platform availability are not the same as independent backup. Organisations may need point-in-time recovery, granular restore, protection against malicious deletion, protection from accidental policy changes and separate copies outside the Microsoft 365 environment. For many UK companies, Microsoft 365 backup is now part of resilience planning rather than an optional IT add-on.

AI adds another reason to retain recoverable versions

AI adoption is adding a newer dimension to backup and retention. As AI tools and agents begin to generate, modify, classify and act on business data, organisations need ways to reverse incorrect or destructive changes. This is not theoretical. Veeam’s 2026 Agent Commander messaging explicitly refers to detecting AI risk and undoing AI mistakes, including restoring affected records, files or mailbox items without rolling back everything else.

For business leaders, the point is not that AI will inevitably damage data. The point is that automation increases the importance of version history, auditability and selective recovery. If an AI-assisted workflow misclassifies records, deletes content, changes structured data or corrupts a document set, organisations may need more than a traditional disaster recovery plan. They may need precise rollback capability across files, records, SaaS data and metadata.

This reinforces the value of backup architecture that supports granular recovery, clean restore points and protected historical versions. AI does not replace the ransomware argument; it adds another reason to design recovery around trustworthy data states.

Concentration risk is not the same as cloud risk

Public cloud providers remain essential to many infrastructure strategies. They offer scale, automation, geographic reach, operational maturity and commercial flexibility that many organisations could not build alone. The risk discussion should therefore avoid simplistic anti-cloud arguments.

The more serious issue is concentration risk. If production systems, replicated data, backup copies, administrative control and recovery processes all depend on one provider or one account structure, the organisation may have redundancy without true independence. The UniSuper incident involving Google Cloud made this distinction clear. Google Cloud stated that an incident affected UniSuper’s Google Cloud VMware Engine private cloud service, and reporting at the time noted that UniSuper’s deletion affected geographically redundant copies inside the same provider environment.

The important lesson is that cross-region replication protects against some regional failures, but it may not protect against provider-level administrative failure, account deletion, systemic misconfiguration or loss of access to the cloud control plane. UniSuper avoided permanent data loss because it had backups available outside the affected Google Cloud environment.

For UK infrastructure leaders, the practical test is whether recovery remains possible if the primary provider, account, identity system or management plane is unavailable. In some cases, the answer may still be a hyperscale design with careful controls. In others, organisations may choose an independent backup provider, local UK data centre target, sovereign cloud environment or managed recovery service to reduce dependency on a single platform.

Governance, retention and sovereignty now apply to secondary data

Governance teams have long scrutinised production systems, but backup and archive repositories can contain the same personal, confidential and regulated information. That makes secondary data part of the governance perimeter. UK organisations handling legal, financial, healthcare, public-sector, education or commercially sensitive information need to know where backup data is physically hosted, who operates the infrastructure, who can access it, and whether any international transfer or remote access considerations arise.

The ICO updated its guidance on international transfers in January 2026, with checklists to help organisations identify restricted transfers. Legal commentary on the updated guidance has also noted that making personal data available to an overseas organisation, including by remote access, can be relevant to transfer analysis. This does not mean all cloud storage outside the UK is unsuitable. It does mean that organisations should understand data location, access rights, supplier structure and contractual safeguards.

The UK Government’s Cyber Governance Code of Practice also reinforces the board-level nature of cyber risk. It was created to support boards and directors in governing cyber security risks and sets out critical governance actions directors are responsible for. Backup, archive and recovery infrastructure belong in that conversation because they determine how the organisation can recover, evidence compliance and continue operating after a serious incident.

What this means for UK infrastructure strategy

The reassessment of backup, archive and secondary data is creating practical choices for UK organisations and MSPs. Some will continue using tape for specific archive workloads. Some will adopt hyperscale cloud backup. Some will use local data centres as off-site recovery targets. Some will combine managed backup, object storage, immutable repositories and Microsoft 365 backup into a layered model.

The best answer will vary by recovery time objective, recovery point objective, data sensitivity, budget, governance requirements and operational capability. What matters is that backup storage is no longer treated as anonymous capacity. Its location, independence, cost model, immutability, software integration and supplier governance all shape resilience.

This is also where UK hosting and infrastructure providers have a relevant role. A UK-operated data centre or sovereign cloud environment can provide an off-site backup location while supporting UK data residency, clearer operational accountability and proximity for recovery. For organisations that do not want all recovery data held in a hyperscale cloud account, local data centre backup and managed recovery services provide an alternative worth considering.

Conclusion

UK organisations are reassessing backup, archive and secondary data because the business record has moved decisively into digital systems. Paper fallbacks have weakened, Microsoft 365 and SaaS platforms hold critical information, cyber incidents can disrupt entire operating models, storage costs are under renewed pressure, and governance scrutiny now extends beyond production environments.

This is not a narrow technical debate about one storage format. Object storage, tape, disk, cloud backup, local data centres and managed services can all have valid roles. The strategic issue is whether backup and archive infrastructure remain recoverable, independent, governed and economically sustainable.

For infrastructure leaders, the strongest designs will be those that treat secondary data as part of resilience architecture. That means understanding where it is stored, how it is protected, who controls it, how it can be restored, and whether it remains available when the primary environment is compromised or unavailable.