Gulf enterprises face the resilience gap ransomware is exposing

When ransomware hits a Gulf enterprise, the first question from leadership is usually the same: Are our backups intact? For a growing number of organisations across the region, the answer is yes – but it is not enough.

Research by DataNumen found that 69% of ransomware victims believed they were adequately prepared before an attack. After the incident, however, that confidence dropped by more than 20 percentage points. The gap is not a technology failure; it is a planning failure – and one that Gulf enterprises are increasingly confronting.

The regional exposure makes the stakes concrete. According to Microsoft’s Digital defence report, the United Arab Emirates (UAE) ranked ninth globally and second in the Middle East and Africa in terms of the frequency with which customers were affected by cyber activity in the first half of 2025. Saudi Arabia ranked fifth in the region.

Cyber security firm Cyble recorded more than 90 unique entries on dark web data leak sites linked to Gulf-based organisations in the same period, spanning oil and gas, aviation and healthcare. Sophos data shows that UAE organisations pay 92% of ransom demands – above the global average of 85%.

That payment rate points to a deeper problem. Eliad Kimhy, senior security researcher at Acronis, says enterprises often invest seriously in backup infrastructure without ever testing a full recovery under realistic conditions.

“What they haven’t done is simulate the actual recovery scenario, restoring production systems from backup while the environment is partially compromised, under time pressure,” he said.

Backup jobs that reported success turn out to have excluded critical system states. Recovery procedures that looked straightforward on paper turn out to require dependencies nobody documented.

The architecture problem runs deeper than testing discipline. Modern ransomware operators target backup repositories directly. Organisations that have not isolated their backups, verified restoration integrity and confirmed that backup systems sit outside the blast radius of a compromised domain discover this at the worst moment.

Only 10% of ransomware victims recovered more than 90% of their data, according to Veeam’s Ransomware trends report, a figure that holds even among organisations with formal backup programmes.

Fred Lherault, field chief technology officer for EMEA and emerging markets at Everpure, believes the core assumption needs to be revisited. “The biggest misconception is that many organisations still believe that having backups automatically means they are recoverable within an acceptable timeframe,” he said.

The shift Lherault describes is architectural: traditional backup infrastructure was built for isolated outages and operational errors, not enterprise-wide cyber disruption. More resilient environments are moving towards immutable snapshots on primary storage and isolated recovery environments where clean data can be validated independently from a compromised network.

Regulatory direction in the region is reinforcing that shift. Saudi Arabia’s Essential Cybersecurity Controls explicitly require organisations to demonstrate the ability to rapidly recover data and systems following a cyber incident and mandate periodic testing of backup recovery effectiveness, thereby moving recoverability from an internal IT assumption to a documented compliance obligation.

The UAE Cabinet’s approval of a National Cybersecurity Strategy in February 2025 placed further emphasis on resilience as a national priority, signalling that recovery capability will face increasing scrutiny at both the enterprise and government levels.

The question Gulf IT leaders need to answer is no longer whether their data is backed up. It is how long it takes to restore a critical system under real conditions, and whether anyone has tested that assumption before an incident forces the answer.

Source: Computerweekly News