
Outdated Software – A Ticking Bomb in Backups

Updating software is one of the simplest and most effective ways to protect data. Unfortunately, many companies postpone or ignore this task.

In recent months, many vulnerabilities have been discovered and actively exploited in storage and backup solutions. These include tools such as Veeam Backup & Replication, MinIO, Veritas Backup Exec, Arcserve UDP, Rubrik CDM, Nakivo, QNAP QuTS Hero OS, and Pure Storage FlashArray and FlashBlade. Notably, some of the vulnerabilities in the latter were rated as a CVSS 10—requiring immediate action. Yet many companies still don’t take update warnings seriously.

Protecting sensitive and confidential data is a top priority for most CIOs. TLS encryption for internet-transmitted messages, AES-256 for data at rest, multi-factor authentication, and zero trust policies are commonly used. However, regular software updates and patching vulnerabilities are discussed far less. Experts agree that outdated software is a ticking bomb. Hackers closely monitor security patch release dates to exploit vulnerabilities in older system versions. Many users fail to follow vendor recommendations or delay updates, creating ideal attack conditions. The best-known example is WannaCry, one of the largest ransomware attacks in history. In May 2017, it infected over 300,000 computers in 99 countries, despite Microsoft releasing a patch two months earlier.

Think of software updates like car maintenance—even the best vehicle will break down without regular oil changes, and worn brake pads will eventually damage the braking system.

Similarly, not updating applications will sooner or later lead to data security breaches and reduced performance. For businesses handling sensitive customer data—such as accounting firms or financial institutions—this could mean financial losses, reputation damage, or even bankruptcy. According to research by NinjaOne, 57% of data breaches could have been prevented with regular updates.

Hitting the Last Line of Defense

While there has been progress in updating OSes and antivirus tools, storage systems and backup software are still neglected. Why? For years, backups weren’t a primary target for hackers. That changed with the rise of ransomware. IDC reports that over half of ransomware attacks target backup systems, and 60% succeed. Veeam’s 2024 Ransomware Trends Report reveals that backup repositories are attacked in 96% of cases, and cybercriminals successfully interfere in 76% of them.

Hackers know that backups are a company’s last resort. That’s why they increasingly encrypt or delete them—limiting recovery options and forcing victims to pay ransoms. Compromising backups threatens business continuity. And ransomware attacks aim not just for extortion, but also to disrupt operations and cause financial harm. Victims with compromised backups are in a weaker negotiation position. According to Sophos, companies whose backups were encrypted paid on average twice as much—a median ransom of $2.3M vs. $1M for those with intact backups.

Ransomware uses various infection vectors: phishing, remote access (RDP), and exploiting software vulnerabilities—often due to missed updates. Whether it’s a backup application or an operating system, unpatched software is a gateway. For example, Veeam CVE-2024-40711 was exploited by groups like Monti and Yanluowang. Similarly, CVE-2023-27532 was used by EstateRansomware to attack corporate environments.

Real-world impact stories stick

Example: In 2023, a mid-sized logistics firm lost all customer data after its backup server running an outdated version of Nakivo was compromised. Despite having backups, the encryption rendered recovery impossible—and the company paid over $1.5M in ransom.

Updating Backup Software = More than Just Security

The backup and disaster recovery (DR) market is evolving rapidly. Vendors regularly release new solutions or update existing ones. While security is key, it’s not the only reason to stay current. Over time, backup tools become incompatible with newer OSes, hardware, and applications.

Updated backup software often includes performance improvements—faster backups and restores, better resource usage, and support for large datasets. These enhancements reduce downtime and boost operational efficiency. Updates may also bring new data recovery features, like instant VM recovery or cross-platform restores.

While backup expenses can be high, proper updates can help reduce costs. New versions often include deduplication, compression, and other optimizations—cutting storage needs and data transfer times. This reduces storage expenses and speeds up backup processes, lightening the load on IT infrastructure.

Another major challenge for IT departments is regulatory compliance. Many industries are bound by strict data protection laws. Updated backup software often includes features that support compliance—such as data retention policies, audit logs, and reporting capabilities.

Summary Table

Threat Factor                         | Impact                        | % of Cases
--------------------------------------|-------------------------------|-----------
Backup targeted in ransomware         | High data loss risk           | 96%
Successful attack on backup           | Company forced to pay ransom  | 76%
Data breaches preventable by patching | Could have been avoided       | 57%

A Dozen Security Gaps on Average

The average enterprise storage or backup device has 14 security vulnerabilities, including three rated as high or critical. These findings come from Continuity’s State of Storage and Backup Security Report 2023, based on an analysis of 245 environments covering 8,589 devices from vendors like Dell, NetApp, Veritas, and Hitachi Vantara. Most participating organizations were in banking, but also included healthcare, telecom, and IT services.

Properly securing storage systems will soon be a core component of organizational cyber resilience strategies. Business users should not only wait for vendor updates but also adopt proactive practices, such as vulnerability scanning. That’s why interest is growing in Application Security Posture Management (ASPM) tools, which provide real-time system security monitoring. Industry regulations increasingly require automated vulnerability management. For instance, PCI DSS v4.0 mandates the use of automated vulnerability scanning tools.

In short, protecting storage and backup systems is no longer just about security—it’s also about compliance and operational efficiency.

Practical Checklist: How to Secure Your Backup Systems Today

  • Audit all backup and storage software versions ✅
  • Apply the latest vendor patches and security updates ✅
  • Implement multi-factor authentication for backup access ✅
  • Regularly test backup restore procedures ✅
  • Enable immutability and encryption ✅
  • Use vulnerability scanners on backup infrastructure ✅
  • Isolate backup systems from the main production environment ✅
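One way to carry out the first two checklist items (audit versions, then find what still needs patching), as an added example that is not Storware's code: a small version audit that compares every inventory entry against a per-product minimum patched version and flags nodes that cannot be assessed. The inventory lines and the minimum versions are constructed placeholders, not real advisory data; take the real fixed versions from each vendor's advisory.

```python
"""Audit a backup/storage inventory for outdated software (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed inventory: one "host,product,version" line per backup/storage node.
INVENTORY = """\
bkp-01,Veeam Backup & Replication,12.1.2.172
bkp-02,Veeam Backup & Replication,12.2.0.334
obj-01,MinIO,RELEASE.2024-01-01T00-00-00Z
nas-01,QNAP QuTS hero,h5.1.5
nas-02,QNAP QuTS hero,
arc-01,Arcserve UDP,9.1
"""

# Constructed minimum patched versions: placeholders, NOT taken from any advisory.
MIN_PATCHED: Dict[str, str] = {
    "Veeam Backup & Replication": "12.2.0.0",
    "MinIO": "RELEASE.2024-06-01T00-00-00Z",
    "QNAP QuTS hero": "h5.2.0",
    "Arcserve UDP": "9.2",
}


def version_key(version: str) -> Tuple:
    """Split a version string into comparable chunks: numeric runs compare as
    integers, alphabetic runs as lower-case text, so '12.1.2.172' < '12.2.0.0'
    and 'h5.1.5' < 'h5.2.0' without a string comparison mistaking '9' > '12'."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def audit(inventory: str, minimums: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, product, finding) for every node that needs attention.
    A missing version or a product with no baseline is reported too, because
    'unknown' is not the same as 'patched'."""
    findings = []
    for line in inventory.strip().splitlines():
        host, product, version = (f.strip() for f in line.split(",", 2))
        if not version:
            findings.append((host, product, "version unknown: cannot assess"))
        elif product not in minimums:
            findings.append((host, product, "no minimum version defined"))
        elif version_key(version) < version_key(minimums[product]):
            findings.append((host, product, f"{version} < {minimums[product]}: patch required"))
    return findings


if __name__ == "__main__":
    for host, product, finding in audit(INVENTORY, MIN_PATCHED):
        print(f"{host:8} {product:28} {finding}")
```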

Consequences of Not Updating Backup Software

  • Increased risk of cyberattacks – unpatched systems are open doors for hackers to access sensitive data and critical resources.
  • Decreased system performance – outdated software often runs slower, driving up operational costs.
  • Incompatibility with new technology – older apps may not work with modern hardware or OSes, causing functionality issues.
  • Regulatory non-compliance – many industries have strict data protection laws. Using outdated software can result in fines or loss of certification.

Updating your backup software isn’t just a matter of maintenance—it’s a critical element of business continuity, compliance, and cybersecurity resilience. Don’t let outdated tools be your weakest link.

text written by:

Paweł Piskorz, Presales Engineer at Storware