Security is only as good as the weakest link. If you have some idiot in front of a keyboard opening an infected website or email that is carrying a so far unseen malware there isn't a lot you can do.
User training is almost more important than the actual electronic security systems.
The one thing I don't understand is how the backups got deleted. That the currently running backup job / the just finished backup job got deleted before the media was taken offline I could understand, unlucky, but possible.
But the first rule of backups is that they are offline when not being actively backed up to or restored from. You should also rotate your backup media.
Our backup rotation is pretty much the simplest you can get, 4 daily sets of backup media and 4 weekly backup sets, with monthly and annual backups stored off site.