Backups and Security in 2026

Published by
WINMAG Pro Editorial Team
Wed, 18 February 2026, 00:45

Virtually every organization makes backups. Yet, it often turns out during incidents that recovery is not possible. This is rarely because there is no backup software present, but because processes and controls are lacking.

Backups are not systematically covered by security controls or tested, retention settings are often misconfigured, or administrator accounts are inadequately protected. In ransomware scenarios, we also see that attackers target the backup environment first. Without immutability or separate storage, the backups are encrypted or deleted as well.

The focus therefore shifts from "we make backups" to "we can demonstrably recover".

The 3-2-1 Rule as a Foundation

Despite all technological developments, the classic 3-2-1 rule remains relevant. Organizations maintain multiple copies of their data on different media, with at least one copy located offsite. In modern infrastructures, this typically means a combination of primary storage, local disk-based backup, and an external (often cloud-based) copy.

Increasingly, an additional layer of security is added in the form of immutable storage. Here, backups cannot be modified or deleted during a predetermined retention period, even with elevated privileges. This makes it significantly more difficult for attackers to disable recovery options.
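The rule and the immutability layer described above can be checked mechanically against an inventory of copies. The following is an added example, not part of the original article; the copy names, the inventory fields and the 14-day minimum lock window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                           # "disk", "object-storage", "tape", ...
    offsite: bool
    immutable_until: Optional[datetime]  # retention-lock expiry; None = no lock

def audit_321(copies, now, min_lock=timedelta(days=14)):
    """Return findings; an empty list means 3-2-1 plus immutability is met.
    min_lock is an assumed policy value, not a figure from the article."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than 3 copies")
    if len({c.media for c in copies}) < 2:
        findings.append("fewer than 2 media types")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.immutable_until and c.immutable_until - now >= min_lock
               for c in copies):
        findings.append("no copy immutable for the required window")
    return findings

# Constructed sample inventories (hypothetical names); primary data counts as a copy
NOW = datetime(2026, 2, 18, tzinfo=timezone.utc)
GOOD = [
    Copy("primary-san", "disk", False, None),
    Copy("local-repo", "disk", False, None),
    Copy("cloud-bucket", "object-storage", True, NOW + timedelta(days=30)),
]
WEAK = [
    Copy("primary-san", "disk", False, None),
    Copy("nas-share", "disk", False, NOW + timedelta(days=3)),  # lock expires too soon
]

if __name__ == "__main__":
    for label, inventory in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit_321(inventory, NOW) or "pass")
```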

Different Workloads, Different Requirements

An effective backup strategy takes into account the type of workload. Virtual environments such as VMware or Hyper-V require image-based backups with support for Changed Block Tracking. This means only changed data blocks are stored, which shortens backup windows and limits storage consumption. It is important that snapshots are managed correctly and that granular restore – for example, at the file or application level – is possible.

For SaaS environments such as Microsoft 365, a different reality applies. While providers ensure the availability of their platform, they typically do not offer extensive point-in-time recovery or long-term retention. Organizations that assume their SaaS provider handles complete backups are at risk. A separate SaaS backup solution prevents accidentally deleted or overwritten data from being permanently lost.

Endpoints also deserve attention. In hybrid work environments, business-critical information is often located on laptops outside the central network. Cloud-based endpoint backups with encryption and centralized policy are therefore not a luxury, but a necessary extension of the backup policy.

Ransomware Requires Extra Protection

Ransomware attacks have evolved. Where attackers once exclusively targeted production systems, backup environments are now explicitly attacked as well. The goal is clear: to make recovery impossible and maximize the pressure to pay a ransom.

Therefore, backups must be logically or physically separated from the production environment. Multi-factor authentication for administrator accounts, role-based access control, and extensive logging are now basic requirements. Network segmentation prevents a compromised domain from automatically accessing backup servers.

Immutability and air-gapped storage, where data is not directly accessible via the network, provide an additional line of defense.

The Importance of Periodic Restore Tests

A backup that has never been tested is essentially an assumption. Periodic restore tests demonstrate whether data is actually recoverable and whether applications come back in a consistent state. This goes beyond restoring a random file; complete recovery procedures must be simulated, including failover scenarios.

More and more organizations are automating this process. By performing automated restores in an isolated environment, they continuously check whether backups are usable. This reduces the chance of surprises during a real disaster.
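A minimal form of such an automated restore test, as an added example that is not part of the original article: a SHA-256 manifest is recorded at backup time, the archive is restored into a throwaway directory, and every file is compared against the manifest. The tar archive, the JSON manifest layout and all file names are assumptions for illustration.

```python
import hashlib, json, tarfile, tempfile
from pathlib import Path

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src, archive, manifest):
    """Backup side: archive src and record per-file digests at backup time."""
    src = Path(src)
    digests = {str(p.relative_to(src)): sha256(p)
               for p in sorted(src.rglob("*")) if p.is_file()}
    Path(manifest).write_text(json.dumps(digests, indent=2))
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")

def restore_test(archive, manifest):
    """Restore into an isolated temp directory and verify against the manifest."""
    expected = json.loads(Path(manifest).read_text())
    report = {"missing": [], "corrupt": [], "ok": 0}
    # The 'data' filter (where available) rejects absolute paths and '..' traversal
    safe = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory(prefix="restore-test-") as sandbox:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(sandbox, **safe)
        for rel, digest in expected.items():
            restored = Path(sandbox) / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256(restored) != digest:
                report["corrupt"].append(rel)
            else:
                report["ok"] += 1
    return report

if __name__ == "__main__":
    # Constructed sample data, built on the fly so the script runs offline
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "src"
        src.mkdir()
        (src / "app.conf").write_text("mode=prod\n")
        make_backup(src, Path(work) / "b.tar.gz", Path(work) / "b.json")
        print(restore_test(Path(work) / "b.tar.gz", Path(work) / "b.json"))
```

A non-empty `missing` or `corrupt` list is the signal to alert on; a file-level check like this complements, but does not replace, the full recovery and failover simulations mentioned above.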

Cloud, On-Prem, or Hybrid?

The choice of cloud backups, on-premises storage, or a hybrid model depends on compliance requirements, available bandwidth, and desired recovery speed. Cloud solutions offer scalability and geographical distribution, but come with considerations such as egress costs and reliance on internet connectivity.

On-premises backups enable fast restores and provide full control over the infrastructure, but require investments in hardware and lifecycle management. In practice, many organizations opt for a hybrid approach: fast local recovery options combined with an external, separate copy for disasters.

Backups as an Integral Part of Security

Backups can no longer be treated as a standalone IT process that sits outside of security. They are part of the broader security and continuity strategy. This means that RPO and RTO objectives are formally documented, access rights are strictly regulated, and monitoring is part of the SOC or SIEM landscape.

A mature backup strategy combines technical measures with process discipline. Those who implement this well not only limit the impact of ransomware or system failures but also enhance overall operational resilience.

Ultimately, it comes down to one core question: if everything fails today, can you recover in a controlled and complete manner tomorrow?
