Virtually every organization makes backups. Yet during incidents it often turns out that recovery is not possible. This is rarely because backup software is missing; it is because processes and controls are lacking.
Backups are not systematically covered by security controls or tested, retention settings are misconfigured, or the administrator accounts that manage them are insufficiently protected. In ransomware scenarios we also see attackers going after the backup environment first. Without immutability or separate storage, the backups are encrypted or deleted along with production.
The focus therefore shifts from "we make backups" to "we can demonstrably recover".
The 3-2-1 Rule as a Foundation
Despite all technological developments, the classic 3-2-1 rule remains relevant: three copies of the data (the production copy included), on two different types of media, with at least one copy offsite. In modern infrastructures this usually means a combination of primary storage, a local disk-based backup, and an external (often cloud-based) copy.
Increasingly, an additional layer of protection is added in the form of immutable storage: for a predetermined retention period the backups cannot be modified or deleted, not even with elevated rights. This makes it significantly harder for attackers to disable recovery options. The lock has to cover the whole retention period; a lock that expires earlier leaves the backup deletable before it is supposed to age out.
Different Workloads, Different Requirements
An effective backup strategy takes the type of workload into account. Virtual environments such as VMware or Hyper-V call for image-based backups with Changed Block Tracking, so that after the initial full backup only the blocks changed since the previous run are read and stored; this shortens backup windows and limits storage consumption. It also matters that the snapshots taken for each backup are consolidated and removed afterwards, since snapshots left behind keep growing and degrade performance, and that granular restore, for example of a single file or application item, is possible.
For SaaS environments such as Microsoft 365 a different reality applies. The provider guarantees the availability of the platform, but typically offers only limited point-in-time recovery and retention (recycle bins and retention policies with short, fixed windows) rather than a full backup. Organizations that assume their SaaS provider keeps complete backups are at risk. A separate SaaS backup solution prevents data that was accidentally deleted or overwritten, or removed by a compromised account, from being permanently lost.
Endpoints also deserve attention. In hybrid work environments, business-critical information is often located on laptops outside the central network. Cloud-based endpoint backups with encryption and centralized policy are therefore not a luxury, but a necessary extension of the backup policy.
Ransomware Requires Extra Protection
Ransomware attacks have evolved. Where attackers used to focus solely on production systems, backup environments are now explicitly targeted as well. The goal is clear: make recovery impossible and maximize the pressure to pay a ransom.
Therefore backups must be logically or physically separated from the production environment. Multi-factor authentication for administrator accounts, role-based access control and extensive logging are now baseline requirements. Network segmentation ensures that a compromise of the production domain does not automatically extend to the backup servers; in the same spirit, the backup environment should not rely on the production identity provider for its own administration, so that stolen domain-admin credentials do not also control the backups.
Immutability and air-gapped storage, where the data is not directly reachable over the network (offline tape, or storage that only the backup system itself can address), provide an additional line of defense.
The Importance of Periodic Restore Tests
A backup that has never been tested is an assumption, not a control. Periodic restore tests demonstrate whether data is actually recoverable and whether applications come back in a consistent state. This goes beyond restoring a random file: complete recovery procedures must be rehearsed, including failover scenarios, and the measured recovery time compared against the RTO.
More and more organizations automate this. By performing restores automatically in an isolated environment, they verify continuously that backups are usable, which reduces the chance of surprises during a real disaster.
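The automated restore test described above, as an added example that is not part of the article and not any backup product's code. It restores an archive into a throwaway directory, verifies every file against a manifest of hashes, checks that the application's database is actually consistent (a file can hash correctly and still be useless if it was captured mid-write), and compares the restore time with the RTO. The backup layout (a tar archive holding the files plus a manifest.json of sha256 hashes), the sample SQLite database and the corrupted variant are all constructed inline for illustration.

```python
"""Automated restore test: recover a backup archive into an isolated scratch
directory, verify every file against its manifest, check that the
application's database is consistent, and compare the restore time with the
RTO. Added example, not the article's code or any backup product's API. The
backup layout (a tar archive holding the files plus a manifest.json of
sha256 hashes) and the sample backup are constructed here for illustration."""
import hashlib
import json
import sqlite3
import tarfile
import tempfile
import time
from contextlib import closing
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_sample_backup(workdir: Path, corrupt: bool = False) -> Path:
    """Build a small backup set: an SQLite database and a config file, plus a
    manifest of their hashes. With corrupt=True the database is damaged after
    hashing, which stands in for silent media corruption or tampering."""
    src = workdir / "src"
    src.mkdir()
    db = src / "app.db"
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE orders(id INTEGER PRIMARY KEY, total REAL)")
    con.executemany("INSERT INTO orders(total) VALUES (?)", [(9.5,), (120.0,)])
    con.commit()
    con.close()
    (src / "app.conf").write_text("db=app.db\n")
    manifest = {p.name: sha256_of(p) for p in src.iterdir()}
    (src / "manifest.json").write_text(json.dumps(manifest))
    if corrupt:
        with db.open("r+b") as f:
            f.write(b"\0" * 64)   # overwrite the SQLite file header
    archive = workdir / "backup.tar"
    with tarfile.open(archive, "w") as tar:
        for p in src.iterdir():
            tar.add(p, arcname=p.name)
    return archive


def restore_and_verify(archive: Path, rto_seconds: float) -> dict:
    """Restore into a throwaway directory, never over production, and report
    every problem found rather than stopping at the first."""
    problems = []
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        with tarfile.open(archive) as tar:
            try:
                # the 'data' filter refuses absolute paths, '..' and links
                tar.extractall(dest, filter="data")
            except TypeError:       # Python without the filter argument
                tar.extractall(dest)
        manifest_path = dest / "manifest.json"
        if not manifest_path.exists():
            return {"ok": False, "problems": ["manifest.json missing"],
                    "restore_seconds": time.monotonic() - start}
        manifest = json.loads(manifest_path.read_text())
        for name, digest in manifest.items():
            p = dest / name
            if not p.exists():
                problems.append(f"missing: {name}")
            elif sha256_of(p) != digest:
                problems.append(f"hash mismatch: {name}")
        unlisted = {p.name for p in dest.iterdir()} - set(manifest) - {"manifest.json"}
        problems += [f"unlisted file: {n}" for n in sorted(unlisted)]
        # Application-level consistency, read-only so the test cannot "repair"
        # anything and mask a bad backup.
        db = dest / "app.db"
        if db.exists():
            try:
                with closing(sqlite3.connect(f"{db.as_uri()}?mode=ro", uri=True)) as con:
                    result = con.execute("PRAGMA integrity_check").fetchone()[0]
                if result != "ok":
                    problems.append(f"integrity_check: {result}")
            except sqlite3.DatabaseError as e:
                problems.append(f"database unusable: {e}")
    elapsed = time.monotonic() - start
    if elapsed > rto_seconds:
        problems.append(f"restore took {elapsed:.1f}s, RTO is {rto_seconds}s")
    return {"ok": not problems, "problems": problems, "restore_seconds": elapsed}


def run_restore_test(corrupt: bool = False, rto_seconds: float = 60.0) -> dict:
    """End-to-end: build the sample backup, then restore and verify it."""
    with tempfile.TemporaryDirectory() as work:
        return restore_and_verify(make_sample_backup(Path(work), corrupt), rto_seconds)


if __name__ == "__main__":
    print("clean backup:  ", run_restore_test())
    print("corrupt backup:", run_restore_test(corrupt=True))
```

The clean backup comes back with an empty problem list; the corrupted one reports both the hash mismatch and the unusable database, which is the difference between "the job finished" and "the application would start". In a real pipeline the same function runs on a schedule in an isolated network segment, and its result is what gets reported to the SOC, not the backup job's exit code.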
Cloud, On-Prem, or Hybrid?
The choice between cloud backups, on-premises storage or a hybrid model depends on compliance requirements, available bandwidth, and the required recovery speed. Cloud solutions offer scalability and geographic distribution, but bring considerations of their own, such as egress costs when restoring large volumes and dependence on internet connectivity at exactly the moment it may be unavailable.
On-premises backups allow fast restores and full control over the infrastructure, but require investment in hardware and lifecycle management. In practice many organizations opt for a hybrid approach: fast local recovery options combined with an external, separately controlled copy for disasters.
Backups as an Integral Part of Security
Backups can no longer be treated as a standalone IT process outside of security; they are part of the broader security and continuity strategy. This means that RPO and RTO objectives are formally documented, access rights are strictly regulated, and backup monitoring is part of the SOC or SIEM landscape: failed jobs, deleted repositories, shortened retention or disabled immutability are security events, not just operational ones.
A mature backup strategy combines technical measures with process discipline. Those who set this up well not only limit the impact of ransomware or system failures but also increase overall operational resilience.
Ultimately, it comes down to one core question: if everything fails today, can you recover in a controlled and complete manner tomorrow?