Backup is the thing that should have been done before

Backups represent a crucial issue that requires a structured approach, not only by insiders but by all those who care about their data as well as that of others, which, if lost, could lead to unpleasant scenarios, to say the least. While understanding the reasons for carrying out regular backups may be immediate, the implementation of appropriate practices by individuals and organizations may not be so obvious, potentially leading to significant economic and reputational damage, which can be difficult to recover from.


But what are they and what are the backups for?

Backups help ensure that data which is important to us survives threats such as loss or theft of devices, their destruction due to malicious or natural disasters, malware infections, data corruption due to targeted attacks, or more simply, due to the natural deterioration of storage media. Whatever the threats, it is necessary that the plan and the practices to be structured and conducted, contemplate and prove to be effective even in the case of the so-called “worst-case scenario”, a concept well known in risk management, which consists in structuring activities considering the most serious possible results that may occur in a given situation.


Backup for compliance

The need for an effective backup strategy is not only a good security practice but also one of the key points for various national and international regulations. Within the GDPR (european data protection regulation), there are several points that address this aspect. In accordance with the principle of accountability, it is necessary to ensure access to the data, adopting systems that allow them to be stored securely, preventing them from being accidentally deleted.

Article 5(1)(f) of the regulation, on the other hand, underlines that:

“personal data shall be processed in such a way as to ensure adequate security, including protection, through appropriate technical and organisational measures, against unauthorised or unlawful processing and accidental loss, destruction and damage (‘integrity and confidentiality’)”.

Further strengthened by art. 32, par. 1, letter c, which states that any organization processing personal data must have “the ability to promptly restore the availability and access of personal data in the event of a physical or technical incident“, and letter d, where it is expected that technical and organizational security measures, including backup and restoration, are tested, verified and evaluated regularly in their effectiveness in order to ensure the security of processing.


Backup mode

Within a backup strategy, it is possible to choose between different methods that are more or less suitable, depending on the different contexts and needs:

Full backup: provides for the complete copy of data without exclusion and regardless of whether the files have been modified.

Incremental backup: a copy of the data created and modified since the last full backup is performed.

Differential backup: a copy of data created and modified since the last full backup was performed. Unlike incremental backup, a differential backup will always compare changes since the last full backup, saving any differences each time.



Practical advice for an effective strategy

For an effective backup strategy, the analysis of the elements at stake is an important step. Here the advantages and disadvantages of each medium, the budget available, the amount of data to be saved, the security measures to be put in place for the protection of sensitive data, and the accessibility of the data itself must be evaluated. Although many of these aspects need to be considered and properly weighted according to the ecosystem of reference, there are some practical tips that can be implemented:

> make regular backups. The choice of the interval can vary according to the characteristics and dynamism of the data itself (how often and how much data changes). The rule of common sense applies. The watchword is resilience, ensuring that any interruptions are minimal.

> encrypt your backups. The goal within a sound backup strategy is to protect your data in case of theft, loss, or improper disposal of physical machines, and the use of appropriate encryption systems and tools provides an effective solution, even if one of these scenarios occurs. In fact, we must remember that our data has a very significant value, especially for criminals. They aim to steal trade secrets, to have access to the data itself, or to undermine the reputation of the rightful owner if they were disseminated. Encryption as a concept is explicitly mentioned as one possible technical and organisational measure to secure data in the list of art. 32(1) of the GDPR.

> apply the “3-2-1 backup” rule. This approach helps answer the following question: how many backup files should I have and where should I keep them?

  • own at least three copies of the data. Having only one backup copy is not enough. Having more than one copy results in a significant reduction in data loss in the event of a disaster.
  • store two backup copies on different devices or storage media. Any storage device will fail sooner or later. This point of the rule is based on the assumption that two devices of the same type have a much higher risk of failure than two devices of different types or two different storage media.
  • keep at least one copy of the backup off-site. Keeping all backup copies within the same site could be fatal in the event of a disaster. A great solution for individuals and small businesses without remote locations is to keep backups in the cloud.


> properly isolate your backups. Every day we read about attacks, such as ransomware, that hit a device and propagate within all devices connected to the same network. A solution can be to rely on cloud solutions (which also require in-depth analysis in terms not only of security), which proves to be an effective choice also for the benefit of scalability.

> periodical verification of the recovery process. It is essential to regularly check (depending on the nature of the activities) that the whole chain is efficient, including the people who manage it. If you do not make a real recovery of data, you will never be sure that the backup copy in question is intact and functioning.

> training. By being aware of the appropriate procedures to be set up and conducted, you can ensure a process that significantly reduces potential risks and makes the whole chain more efficient.


It is important that each and every one of us invests and plays the right weight and role in each of the points addressed. The consequences for those who abstain, as briefly analysed in this article, are many.

It is important to carry out backups. It is important to do it now. Let us not get to the point where there will be someone telling us that: “backup is the thing that should have been done before“.


ICT Cyber Consulting