In this Help Net Security interview, Gerald Beuchelt, CISO at Acronis, discusses common backup strategy pitfalls, reasons for backup failures, and offers actionable advice for organizations looking to improve their backup and recovery processes.
What are some of the most common mistakes organizations make when implementing a backup strategy? How can these be avoided?
A common pitfall is viewing backups as a one-off project rather than an ongoing commitment and part of a large business continuity program. Many companies put significant effort into creating an initial backup plan but then fail to update it as their IT setup evolves. Over time, new data sources may appear, employees change their workflows, and software gets upgraded — all of which can outpace your backup strategy.
One aspect of this is depending on a single storage location. If everything lives on-site and a natural disaster hits the primary data centre, both production and backup data might be lost at once. One way to avoid this is by following a 3-2-1 rule, which involves keeping three copies of your data, using two different media types, and storing at least one copy off-site. You might even consider adding an offline or air-gapped backup.
Organizations also tend to overlook proper documentation and training. If only one or two staff members truly understand how backups work, the process can become inconsistent or fail entirely if those key people aren’t around.
Overall, backup, disaster recovery, and business continuity should be understood in the context of the overall organisational security plan.
Studies suggest that a significant percentage of backups fail. What steps should organizations take to improve backup reliability and success rates?
To start, it’s essential to test your backups regularly. Too many companies only realise a backup failed when they try to restore data during an emergency. Periodic test restores confirm that backups were successful and can be counted on if something goes wrong. Automated backup verification is a valuable safeguard against corrupt or incomplete backups.
Monitoring and reporting also play a critical role. Modern backup tools often provide dashboards or alerts for backup issues like low storage capacity. Being proactive by keeping an eye on these metrics helps you catch and fix problems before they escalate.
It’s equally important to establish consistent backup procedures. When each department uses its own backup method without a unified approach, errors and confusion increase. By centralising schedules, encryption settings, and retention rules under one policy-based system, you reduce the risk of human error and streamline operations.
How can organizations balance recovery time objectives (RTO) and recovery point objectives (RPO) with the operational needs of their business?
Start by conducting a thorough business impact analysis. Figure out which processes, applications, and data sets are mission-critical, and decide how much downtime or data loss is acceptable. The more vital the data or application, the tighter (and more expensive) your RTO and RPO targets will be. Having a strong data and systems classification system will make this process significantly easier.
There’s always a trade-off: the more stringent your RTO and RPO, the higher the cost and complexity of maintaining the necessary backup infrastructure. That’s why prioritisation is key. For example, a real-time e-commerce database might need near-zero downtime, while archived records can tolerate days of recovery time.
Once you establish your priorities, you can use technologies like incremental backups, continuous data protection, and cross-site replication to meet tighter RTO and RPO without overwhelming your network or your budget. Be sure to test the entire recovery process (including failover and data integrity checks) on a regular basis to confirm you can achieve your targets.
How do you determine which data needs to be backed up and at what level of granularity?
Start by reviewing any regulatory or compliance rules you must follow; these often dictate which data must be kept and for how long. Keep in mind that some information may not be kept longer than absolutely needed – personally identifiable information would come to mind. Next, look at the operational value of your data. If certain files or databases are critical for day-to-day business, they might need near-real-time replication or more frequent backups.
As for granularity, it depends on how sensitive or time-critical the data is. Systems hosting frequently updated data such as code repositories or collaboration platforms might benefit from daily incremental backups in addition to weekly full snapshots. This ensures that small, critical changes are captured without overburdening storage resources. Meanwhile, less dynamic data (e.g., archival logs or legacy records) could be backed up less frequently, using monthly or quarterly full backups. Policy-based automation can streamline these decisions.
What advice would you give organizations looking to improve their backup and recovery processes?
Firstly, treat backup as a continuous journey rather than a set-and-forget task. Plan to revisit your strategy anytime you introduce new systems or data sources. Regular audits, practice drills, and ongoing reviews of new technologies all help keep your approach current.
Secondly, embrace automation. Scheduling backups automatically, generating detailed reports, and verifying or replicating backups can go a long way toward reducing human mistakes.
Thirdly, don’t underestimate security. Sophisticated ransomware attacks commonly target backups along with primary data. That means privileges should be segmented, encryption should be employed both in transit and at rest, and multi-factor authentication should be enabled wherever possible. Keeping offline or air-gapped backup copies is another worthwhile safeguard.
Finally, document every step and plan for surprises. Detailed runbooks that outline how to restore each critical system ensure you’re ready when disaster strikes.