
Backup concepts and data protection for companies

Where there is light, there is shadow. This also applies to digitalization. It offers enormous opportunities for optimizing business processes, for example, but also major risks such as cyberattacks, data loss or system failures. How can responsible companies protect themselves effectively?

The need for a safety and risk management strategy

Companies that want to protect their data – and therefore themselves, their customers and their future – need a holistic cyber security and risk management strategy. An important part of this is a comprehensive backup concept with data protection measures to minimize cyber risks, and cyber insurance in case something happens despite all security precautions and prudence. This is the only way for companies to protect themselves against the loss of business-critical data and ensure ongoing operations. Without a sensible backup strategy, they can expect financial losses, lost productivity and reputational damage after a data loss.

A backup concept protects against data loss

Every week, more than 1,000 cyber incidents are reported to the National Cyber Security Office (NCSC). All companies are at risk: large ones because they are lucrative targets, small and medium-sized ones because they are comparatively easy targets. Data theft, denial-of-service attacks and ransomware attacks are among the most common attack patterns that can paralyze operations and lead to long-term damage. In a ransomware attack, data is deleted or encrypted and can only be restored with a key for which the blackmailers demand a ransom. A backup concept and up-to-date backup copies of the data can spare a company from having to pay the ransom or bear the cost of time-consuming data recovery.

The foundation for an effective backup concept

Every company should know its data and understand its value in order to protect it effectively. Before a company (or its IT service provider) starts working on the backup concept, three important questions must therefore be answered:

  1. What data do we back up digitally?
  2. How important is this data for our value creation?
  3. What data do we have to retain for legal reasons?

As soon as it is clear which data is to be stored where and how, work can begin on the backup concept. The main objective is a systematic data backup and recovery plan to prevent data loss and ensure business continuity. All important, critical and relevant data must be identified, regularly backed up and capable of easy, quick and complete restoration in the event of a data loss.

Data backup: Tips for minimizing risk

There is never 100% certainty. But companies can minimize their risks massively with a well-thought-out backup concept and effective data protection:

  • Backup solution: Companies can back up data locally on an internal data storage device (on-premises) or on an external server (in the cloud). On-premises backups offer more control and the data can be restored more quickly. Cloud backups are scalable and easier to access. For many companies, it makes sense to combine the strengths of on-premises and cloud backups (costs, security, availability) and choose a hybrid solution.
  • Backup plan: No plan is set in stone, and the backup plan is no exception. Companies should regularly review their backup strategy and backup concept and ensure that they back up not only the files they currently need but also all newly created data, and that the plan still addresses the current risks. Companies should also test their recovery processes, adjust their backup schedule, and keep their storage solutions up to date with the latest technology.
  • Data encryption: If data is backed up on a computer or server, it is protected by the access rights. However, if it is saved on an external drive or USB stick, it is easily readable without encryption. Therefore it makes sense for companies to protect access to the backup data carriers and encrypt their backup data. Modern backup software and cloud service suppliers have integrated encryption functions that should definitely be activated.
  • Know-how: Companies without their own IT department, or with too little internal data backup expertise, should definitely commission an IT service provider to carry out their regular backups. It makes sense to store the backup copies on the company's backup solution and periodically copy them to the IT service supplier's backup solution.
  • Disconnection from the network: When cyber criminals attack a company, they want to control as many systems and as much data as possible and cause as much damage as possible. To better protect the backup data from hacker attacks – or accidental deletion – a backup solution should not be permanently connected to the company network. This means that hackers cannot delete or encrypt the backup copies via the network and demand a ransom.

Backup methods: Security, storage space and time

The decision for a backup method depends on the security needs of the company and the storage space and time budget for the backup copies:

  • Complete (full) backup: All data is backed up in full each time. Although this is the most secure solution, it requires the most storage space and time.
  • Incremental backup: Backs up only the data that has changed since the last backup of any kind and requires the least disk space and time. However, a restore only works if the last full backup and every incremental backup taken since then are intact, because the whole chain must be replayed to reconstruct the data completely.
  • Differential backup: Backs up the data that has changed since the last complete backup. It requires more storage space than an incremental backup, but is faster than a full backup – and simplifies data recovery because only the last full backup and the last differential backup are required.
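The three methods compared on a constructed four-day file history, as an added example that is not part of the original article: it shows what each copy stores, how many file copies each method accumulates, which copies a restore needs, and why one unreadable copy breaks an incremental restore but not a differential one. File names and versions are made up.

```python
# Full vs incremental vs differential backups on a constructed four-day file
# history: what each copy stores, which copies a restore needs, and why one
# unreadable copy breaks an incremental chain but not a differential restore.
# Files are modelled as name -> content version; deletions are not modelled.
DAILY_STATES = [  # constructed sample: state of three files on days 0..3
    {"ledger.xlsx": "v1", "contracts.docx": "v1", "erp.cfg": "v1"},
    {"ledger.xlsx": "v2", "contracts.docx": "v1", "erp.cfg": "v1"},
    {"ledger.xlsx": "v2", "contracts.docx": "v2", "erp.cfg": "v1"},
    {"ledger.xlsx": "v3", "contracts.docx": "v2", "erp.cfg": "v1"},
]

def changed_since(state, reference):
    """Files that are new or whose content differs from the reference state."""
    return {f: c for f, c in state.items() if reference.get(f) != c}

def take_backups(daily_states, method):
    """Day 0 is always a full backup; later days use `method`. Returns (day, kind, files) tuples."""
    assert method in ("full", "incremental", "differential"), method
    backups, last_full = [(0, "full", dict(daily_states[0]))], 0
    for day in range(1, len(daily_states)):
        if method == "full":
            backups.append((day, "full", dict(daily_states[day])))
            last_full = day
        elif method == "incremental":  # changes since the previous backup of any kind
            backups.append((day, method, changed_since(daily_states[day], daily_states[day - 1])))
        else:  # differential: changes since the last full backup
            backups.append((day, method, changed_since(daily_states[day], daily_states[last_full])))
    return backups

def storage_used(backups):
    """Total number of file copies held across all backups."""
    return sum(len(files) for _, _, files in backups)

def restore_chain(backups):
    """The copies needed to restore the most recent backup, oldest first."""
    last_full = max(i for i, b in enumerate(backups) if b[1] == "full")
    later = backups[last_full + 1:]
    if later and later[-1][1] == "incremental":
        return [backups[last_full]] + later     # full + every incremental after it
    return [backups[last_full]] + later[-1:]    # full alone, or full + latest differential

def restore(chain, unreadable=()):
    """Replay the chain in order; an unreadable copy (identified by day) aborts the restore."""
    state = {}
    for day, _kind, files in chain:
        if day in unreadable:
            raise RuntimeError(f"backup from day {day} is unreadable; restore impossible")
        state.update(files)
    return state
```

On this history the full method stores 12 file copies, incremental 6 and differential 8; an unreadable day-2 copy leaves the differential restore intact but makes the incremental restore impossible.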

Backup schedule: Equipped for emergencies

How often data is saved depends on the company's specific requirements and the rate of data change, and it should be defined in a backup schedule. Critical data should be backed up daily or even hourly, less important data weekly or monthly. With the backup schedule, companies can easily minimize data loss and restore data quickly. It is important to test the backup and restore processes regularly to ensure they work in an emergency.

Conclusion: Prevention is better than cure

The Cyber Risk Services specialists at Zurich Resilience Solutions provide advice and support to companies that want to develop or review and update a backup concept. We also help companies that have taken out cyber insurance to recover their data and systems in the event of an insured incident. The costs for disaster recovery measures and data restoration are insured.

Review your backup strategy now and contact us if you would like to work out your backup concept with us or take out comprehensive cyber insurance.

FAQ: Technical Solutions and Security Measures for Backups

Which data must not be forgotten in backups?

In addition to data in documents, graphics, presentations and tables, there is other important data that must not be forgotten: Applications and apps with settings, databases, configuration files for laptops, servers, and industrial control systems as well as virtual servers with snapshots.

How is access to backups restricted?

Backup data may contain business secrets, confidential information from employees and departments or strategies. Users should not be able to access all backup data; only administrators should manage the backup system and the backup data. As a rule, a technical user account is created for this purpose, which has the corresponding rights on the source systems and can copy the data to the backup system.

How do you protect backups from ransomware?

Backup files should be stored offline, i.e. separately from the network. If attackers have gained control of the company network, they must not be able to access the backup data from there. This works best if the backups are also stored with an IT service supplier or in the cloud. If backups are only saved on site, the backup system must have separate user administration and not be managed via the central Active Directory. If backups are made with external data carriers, these should be removed after the copying process.

The 3-2-1 rule provides simple protection against data loss

With the 3-2-1 rule, companies protect themselves against data loss due to the failure of backup systems:

  • 3 = The data should be backed up three times, for example on a computer, on the server and on a backup drive.
  • 2 = The data should be backed up on 2 different types of media, for example, on a hard disk and in the cloud.
  • 1 = 1 backup copy should be stored in a secure location outside the company to protect the data from fire and water.