In the context of World Backup Day, and recent geopolitical developments, the following question is more relevant than ever: What should companies/decision makers do to build cyber resilience and meet compliance requirements while ensuring their own security?
Commvault and ESG's 2024 survey "Preparedness Gap: Why Cyber Recovery Requires a Different Approach to Disaster Recovery" highlights the complexity of modern cyber resilience. Only 26% of respondents believe they can protect all critical applications and data, and only 20% are confident they can protect all apps and data needed for business operations. 85% say that recovery without setting up a clean room environment carries a significant risk of reinfection. 83% also fear that hasty recovery after a cyber incident could destroy valuable evidence. The lesson learned? Achieving reliable cyber resilience and backups is no easy task.
A lack of risk awareness combined with increasing numbers and sophistication of cyber attacks, whether by AI-generated code or otherwise, makes a solid backup and recovery strategy essential for business continuity. The threat of ransomware, the continuing trend towards SaaS applications such as Office 365 and Salesforce, and the issue of cloud data security show that a well-functioning backup is more important than ever.
Developing a backup strategy that truly meets an organisation's requirements and needs is a matter that requires knowledge and experience. Therefore, always involve a specialist when defining the strategy. However, a number of elements can be distinguished that work in most cases. The steps below are based on the recommendations of the Ministry of Economy's digital trust centre.
- Identify crucial data: Determine which data is essential for business operations and cannot be replaced. This could include customer databases, financial data, e-mails, documents and configuration files.
- Choose the right storage locations: Use multiple storage locations to minimise the risks of data loss. Use the "3-2-1 Method" for backups: make 3 copies of your data, store them on 2 different media, and store 1 in another location. This can include both on-site and off-site storage, such as external hard drives and cloud storage. (By the way, in some cases it may be necessary to deviate from the 3-2-1 Method, but it is generally a good approach.)
- Automate backups: Automate the backup process to prevent backups from being forgotten. This ensures regular backups are made without human intervention.
- Regular testing: Regularly test whether backups are successful and can actually be restored. This can be done by periodically restoring a backup and checking that the data is intact.
- Backup security: Make sure access to backups is secured with passwords or encryption to prevent unauthorised access.
- Retention policy: Set a retention policy that determines how long backups are kept. This is important to comply with legal requirements and to ensure that older data remains available for recovery.
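As an added illustration (not from the original post, the survey or the digital trust centre), the following Python check scores a constructed backup inventory against the steps above: 3-2-1 coverage, encryption of every copy, restore-test recency and retention. The inventory schema, the sample records and the 90-day/30-day thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed inventory record for one backup copy (hypothetical schema).
@dataclass
class BackupCopy:
    name: str
    medium: str                 # e.g. "disk", "tape", "cloud"
    offsite: bool               # stored away from the primary site
    encrypted: bool             # access protected by encryption
    created: date
    last_restore_test: Optional[date] = None  # None = never restore-tested

def check_backup_policy(copies: List[BackupCopy], today: date,
                        retention_days: int = 90, test_interval_days: int = 30) -> List[str]:
    """Return a list of policy findings; an empty list means every check passed."""
    findings = []
    live = [c for c in copies if (today - c.created).days <= retention_days]
    expired = [c for c in copies if (today - c.created).days > retention_days]
    # 3-2-1 rule, evaluated on copies still inside the retention window
    if len(live) < 3:
        findings.append(f"3-2-1: only {len(live)} current copies, need 3")
    if len({c.medium for c in live}) < 2:
        findings.append("3-2-1: all current copies on the same medium, need 2 media")
    if not any(c.offsite for c in live):
        findings.append("3-2-1: no current offsite copy")
    for c in live:
        if not c.encrypted:                       # backup security step
            findings.append(f"security: copy '{c.name}' is not encrypted")
        if c.last_restore_test is None or (today - c.last_restore_test).days > test_interval_days:
            findings.append(f"testing: copy '{c.name}' has no restore test in the last {test_interval_days} days")
    for c in expired:                             # retention policy step
        findings.append(f"retention: copy '{c.name}' is older than {retention_days} days and should be purged")
    return findings

# Constructed sample inventory: one good copy, one with a stale restore test,
# one unencrypted and never-tested cloud copy, and one copy past retention.
SAMPLE_INVENTORY = [
    BackupCopy("onsite-disk", "disk", False, True, date(2024, 3, 25), date(2024, 3, 25)),
    BackupCopy("tape-vault", "tape", True, True, date(2024, 3, 24), date(2024, 2, 1)),
    BackupCopy("cloud-bucket", "cloud", True, False, date(2024, 3, 25), None),
    BackupCopy("old-disk", "disk", False, True, date(2023, 10, 1), date(2023, 10, 1)),
]

if __name__ == "__main__":
    for finding in check_backup_policy(SAMPLE_INVENTORY, date(2024, 3, 31)):
        print(finding)
```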
With the increase in cybercrime, the growing indispensability of digital data for business operations and the rising popularity of cloud services, backup requirements have also increased. Recovery must comply with authorities' requirements and restore only uninfected data. Cloud backups are particularly suitable for disaster recovery and cyber recovery because they are located in a different location from the business in question. The data is usually specially "hardened" with an air gap and encryption. Restoring a cloud backup in the cloud can also efficiently ensure business continuity.
Specialised providers offer various offsite cloud storage options. In addition, hybrid cloud solutions can run apps, files and databases in production as a contingency operation. Other key features are compliance and security. Cloud backups comply with legal requirements (e.g. GDPR) and provide protection against unauthorised access through encryption and physical security measures.
Moreover, cloud solutions scale better than on-prem backups, which remain necessary for operational backup and recovery operations at LAN speed when companies are still in the process of cloud transformation. Last but not least, savings are made on operating an additional data centre and on hardware and management costs. All in all, a backup strategy should minimise risks, store data securely and ensure long-term operations.
A currently controversial issue is whether European companies should rely mainly on domestic providers for cloud backups. Traditional US providers are covered by the CLOUD Act, which gives US authorities access rights to stored data. This is in stark contrast to the GDPR. The Trans Atlantic Data Privacy Framework (TADPF) was intended to resolve this contradiction, but is on shaky ground due to the current political situation in the US. European companies should therefore now consider all aspects of their cyber resilience strategy.