If you are practicing proper computer security measures, then you are running routine backups. Do you have a policy for your backups? Is it written down? If so, then add it to your official policy manual so anyone can easily understand and implement it if you have a technology personnel change (this could be an internal person, or an outside firm). Whether you have one or not, below are the components to include in your backup policy.
Data Formats and Storage
If you are running backups, then you have chosen a data format for your backup (disks, tapes, online storage) and are backing up with regularity. Although there are many media on which to place your backups, we recommend having an onsite repository (read: backup appliance) and an offsite cloud-based repository. If you are one of the unlucky companies still using tapes or hard drives, you have some tough questions to answer. Is someone taking the backups home? If so, who?
More importantly, once it leaves the business premises, where and how is that person storing the data? The backseat of a car is not a safe option. What about encryption? Are your backups secured if someone were to come into possession of them? You may be using a service such as Iron Mountain for secure offsite storage, but you must ask yourself how quickly you can get your hands on those backups during an emergency.
The one advantage of tape or local disk-based backups is that they are ‘air gapped’ from the rest of the network. Hackers often delete backups before doing whatever they are going to do, and with tape or disks you are fairly well protected. Local appliance-based backups can also be secured by utilizing appliances that have different operating systems than your main network resources. Backups that run on Windows are problematic because if someone breaches your network, they most likely gain access to the backups as well.
Decide the frequency based on how much data you can afford to lose in a disaster. If you lost a whole day of data and that was not ok, then nightly backups are insufficient. Ideally, run a backup every day; most of our clients are backing up every 4 hours. Don’t forget laptops that are in the field and may have data on them that is not on the server. Regardless of what frequency is right for your business, it has to be clearly spelled out in your backup policy, and senior personnel need to know how much data they will lose in an emergency and be ok with that amount, whatever it is.
How long will you keep your backups? Some companies keep daily backups for one week, and weekly backups for eight weeks. Some companies keep data for six months or a year. Deciding how long it’s necessary to keep your data is part of your overall backup policy. Find out if your industry regulatory body mandates how far back data needs to be kept. Make sure your policy is in compliance with your regulatory statutes.
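The retention scheme mentioned above (daily backups for one week, weekly backups for eight weeks) can be written as a rule that produces a prune plan for review. This is an added example, not code from the original article; the function name `plan_retention`, the one-copy-per-day and one-copy-per-ISO-week interpretation, and the rule that the newest backup is never pruned are assumptions.

```python
from datetime import datetime, timedelta

DAILY_DAYS = 7    # page's example: daily backups kept for one week
WEEKLY_WEEKS = 8  # page's example: weekly backups kept for eight weeks


def plan_retention(backups, now, daily_days=DAILY_DAYS, weekly_weeks=WEEKLY_WEEKS):
    """Return (keep, prune) lists of backup timestamps; deletes nothing itself.

    Assumed interpretation: inside the daily window keep the newest backup of
    each calendar day; inside the weekly window keep the newest backup of each
    ISO week; anything older is pruned, except that the newest backup overall
    is always kept so a stalled job can never empty the repository.
    """
    ordered = sorted(set(backups), reverse=True)  # newest first
    keep, seen_days, seen_weeks = set(), set(), set()
    for ts in ordered:
        age = now - ts
        if age <= timedelta(days=daily_days):
            if ts.date() not in seen_days:
                seen_days.add(ts.date())
                keep.add(ts)
        elif age <= timedelta(weeks=weekly_weeks):
            iso = ts.isocalendar()
            week = (iso[0], iso[1])  # (ISO year, ISO week number)
            if week not in seen_weeks:
                seen_weeks.add(week)
                keep.add(ts)
    if ordered:
        keep.add(ordered[0])  # safety net: never prune the newest copy
    prune = [ts for ts in ordered if ts not in keep]
    return sorted(keep), sorted(prune)


if __name__ == "__main__":
    # Constructed sample: 90 nightly backups taken at 01:00.
    now = datetime(2024, 3, 15, 12, 0)
    nightly = [datetime(2024, 3, 15, 1, 0) - timedelta(days=i) for i in range(90)]
    keep, prune = plan_retention(nightly, now)
    print(f"keep {len(keep)}, prune {len(prune)}, oldest kept {keep[0]}")
```

Because the function only returns a plan, the deletion step can be run separately, under an account other than the one that writes the backups.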
Encryption, Access and Testing
It’s important to decide both whether to encrypt your backups (which means they will be translated into an indecipherable code) and who has access to the information. The data’s sensitivity or classification level will likely dictate these elements. Your internal IT or Managed Services Provider will likely oversee the day-to-day backups, but senior management should be involved, checking on the backups weekly or monthly.
When you assign one person to oversee the backup policy, also assign an alternative. Redundancy is a best practice to protect the company.
Don’t forget to periodically test your backups by retrieving data and making sure it is usable. Backup, monitor, and verify.
Regular Review of Your Backup Policy
Part of your policy needs to be reviewing the policy. Technology changes lightning fast. It’s a good idea to include a clause in your policy to review it annually. Is there a better, faster, more economical way to back up? If you make that part of the policy, then you’ll be more likely to keep your business up-to-date and running smoothly. An easy way to remember is to review the policy when you file your taxes; it will pay off.