
How to safely and securely back up data
It's not just about ransomware. Less publicized threats like system misconfigurations, hardware and software failures, and user errors dictate a better approach to data backup.
Ransomware that targets backup systems has heightened the urgency of securely storing and backing up data. Like criminals who rob banks because that's where the money is, cybercriminals seek out backup infrastructure. Businesses can't recover if their critical system components and data are compromised and can't be swiftly restored.
The problem doesn't stop there. Many businesses are challenged by unrelenting cyberattacks and a complex regulatory environment -- including HIPAA, PCI-DSS, SOX, FedRAMP, GDPR and DORA -- that mandates strict data backup and recovery (DBR) measures for data privacy and protection.
As enterprises grapple with increasing volumes of unstructured data -- text, audio, video, social media, IoT and now AI and machine learning -- regulations around data privacy and protection of personally identifiable information (PII) put data security and governance at the forefront for many industries.
"Backup kind of just works at this point," said W. Curtis Preston, a data protection veteran (aka "Mr. Backup") and author of the book Learning Ransomware Response & Recovery. "What is really needed is to make sure that you are doing your backups in a way that would protect them from cyberattacks because of what we know from the cybersecurity experts," he said. "You are going to get ransomware."
Why data backup and security matter
Failing to securely back up critical systems can lead to catastrophic outcomes. Knights of Old, a 158-year-old transportation company in the U.K., was forced to shut down when a ransomware attack encrypted the logistics systems, backups and financial data of its parent company, KNP Logistics Group, in June 2023. The parent company was unable to secure financial backing after the attack, and more than 700 employees were made redundant.
Unfortunately, organizations also need to be concerned about internal failures when it comes to secure backup infrastructure -- as well as third-party provider errors. In May 2025, the San Francisco Jazz Organization (SFJAZZ) filed a lawsuit against Aldrich Technology LLC for breach of contract, alleging that the IT service provider's failure to install software upgrades and monitor backups resulted in a ransomware attack in May 2023 that infiltrated and encrypted the non-profit organization's file servers, accounting workstations, backups and backup servers. The breach compromised the personal information of current and former employees, including social security numbers, driver's license or government identification numbers, and dates of birth.
While ransomware threats have drawn attention to the importance of backing up critical systems and data, system misconfigurations, hardware and software failures, and user errors can also lead to data loss.

Choosing the right backup type
According to Gartner's June 2025 "Magic Quadrant for Backup and Data Protection Platforms," 75% of enterprises will use a unified platform for on-premises and cloud backup and recovery by 2029, up from 25% in 2025. By the end of the decade, most large enterprises (85%) will also adopt backup as a service to protect cloud and on-premises workloads, in addition to IT managed backup -- a significant increase from 25% in 2025.
In hybrid scenarios, critical data is backed up on enterprise storage servers or appliances on-premises, sometimes via tiered storage. Hard disk drives are often used for long-term air-gapped or cold storage, such as archival data that's not frequently accessed, due to their lower cost and performance. Solid state disk technologies, including flash drives, frequently serve as hot storage, often for systems and data that require faster recovery. Other systems (such as VMs) and data, including user files, documents, development projects and analytics workloads are backed up and stored in the public cloud at a per-GB or per-TB monthly rate. Depending on the cloud provider, different tiers can provide variable pricing structures and access speeds.
The "2025 State of the Data Center Report" by the Association for Computer Operations Management (AFCOM) revealed that 80% of respondents acknowledged moving their cloud workloads back to on-premises environments to better manage performance and cost. The top workload cited was storage management, including backups, disaster recovery and archiving, at 44%, followed by data analytics and business intelligence tools at 38%.
Gartner reported that only about 20% of companies currently back up SaaS applications as a "critical requirement," but that number is expected to grow significantly, with 80% of organizations projected to prioritize SaaS backups by 2029.

Many compliance frameworks and disaster recovery plans recommend full backups of essential business, customer and operations systems to support faster restoration of high-priority systems and data, especially in the event of a disaster. Full backups may take a long time, especially when dealing with large data sets, slower systems and limited storage capacity, all of which can add to overall costs. Some businesses schedule full backups monthly or weekly and use incremental and differential backups at other times.
Differential backups capture all file, folder and data changes since the last full backup. These technologies can use file attributes, hashes and checksums to find changes in data. This approach can make the restoration process faster. IT professionals restore the last full backup and the most recent differential backup to recover any modifications.
In contrast, incremental backups capture only the data and file changes made since the last backup. An incremental backup, for example, records the data changes made in the last 24 hours, while a differential backup uses the last full backup as its starting point and captures all changes made since then, regardless of how many backups have occurred.
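The difference between the two schemes, and what each one requires at restore time, is shown in the following added example. It is not from the original article or from any backup product. The function names, the three-day file set and the handling of deleted files are assumptions made for illustration.

```python
import hashlib

def manifest(tree: dict) -> dict:
    """Map each path to the SHA-256 of its content (the change detector)."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in tree.items()}

def take_backup(kind: str, tree: dict, base: dict) -> dict:
    """Capture files whose hash differs from `base`, plus paths deleted since it.
    A full backup uses an empty base, so it captures everything."""
    current = manifest(tree)
    changed = {p: tree[p] for p in current if base.get(p) != current[p]}
    deleted = sorted(set(base) - set(current))
    return {"kind": kind, "files": changed, "deleted": deleted, "manifest": current}

def run_schedule(snapshots: list, mode: str) -> list:
    """Day 0 is a full backup; later days are `mode` (incremental or differential)."""
    backups = []
    for day, tree in enumerate(snapshots):
        if day == 0:
            backups.append(take_backup("full", tree, {}))
        else:
            # Differential compares with the last full, incremental with the previous backup.
            ref = backups[0] if mode == "differential" else backups[-1]
            backups.append(take_backup(mode, tree, ref["manifest"]))
    return backups

def restore_chain(backups: list, day: int) -> list:
    """Indexes of the backups that must be applied, in order, to restore `day`."""
    if day == 0 or backups[day]["kind"] == "differential":
        return sorted({0, day})      # the full plus one differential
    return list(range(day + 1))      # the full plus every increment up to `day`

def restore(backups: list, day: int) -> dict:
    tree = {}
    for i in restore_chain(backups, day):
        tree.update(backups[i]["files"])
        for path in backups[i]["deleted"]:
            tree.pop(path, None)
    # Verify the restored data against the manifest recorded at backup time.
    if manifest(tree) != backups[day]["manifest"]:
        raise ValueError("restore verification failed")
    return tree

# Constructed sample data: three daily states of a small file set.
SNAPSHOTS = [
    {"ledger.csv": b"v1", "hr.db": b"v1", "notes.txt": b"v1"},
    {"ledger.csv": b"v2", "hr.db": b"v1", "notes.txt": b"v1"},
    {"ledger.csv": b"v2", "hr.db": b"v2"},  # notes.txt deleted on day 2
]
```

On day 2 the incremental backup holds only hr.db but needs all three backups to restore, while the differential holds both changed files and needs only the full backup plus itself. A missing or corrupted increment breaks every later restore point in an incremental chain, which is why the manifest check in restore() matters.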
"AI models are being trained now to analyze storage logs to find things like system anomalies and system behavior to actually predict a backup failure before it happens," said Bill Kleyman, CEO and cofounder of AI platform provider Apolo and executive chair of Informa/AFCOM programs for data center and IT professionals. "The strength of the hardware is better than it was four or five years ago, and the models are also more powerful."
The choice between full, incremental and differential backups depends on storage capacity and performance requirements for backup windows and recovery time objectives (RTOs). It's essential to align backup strategies with key performance targets for business continuity. Recovery point objective (RPO) is the maximum acceptable data loss during an incident. It defines how far back in time the company can go to restore data without causing unacceptable damage. RTO is the maximum allowable downtime before systems must be restored to maintain business continuity and meet disaster recovery goals.
How to ensure your backup is safe and secure
Important controls for how to back up data securely include encryption methods, access controls, vendor risk assessments and immutable backups -- all of which serve as safeguards against data loss and unauthorized access.
Encrypt data in transit and at rest
Standard encryption methods such as AES-256 can be applied at multiple levels -- backup software, the storage device and files -- to protect data at rest. Data in transit should also be encrypted using TLS/SSL protocols. However, it's critical to test recovery processes to ensure encryption keys are properly managed and don't obstruct data restoration.
Use role-based access controls
Unlike the role-based access control (RBAC) used for identity and access management across an organization's systems and applications, RBAC within DBR infrastructure controls access to specific backup operations. These controls typically apply to backup administrators, IT professionals and security teams, and, in some cases, compliance officers and auditors. They support least-privilege access and govern actions such as restoring, deleting and modifying backups as well as managing immutability settings.

Verify provider compliance
Businesses considering cloud-based backup or storage services must ensure that providers meet availability, security and data protection requirements, such as SOC 2, ISO/IEC 27001 and other relevant compliance standards. Organizations should recognize which data protection regulations apply, based on their industry and the types of data they handle. They should request proof of certifications, third-party assessments and audit reports from cloud service providers. Before signing contractual agreements, including service-level agreements, it's important to evaluate the provider's security controls such as access management, DBR testing, storage locations and incident response plans.
Consider air-gapped and immutable backup options
Air-gapped backup is physically or logically isolated from the connected network via segmentation, access controls and policy restrictions. It protects critical systems that need guaranteed recoverability from unauthorized access and cyberattacks. Another approach is immutable backups, which can't be modified or deleted. Immutability is commonly enforced through write-once read-many storage and is controlled via time-based policies or administrative controls.
"There are a number of products that make it very easy to configure your backups in a very insecure manner," Preston cautioned. "So, this is where AI can help." Backups can be complex, and people often have a hard time configuring their systems, he explained, adding "What if you have a chatbot that says, 'Hey, I looked at your backups, and I noticed that none of them are using immutable storage.'" More tools are beginning to integrate chatbot frontends, Preston said, noting that a chatbot could use natural language processing to provide guidance on where security controls need to be placed.
Keeping up with your backups
While some businesses routinely test their backups, roughly 20% set up backup systems but fail to test them. Others fall short on comprehensive testing and find failures during restoration attempts.
AI-powered tools allow organizations to test more, and they can generate test plans and point out specific flaws, advised Jon Brown, senior analyst, Data Protection, Ops & Sustainability at Enterprise Strategy Group, now part of Omdia. "So, if you are willing to do those things, the tools are much, much better."
It's also important to review and update the company's DBR strategy annually and train employees on backup awareness and best practices.
Meanwhile, vendors are integrating advanced cybersecurity capabilities into DBR platforms. According to Gartner, 95% of data backup and data protection platforms will embed cyberthreat detection by 2029, compared to 55% in 2025.
Other AI advances have changed the role of backups. "You are using your backup repository as a source," Brown said. Modern DBR platforms, for example, include the ability to identify and classify the data they store, recognizing when data contains PII or originates from sensitive sources. Backup platforms are being used for much more than restoration, such as preserving metadata and enforcing associated business rules.
"AI is making storage more intelligent," Brown noted. "More data management functions are getting embedded into storage and as such also into backup and recovery solutions."
Kathleen Richards is a freelance journalist and industry veteran. She's a former features editor for TechTarget's Information Security magazine.