Why Backups Matter

Backups are one of the most consistently undervalued aspects of everyday security. Most people understand in principle that they should back their data up. Far fewer do so reliably, and fewer still have ever tested whether their backup actually works.

The practical reality of not having a working backup becomes clear very quickly when something goes wrong – a ransomware attack that encrypts files, a device failure, accidental deletion of something important. At that point, a backup is either there or it isn’t.

What to back up

Start with anything that would be difficult or impossible to recreate: documents, photos, project files, emails where these aren’t centrally retained, anything that exists only on a single device. In a work context, understand what is and isn’t covered by organisational backup systems – cloud platforms and shared drives often have their own retention and recovery mechanisms, but locally stored files typically don’t.

Personal devices are often overlooked. If work-related material, credentials, or sensitive personal information lives on a personal laptop or phone without any backup, that represents real exposure.

The 3-2-1 principle

A widely used rule of thumb is the 3-2-1 approach: keep three copies of important data, on two different types of storage media, with one stored offsite or in a separate location. In practice this often means one copy on your primary device, one on an external drive or secondary device, and one in cloud storage.

The point of multiple copies in different locations is resilience. A backup stored only on an external drive in the same room as the device it’s backing up offers limited protection against theft, fire, or flood. Cloud storage and physical storage complement each other rather than substitute for one another.

Back up regularly

A backup is only as current as the last time it ran. Data created or modified after the last backup will not be recoverable from it. How often you back up should reflect how much data you can afford to lose – if losing a day’s work would be manageable, a daily backup is probably sufficient. If losing an hour’s work would be serious, more frequent backups are warranted.

Automated backups are more reliable than manual ones. A process that runs without requiring deliberate action is one that actually happens.

Test the restore

This is the step that most people skip, and it’s the most important one. A backup that has never been tested is an untested assumption. Files can become corrupted, backup processes can fail silently, and storage media can degrade. Periodically restoring a file or folder from backup – not the whole system, just something – confirms that the process is working and that you know how to use it when you need to.

The time to discover that a backup doesn’t work is not the moment you need it.
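A restore test can be scripted so that it happens as routinely as the backup itself. The following is an added example, not part of the original guidance: it compares a random sample of files against copies restored from backup, and treats files edited after the backup ran as expected differences rather than faults. The function names, folder names and file contents are assumptions made up for the illustration.

```python
import hashlib
import os
import random
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash file contents (reads the whole file; fine for a small sample)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def verify_restore(source_dir, restored_dir, backup_time, sample_size=20):
    """Compare a random sample of source files against their restored copies."""
    source_dir, restored_dir = Path(source_dir), Path(restored_dir)
    files = sorted(p.relative_to(source_dir) for p in source_dir.rglob("*") if p.is_file())
    sample = random.sample(files, min(sample_size, len(files)))
    report = {"ok": [], "missing": [], "corrupt": [], "changed_since_backup": []}
    for rel in sample:
        original, restored = source_dir / rel, restored_dir / rel
        if original.stat().st_mtime > backup_time:  # edited after the backup ran
            report["changed_since_backup"].append(str(rel))
        elif not restored.is_file():
            report["missing"].append(str(rel))
        elif sha256_of(original) != sha256_of(restored):
            report["corrupt"].append(str(rel))
        else:
            report["ok"].append(str(rel))
    return report


def demo():
    """Constructed data: one file lost, one damaged, one edited after the backup."""
    with tempfile.TemporaryDirectory() as root:
        src, restored = Path(root, "documents"), Path(root, "restored")
        src.mkdir()
        for name in ("notes.txt", "photo.raw", "budget.csv", "draft.txt"):
            (src / name).write_text("contents of " + name)
        shutil.copytree(src, restored)  # stands in for "restore from backup"
        backup_time = (src / "notes.txt").stat().st_mtime + 60  # constructed backup time
        os.utime(src / "draft.txt", (backup_time + 3600,) * 2)  # edited later
        (restored / "photo.raw").unlink()                # dropped by the backup
        (restored / "budget.csv").write_text("garbage")  # damaged on the media
        return verify_restore(src, restored, backup_time)


if __name__ == "__main__":
    print(demo())
```

Anything listed under "missing" or "corrupt" means the backup has failed silently; a long "changed_since_backup" list means the backup is running too infrequently for how fast the data changes.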

Ransomware and backups

One specific reason backups matter: ransomware attacks encrypt files and demand payment for the decryption key. Organisations and individuals with working, tested, offsite backups are in a fundamentally different position to those without them. A clean backup that pre-dates the infection can make the difference between recovery and a very difficult choice. This is also why it’s worth ensuring backup storage isn’t permanently connected to the primary device – a backup drive that’s always mounted, or a cloud account that syncs automatically, can be encrypted alongside the original files.

