2025 Cybersecurity Guidebook Chapter 3: The Importance of Proper Data Backups
Our Chief Information Security Officer, Anthony Cabral, sat down to discuss the importance of proper data backups. The conversation has been lightly edited. You can read a summary below or watch the full video here: https://www.youtube.com/watch?v=byJ47RW3gwU
Trey: We are back continuing on with our cybersecurity guidebook. This week, we are discussing the importance of proper data backups. Anthony, want to share more?
Anthony: Sure. Backups have been around forever. We've been doing them for a long time, but I think a lot of people have been doing them wrong or are currently doing them wrong and don't fully understand the need for backups. There are a few reasons why every firm needs data backups, right?
Most firms understand the major reason: if there’s a security incident where someone exfiltrates, deletes, or encrypts your data, you need copies of that data to be able to recover. Another, more rare threat is an insider threat. You have a disgruntled employee who has access to stuff, goes in, and deletes a bunch of firm or client files, and now they are gone. Having good backups allows you to be able to recover from that. On the security side of backups, you want multiple copies of those backups. You want one on-site, where you're close to the data and have fast recovery, and then another one off-site somewhere. Your off-site one should be geographically dispersed from wherever your physical locations are. If your on-site copy gets compromised for some reason, whether it is a natural disaster, the effects of a cyber incident, or whatever, having a fail-safe copy outside of our hot zone is helpful. You want to make sure your backups are immutable. That means once the backup is complete, no changes can be made to those backups, so you can’t inject malicious code or anything. You also want to make sure everything is encrypted all the time. All phones and emails are encrypted by default nowadays, so it’s important that your backups are too.
The last thing to think about is recovery time objective (RTO) and recovery point objective (RPO). Recovery time objective means: how long does it take me to get all my data back into production so that my users can use it, go back to work, and start to service our clients again? The more data you have, the longer it’s going to take for you to get all of that restored and accessible to your user base. It also gets pricier the more data you have. You’re paying for storage, backups, off-site backups, and so on. There are multiple layers of cost when you store more data than you really need. There are also high liabilities when you store data that you don’t need, and some regulatory stuff that your lawyers can talk through. Recovery point objective means: how much data am I going to lose during a total loss incident? If you do backups once a day, and lightning strikes right before you go to do your backups, you will have lost 24 hours of data, and that is if the prior day’s backup went off without a hitch. You really need to be prepared to lose up to 48 hours of data, because you can’t always plan for the worst-case scenario.
To recap: have backups off-site, geographically distant, immutable, and encrypted everywhere, and understand what your recovery times and objectives are. The shorter the recovery time and recovery point, the more it’s going to cost. Have a good retention policy and clean up as much of your data as you can.
Trey: Thanks, Anthony! Clear Guidance Partners would love to be a resource for your firm if you need help with proper data backups. Fill out this form and a member of our team will reach out: