Don't Be an April Fool.

Every year on the 31st of March, the global technology community pauses to ask one question: if everything disappeared tomorrow, would you survive? Most organisations assume the answer is yes. Far too many discover, too late, that it isn’t.

World Backup Day was conceived as a grassroots reminder, a yearly nudge to check, test, and improve the resilience of the systems we rely upon. But in 2026, with ransomware operators running sophisticated criminal enterprises, geopolitical cyber threats rising sharply, and regulatory expectations hardening, backing up your data is no longer merely good advice. It is a legal obligation, a commercial necessity, and in many sectors, a matter of public safety.

This piece examines why backup matters, from resilience in the face of cyber-attack, to the quieter catastrophes of human error and hardware failure. It sets out the common strategies that security professionals recommend, the regulatory frameworks that demand it, and the hard lessons learnt by organisations that have discovered, in the worst possible way, what the absence of a working backup actually costs.

Why Backup matters more than ever

The threats to organisational data have never been more varied, more sophisticated, or more consequential. A backup strategy is not an IT technicality; it is the last line of defence between a manageable incident and an existential crisis.

[Statistics panel; the figures did not render.] Captions: share of companies that suffer catastrophic data loss and do not survive; average cost of a ransomware attack in the UK (2024); average downtime following a ransomware incident; share of data-loss events caused by human error or hardware failure.

Ransomware: the threat of our era

Ransomware has evolved from a nuisance perpetrated by low-level criminals into an industry. Ransomware-as-a-Service (RaaS) platforms allow threat actors with minimal technical capability to deploy sophisticated, multi-stage attacks against organisations of every size. The attack pattern is now well understood: infiltrate, establish persistence, move laterally, exfiltrate data for leverage, then encrypt.

The critical point for backup strategy is this: modern ransomware operators actively seek out and destroy backups before triggering encryption. An attacker who has spent weeks quietly traversing your network will look for your backup servers, your NAS devices, your cloud sync solutions, and your tape libraries, and will use the domain administrator or backup service credentials they have harvested to delete, encrypt, or expire them. If your backups are reachable from the same network, or with the same credentials, as your production systems, they are at risk.

Organisations with well-designed, tested, and isolated backup architectures recover. Those without them face a binary choice: pay the ransom, with no guarantee of complete decryption or an end to extortion, or rebuild from nothing.

Hardware failure and human error

Whilst ransomware commands the headlines, the majority of data loss events remain stubbornly mundane: a failed hard drive, an accidental deletion, a misconfigured script that overwrites a production database, a power surge that corrupts a RAID array. These events are unglamorous but consequential, and they are the reason that backup culture must be embedded at every level of an organisation, not merely in response to the threat of cyber-attack.

Natural disasters and physical threats

Fire, flood, and physical theft remain live risks, particularly for organisations that rely primarily on on-premises infrastructure. The principle of geographic separation in backup design – storing copies of data at physically distinct locations – is directly motivated by the very real possibility that a single site can be rendered entirely inoperable by events beyond anyone’s control.

The benefits of a robust backup programme

A well-designed and consistently maintained backup programme delivers benefits that extend well beyond the obvious ability to restore lost files. Considered strategically, it is a foundational component of organisational resilience.

Ransomware Recovery

Clean, isolated backups are the only reliable technical counter-measure to ransomware encryption. They eliminate the coercive power of the ransom demand by providing an independent recovery path.

Minimised Downtime

Every hour of operational downtime carries a cost: lost revenue, damaged relationships, and eroded trust. Mature backup and recovery capabilities cut actual recovery times from days to hours or minutes, which is what makes an aggressive Recovery Time Objective (RTO) achievable rather than aspirational.

Regulatory Compliance

Multiple regulatory frameworks, including the UK GDPR, NIS2, DORA, and sector-specific requirements, mandate data availability and resilience. A documented backup programme is evidence of compliance.

Litigation and SAR Support

Backups provide a recoverable record of data as it existed at a point in time, valuable during legal proceedings, regulatory investigations, and the fulfilment of Subject Access Requests where live records have been altered or lost.

Reduced Insurance Exposure

Cyber insurers are increasingly scrutinising backup practices at underwriting. Documented, tested backup programmes demonstrate risk maturity and can positively influence both the availability and cost of cyber insurance cover.

Business Continuity Assurance

Backup sits at the heart of any credible Business Continuity Plan (BCP). It provides the concrete foundation upon which recovery objectives, crisis communications, and stakeholder assurances are built.

A backup is not a cost centre. It is the insurance policy, the disaster plan, and the negotiating position — all in one.

Common backup strategies: A professional assessment

No single backup strategy is universally correct. The right approach depends on the volume and criticality of the data involved, the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) the organisation can tolerate, budget, and the threat model in play. What follows is an assessment of the principal strategies, their merits, and their limitations.

The 3-2-1 rule is the bedrock of backup strategy and remains the most widely cited framework in professional guidance. It stipulates: maintain 3 copies of your data (the production copy plus two backups); store them on 2 different media types (for example, local disk and cloud, or disk and tape); and keep 1 copy off-site, geographically separated from the primary environment.

The logic is one of fault tolerance: multiple independent failure modes must occur simultaneously to result in total data loss. For most organisations, the 3-2-1 rule provides an excellent baseline. It does not, however, address the threat of ransomware operators who compromise every connected backup destination, which is why the rule has since been extended to 3-2-1-1-0.

The 3-2-1-1-0 rule extends the classic rule with two further requirements for the modern threat landscape. The additional 1 mandates that at least one backup copy be kept offline, air-gapped, or immutable: physically or logically disconnected from the network such that ransomware cannot reach it. The 0 requires that backups be verified to contain zero errors, closing the gap between having a backup and having a backup you can actually restore from.

For organisations facing elevated cyber risk, which, in 2026, is essentially all of them, the 3-2-1-1-0 framework should be the minimum standard. Immutable cloud storage (using object lock features provided by major cloud providers) and offline tape rotations both satisfy the air-gap requirement in different ways.
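The "0" in 3-2-1-1-0 is only meaningful if verification is automated and the record being verified against cannot itself be rewritten by the attacker. The following is an added example, not code from the original article: build_manifest() records a SHA-256 digest for every file under a backup root at backup time, verify_copy() re-hashes a copy and reports missing, altered and unexpected files, and seal_manifest() authenticates the manifest with an HMAC key held apart from the backup. The directory layout, file contents and key are constructed for the example.

```python
"""Verifying the '0' in 3-2-1-1-0: a copy is only a backup once it verifies clean.

Added example, not code from the original article. Paths, file contents and
the HMAC key below are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def seal_manifest(manifest: dict[str, str], key: bytes) -> str:
    """HMAC over the canonical JSON form of the manifest; the key lives apart from the backup."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict[str, str], key: bytes, seal: str) -> bool:
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def verify_copy(copy_root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a backup copy against the manifest taken at backup time.

    The copy verifies clean only when all three lists are empty.
    """
    found = build_manifest(copy_root)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "altered": sorted(p for p in manifest if p in found and found[p] != manifest[p]),
        "unexpected": sorted(set(found) - set(manifest)),
    }


def verifies_clean(report: dict[str, list[str]]) -> bool:
    return not any(report.values())


def run_demo() -> dict:
    """Constructed sample: take a backup, copy it, damage the copy, verify both the copy and the manifest."""
    import shutil
    import tempfile

    key = b"example-manifest-key-kept-in-the-vault"   # assumption: stored away from the backup
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "backup-2026-03-29"
        (source / "db").mkdir(parents=True)
        (source / "db" / "dump.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (source / "config.yaml").write_bytes(b"retention_days: 30\n")

        manifest = build_manifest(source)
        seal = seal_manifest(manifest, key)

        copy = Path(tmp) / "offsite-copy"
        shutil.copytree(source, copy)
        clean_before = verifies_clean(verify_copy(copy, manifest))

        # Simulate a partially damaged or tampered copy.
        (copy / "config.yaml").write_bytes(b"retention_days: 3\n")
        (copy / "db" / "dump.sql").unlink()
        (copy / "stray.tmp").write_bytes(b"\x00")
        report = verify_copy(copy, manifest)

        # A manifest regenerated from the tampered copy must fail the seal check.
        forged = build_manifest(copy)
        return {
            "clean_before_tamper": clean_before,
            "report": report,
            "manifest_authentic": manifest_is_authentic(manifest, key, seal),
            "forged_authentic": manifest_is_authentic(forged, key, seal),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The seal matters more than the per-file hashes: an attacker who can rewrite the backup copy can usually rewrite a manifest stored beside it, so the manifest (or its HMAC) belongs with the immutable copy or in the vault, and the verification job should run from a host the backup-writing credentials cannot reach.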

Understanding backup types is fundamental to designing a schedule that balances storage consumption against recovery speed. A full backup captures the complete dataset at a point in time. It is the most storage-intensive but produces the simplest, fastest restore. An incremental backup captures only data changed since the last backup of any type, minimising storage at the cost of a multi-step restore: the last full plus every incremental since it must be read back in order, and one unreadable link breaks the chain from that point. A differential backup captures all changes since the last full backup, so a restore needs only the full and the latest differential; it is a middle ground between the two.

Most enterprise backup schedules combine approaches: a weekly full backup anchors the schedule, with daily incrementals or differentials in between. The specific cadence should be driven by the RPO, the maximum acceptable data loss measured in time. A 24-hour RPO permits daily backups; a 4-hour RPO requires much more frequent incremental snapshots or continuous data protection.
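The restore chain and the achieved RPO are both mechanical consequences of the schedule, so they can be computed rather than assumed. The following is an added example, not code from the original article: a constructed catalogue of a weekly Sunday full with daily incrementals or differentials, a restore_chain() that applies the rules in the paragraph above (including a schedule that mixes a differential with later incrementals), and a worst_case_rpo() that reports the largest gap between backups, which is the number to hold against the RPO. Backup sizes and dates are illustrative assumptions.

```python
"""Restore chains and achieved RPO for full, incremental and differential schedules.

Added example, not code from the original article. The catalogue is a
constructed stand-in for a backup product's catalogue; sizes are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    taken: datetime
    kind: str        # "full", "differential" or "incremental"
    size_gb: float


def restore_chain(catalogue: list[Backup], target: datetime) -> list[Backup]:
    """Backups that must be applied, in order, to reach the newest state at or before target.

    A full stands alone. A differential holds every change since the last full,
    so only the newest differential after that full is needed. An incremental
    holds changes since the previous backup of any kind, so every incremental
    after the last full (or after the newest differential) is needed.
    """
    usable = sorted((b for b in catalogue if b.taken <= target), key=lambda b: b.taken)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup at or before the target: nothing to restore from")
    base = fulls[-1]
    later = [b for b in usable if b.taken > base.taken]
    chain = [base]
    differentials = [b for b in later if b.kind == "differential"]
    if differentials:
        chain.append(differentials[-1])
    cutoff = chain[-1].taken
    chain.extend(b for b in later if b.kind == "incremental" and b.taken > cutoff)
    return chain


def chain_size_gb(chain: list[Backup]) -> float:
    """Data that has to be read back for this restore."""
    return sum(b.size_gb for b in chain)


def data_lost(catalogue: list[Backup], failure: datetime) -> timedelta:
    """Work lost if production fails at `failure`: time since the newest usable backup."""
    taken = [b.taken for b in catalogue if b.taken <= failure]
    if not taken:
        raise ValueError("no backup before the failure")
    return failure - max(taken)


def worst_case_rpo(catalogue: list[Backup]) -> timedelta:
    """Largest gap between consecutive backups: the figure to measure against the RPO."""
    times = sorted(b.taken for b in catalogue)
    return max((b - a for a, b in zip(times, times[1:])), default=timedelta(0))


def weekly_schedule(first_sunday: datetime, weeks: int, between: str) -> list[Backup]:
    """Constructed catalogue: Sunday 00:00 full, Mon-Sat 02:00 `between` (incremental or differential)."""
    if first_sunday.weekday() != 6:
        raise ValueError("first_sunday must be a Sunday")
    catalogue: list[Backup] = []
    for week in range(weeks):
        sunday = first_sunday + timedelta(weeks=week)
        catalogue.append(Backup(sunday, "full", 2000.0))
        for day in range(1, 7):
            # An incremental is roughly one day's change; a differential grows through the week.
            size = 50.0 if between == "incremental" else 40.0 * day
            catalogue.append(Backup(sunday + timedelta(days=day, hours=2), between, size))
    return catalogue


def demo(between: str) -> dict:
    """Run the constructed schedule through a failure on Saturday 28 March 2026 at 14:00."""
    catalogue = weekly_schedule(datetime(2026, 3, 1), 5, between)   # 1 March 2026 is a Sunday
    failure = datetime(2026, 3, 28, 14, 0)
    chain = restore_chain(catalogue, failure)
    return {
        "chain": [b.kind for b in chain],
        "gb_to_read": chain_size_gb(chain),
        "hours_lost": data_lost(catalogue, failure).total_seconds() / 3600,
        "worst_gap_hours": worst_case_rpo(catalogue).total_seconds() / 3600,
    }


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        print(kind, demo(kind))
```

The constructed schedule exposes a common oversight: with the full at Sunday 00:00 and the first incremental at Monday 02:00, the longest gap is 26 hours, so a schedule described as meeting a 24-hour RPO does not, and the restore after a Saturday failure needs seven incremental reads against two for the differential variant.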

Cloud-based backup services offer compelling advantages: geographic diversity is inherent, capacity scales on demand, and the operational burden of managing physical media is eliminated. Providers including AWS, Microsoft Azure, and Google Cloud offer native backup services as well as object storage with immutability features that satisfy the air-gap requirement of the extended 3-2-1-1-0 rule.

However, cloud backup introduces considerations that must be actively managed. Data sovereignty is a particular concern under the UK GDPR: personal data transferred to or stored in third countries must be covered by an appropriate international transfer mechanism. The location of backup data must be understood and documented. Additionally, recovery from cloud backup at scale (restoring terabytes of data over a standard internet connection) can be slow and may incur egress charges. Recovery time must be tested, not assumed.

An immutable backup is one that, once written, cannot be modified, encrypted, or deleted for a defined period, even by privileged administrative accounts. Immutability is provided through dedicated backup appliances with WORM (Write Once, Read Many) storage, through object lock features in cloud storage, or through physical offline media. It is the principal technical control that renders ransomware ineffective against the backup infrastructure itself, since an attacker with administrative credentials cannot alter or destroy a copy that the storage system itself refuses to change. Two caveats apply: the retention window must be long enough to outlast an attacker's dwell time, and cloud object lock must be configured in a mode that a privileged account cannot override (on AWS S3, compliance mode rather than governance mode).

NCSC guidance and the frameworks of multiple regulatory bodies now reference immutable backups as a recommended or required control. Any organisation revising its backup architecture should treat immutability as a non-negotiable design requirement.
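A copy is only as immutable as its lock configuration, and the difference between a governance lock and a compliance lock is exactly the difference between a control an attacker with admin credentials can remove and one they cannot. The following is an added example, not code from the original article: a policy check over the dictionaries boto3 returns from get_object_lock_configuration(), get_bucket_versioning() and get_object_retention() on S3 (the shapes are an assumption to confirm against your SDK version; other providers' object-lock APIs differ), run against a constructed weak configuration beside a corrected one.

```python
"""Checking that an 'immutable' cloud copy cannot have its retention shortened or bypassed.

Added example, not code from the original article. The dictionaries mirror
the shape of boto3's S3 get_object_lock_configuration(), get_bucket_versioning()
and get_object_retention() responses (an assumption); the sample
configurations are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed samples in the shape of get_object_lock_configuration() responses.
WEAK_BUCKET = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
CORRECTED_BUCKET = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
VERSIONING_ON = {"Status": "Enabled"}
VERSIONING_OFF: dict = {}   # get_bucket_versioning() returns no Status key when never enabled


def check_bucket_lock(lock_cfg: dict, versioning: dict, min_days: int) -> list[str]:
    """Return every way the bucket's default lock falls short of 'cannot be undone for min_days'."""
    findings: list[str] = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled; object lock depends on it")
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock is not enabled on the bucket")
        return findings
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append("no default retention: an object is only locked if the writer sets retention per object")
        return findings
    mode = rule.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(
            f"default retention mode is {mode}: a governance lock can be removed by any principal "
            "holding s3:BypassGovernanceRetention, which an attacker with admin credentials will have"
        )
    days = rule.get("Days", 0) + 365 * rule.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention of {days} days is shorter than the required {min_days}")
    return findings


def object_is_protected_until(retention: dict, needed_until: datetime) -> bool:
    """True if one object's lock (get_object_retention() shape) is in compliance mode and lasts to needed_until."""
    r = retention.get("Retention", {})
    floor = datetime.min.replace(tzinfo=timezone.utc)
    return r.get("Mode") == "COMPLIANCE" and r.get("RetainUntilDate", floor) >= needed_until


def demo() -> dict:
    """Constructed run: both buckets, plus one object written 29 March 2026 with a 30-day compliance lock."""
    written = datetime(2026, 3, 29, tzinfo=timezone.utc)
    retention = {"Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": written + timedelta(days=30)}}
    return {
        "weak": check_bucket_lock(WEAK_BUCKET, VERSIONING_ON, 30),
        "corrected": check_bucket_lock(CORRECTED_BUCKET, VERSIONING_ON, 30),
        "object_covers_28_days": object_is_protected_until(retention, written + timedelta(days=28)),
        "object_covers_45_days": object_is_protected_until(retention, written + timedelta(days=45)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points follow from the check. A default retention only governs objects written after it is set, so objects already in the bucket need retention applied per object. And because a lock protects object versions, a plain delete request only adds a delete marker; the locked version is still there and can be recovered, which is why versioning is a precondition and why the writer credential should be permitted to put objects but not to delete versions.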

# Example enterprise backup schedule (RPO: 24h, RTO: 4h)

# --- Weekly cadence ---
Sunday 00:00      Full backup        → On-site NAS + Immutable cloud (30-day lock)
Mon–Sat 02:00     Incremental        → On-site NAS + Encrypted cloud

# --- Monthly ---
1st of month      Full backup        → Offline tape rotation (off-site vault)

# --- Testing ---
Quarterly         Recovery test      → Full restore to isolated environment
Annually          DR exercise        → Full BCP invocation simulation

# --- Validation ---
Every backup      Automated verify   → Hash check + completion report to CISO

What the regulators require: backup under the law

Data backup is no longer merely best practice, it is, across a growing range of regulatory frameworks, a formal legal obligation. The specific requirements vary by sector, jurisdiction, and the nature of the data concerned, but the direction of regulatory travel is consistent and unambiguous: organisations are expected to be able to restore data in a timely manner following an incident, and to demonstrate the arrangements by which they will do so.

Framework | Jurisdiction | Backup obligation | Severity
UK GDPR / DPA 2018 | United Kingdom | Article 5(1)(f): integrity and confidentiality principle. Article 32: appropriate technical measures, including the ability to restore availability of personal data in a timely manner after an incident. | High
NIS2 Directive | EU (UK: NIS Regulations 2018) | Mandates backup management as an explicit risk management measure for essential and important entities. Requires policies for backup, recovery, and crisis management. | High
DORA | EU financial sector | The Digital Operational Resilience Act requires financial entities to maintain backup and recovery capabilities, with defined RTO/RPO targets, regular testing, and documented recovery plans. | High
NHS DSPT | United Kingdom (health) | The Data Security and Protection Toolkit requires NHS organisations to maintain and test data backup procedures, with evidence of backup testing forming part of the annual assertion. | High
FCA Operational Resilience | United Kingdom (financial) | PS21/3: firms must be able to remain within impact tolerances for important business services, which requires documented recovery capabilities including data restoration. | High
ISO 27001:2022 | International | Annex A control 8.13, Information backup: backup copies of information, software, and system images must be maintained and regularly tested in accordance with an agreed backup policy. | Certification
SOC 2 (AICPA) | USA / global SaaS | The Availability and Processing Integrity trust services criteria require backup procedures, recovery testing, and monitoring of backup processes. | Certification

UK GDPR Article 32: The backup obligation in plain English

Article 32 of the UK GDPR requires organisations to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk. It explicitly includes, as an example of such a measure, “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.” This is, in effect, a statutory requirement to back up personal data.

What constitutes “timely” is not defined in the legislation, and deliberately so: it depends on the nature of the processing, the potential harm to individuals, and the operational context. What the ICO expects is that you have determined what ‘timely’ means for your organisation, documented it, and can demonstrate that your backup arrangements are capable of meeting it.

The NIS Regulations and Critical Infrastructure

For operators of essential services and relevant digital service providers, the Network and Information Systems (NIS) Regulations 2018, and, for organisations operating in the EU, the updated obligations flowing from the NIS2 Directive, impose explicit requirements around the resilience of network and information systems. Backup is a named control under multiple competent authority guidance documents, and organisations in sectors including energy, transport, water, health, and digital infrastructure should treat backup programme maturity as a regulatory requirement, not merely a good practice.

The World Backup Day Checklist

Whether you are reviewing your backup programme for the first time or auditing an established one, the following checklist provides a practical framework for assessing maturity and identifying gaps. Use today, World Backup Day, as the trigger to go through it with your team.

Checklist item: details

Policy exists and is current: A written Backup Policy has been reviewed within the last 12 months and defines scope, schedule, RTO/RPO targets, and responsibilities.

All critical data is in scope: A data inventory confirms which systems, databases, and file stores are covered. No critical data falls outside the backup programme.

3-2-1-1-0 rule is implemented: Three copies exist; two media types are used; one copy is off-site; one copy is offline or immutable; zero backup errors are accepted.

Backups are encrypted: All backup data, in transit and at rest, is encrypted using an approved algorithm. Encryption keys are managed separately from the encrypted data.

Immutable or air-gapped copy exists: At least one backup destination is protected against ransomware modification, either through immutable storage (object lock) or physical offline separation.

Backups are monitored and alerting: Failed backups trigger immediate alerts to the responsible team. Backup health is reviewed at least weekly.

Recovery has been tested: A full recovery test has been performed within the last 12 months, to an isolated environment, with results documented. The restoration process is understood and rehearsed.

RTO and RPO are defined and achievable: Recovery Time and Recovery Point Objectives are documented, have been agreed with the business, and have been validated through testing, not merely assumed.

Third-party and cloud backups are understood: The location of backup data held by processors or cloud providers is known. International data transfers are covered by appropriate mechanisms. SLAs include recovery commitments.

Backup access is controlled: Access to backup systems and media is restricted to authorised personnel. Privileged accounts used for backup management are separate from standard administrator accounts and are subject to enhanced monitoring.

Retention periods are documented: Backup retention periods are defined and applied consistently. Long-term retention backups containing personal data are reviewed against UK GDPR obligations.

Physical media is secured: Offline and tape backups are stored in a physically secure location. Off-site media is transported and stored securely, with a chain of custody maintained.

Backups and data protection: managing the conflict

Readers of our companion piece on data deletion will recognise a fundamental tension: the UK GDPR demands that personal data be deleted when it is no longer needed, whilst robust backup practice requires that data be retained in multiple copies across multiple locations. These obligations pull in opposite directions, and managing the conflict between them requires deliberate governance.

The ICO’s position on backups

The ICO acknowledges that it is frequently not technically feasible to selectively delete specific records from backup media, particularly tape-based or snapshot-based backups where individual record deletion would corrupt the entire backup set. Its guidance accepts that where deletion from live systems has been carried out, personal data that remains in backups may be retained until the backup is naturally overwritten or retired, provided it is not accessed or processed for any other purpose in the interim, and provided appropriate technical and organisational controls are in place to ensure it is not inadvertently restored.

Practical governance requirements

This position does not grant an unlimited licence to retain personal data indefinitely in backup systems. Organisations should document the rationale explicitly in their retention schedules and ROPA entries, set appropriate backup retention periods that reflect the operational necessity and balance it against data minimisation, ensure that backups are not used as a mechanism to circumvent deletion obligations on live systems, and apply access controls that prevent personal data in backups from being accessed except during a genuine recovery event.

# Backup Retention Policy — Data Protection Alignment
Live system deletion:    Applied per retention schedule       ✓ Immediate
Daily backup tapes:      Overwritten on 30-day cycle          ✓ Compliant
Weekly full backups:     Retained 3 months, then purged       ✓ Compliant
Monthly archives:        Retained 12 months, then purged      ✓ Compliant
Annual DR snapshots:     Retained 3 years (business need)     ⚠ Review against ROPA
# Rule: backups must not be accessed to fulfil SARs without legal review
# Rule: restoration from backup triggers re-application of deletion schedule.

The pledge, and what it actually means

The World Backup Day pledge – “I solemnly swear that I will backup my important documents and precious memories on this day, the 31st of March” – is deliberately simple. The simplicity is the point. The hardest part of backup culture is not the technology. It is the discipline of treating something invisible as genuinely important, until the moment it becomes urgently, undeniably necessary.

For organisations, that discipline must be institutional rather than individual. It must be encoded in policy, embedded in architecture, validated through testing, and owned at the board level. A CISO who cannot answer the question “if our primary systems were encrypted tonight, how long before we’re operational again?” is not in a position to provide meaningful assurance to the business.

The regulatory environment is increasingly unforgiving. The ICO, the FCA, and the NIS competent authorities are all asking harder questions about organisational resilience, and the ability to restore data following an incident sits at the heart of those conversations. Cyber insurers are scrutinising backup maturity before underwriting. Clients and partners are asking about it in due diligence questionnaires.

But beyond the regulatory and commercial imperatives, there is a simpler truth: data represents work, relationships, trust, and, where it is personal data, people’s lives. Treating it as something worth protecting, worth testing, and worth recovering, is a statement of organisational values as much as it is a technical exercise.

So on this World Backup Day: run your checklist. Test a restoration. Review your retention periods. Make sure your immutable copy is genuinely immutable. And don’t be an April Fool.
