What Everyone Needs to Know

A “backup” is, in general, one or more copies of important data that is stored on your devices or servers (including virtual servers and virtual machines) or held by your cloud-based service providers (email, case management, documents, fundraising, etc.). Backups are used to restore the original information after data loss. Data loss can occur for several reasons, including hardware failures, human error, ransomware attacks, or theft. Protecting backups from corruption, deletion, and unauthorized access is a critical task for IT administrators, since backups help us recover from all kinds of disasters.


Creating backups of essential data can ensure that attacks do not interrupt service. Backups can include:  

  • User data, such as individual users’ profiles and files.
  • Organizational data, such as databases and configurations of your office’s case management systems or Windows login infrastructure.
  • Full server images, which can make restoring from a cyberattack or system failure painless.

Backups are only as good as when and how they are created, so your organization should have a plan for how often to create backups and where to store them.


Most cloud-based services (e.g., email, documents, case management, donor management) back up your organization’s data to help the service provider recover if their server or network environment is damaged or attacked. It is worth investigating what each cloud provider backs up, how long the backup data is preserved, and how you may recover data that is damaged or lost by your users or through a cyber incident. Your organization may decide that it wants to back up some or all of your cloud-based service data in addition to the backups provided by the service vendor. These backups might help programs meet their data retention policy requirements and protect against data that was lost or corrupted but not discovered until after the point at which the cloud service provider can recover the data itself. These backups might also make it easier and faster to recover specific data, or make it practical to turn off accounts for users who have left the organization but who created data that needs to be retained.

What IT Needs to Know

Creating backups is the process of making one or more copies of important data that is stored on your devices or servers or held by your cloud-based service providers (email, case management, documents, fundraising, etc.), so that the original information can be restored after data loss. Backups should be stored in a secure location, physically and logically separate from the original data. During ransomware attacks, backups are a primary target because the attackers want to prevent you from being able to recover. There are multiple storage options, including external hard drives, tape drives, and encrypted cloud-based storage.


There are several important things to consider when planning for and storing backups.

  • How often should you perform backups? The timing of backups can greatly impact their usefulness. For instance, if you need to recover data but you only store backups once a day overnight, you could potentially lose a full day of work.
  • How long will it take to restore your data? If you have a large amount of data, you may need faster local storage to shorten recovery times.
  • How long will it take to restore your entire system if it is affected by an attack, a hardware failure, or data corruption? The extent of a breach will determine the time necessary to restore backups.
  • What are the ongoing human, hardware, and monetary costs of the backups? Storage costs money, and so does IT staff time spent on maintaining backup systems.
  • How will you monitor backups to make sure they are working and backing up all the required data? Consider ways to do this automatically as part of your backup system.
  • Is the backup data encrypted in case the backup is accessed in an unauthorized fashion?
  • How will you secure access to your backup system or systems? You should ensure that backups are only accessible to authorized personnel, that the systems are protected with MFA, and that the data cannot be changed once it is backed up. 
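
One way to automate the checks raised in the list above (backup age, coverage of required data, and detection of changes after backup), as an added example that is not part of the original page or any vendor's tool. The manifest layout, function names, and sample paths are assumptions, and the manifest is assumed to be kept separately from the backup it describes.

```python
import hashlib, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream large files
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_dir, created):
    """Hash every file at backup time; store the result apart from the backup."""
    root = Path(backup_dir)
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"created": created, "files": files}

def check_backup(backup_dir, manifest, required, max_age_hours, now):
    """Return findings; an empty list means the backup passed every check."""
    findings = []
    age = (now - manifest["created"]) / 3600
    if age > max_age_hours:  # backup schedule is not being met
        findings.append(f"STALE: {age:.0f}h old, limit {max_age_hours}h")
    for prefix in required:  # each required data set needs at least one file
        if not any(f.startswith(prefix) for f in manifest["files"]):
            findings.append(f"NOT_BACKED_UP: {prefix}")
    for rel, digest in sorted(manifest["files"].items()):
        path = Path(backup_dir) / rel
        if not path.is_file():
            findings.append(f"DELETED: {rel}")
        elif sha256_file(path) != digest:  # backup changed after it was taken
            findings.append(f"MODIFIED: {rel}")
    return findings

def demo():
    """Constructed sample: two data sets backed up, a required third absent."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data in {"cases/db.sql": b"rows", "users/a.docx": b"doc"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        t0 = 1_700_000_000  # constructed backup timestamp
        manifest = build_manifest(root, created=t0)
        required = ["cases/", "users/", "config/"]  # hypothetical data sets
        clean = check_backup(root, manifest, required, 24, now=t0 + 3600)
        (root / "cases/db.sql").write_bytes(b"encrypted")  # copy altered later
        (root / "users/a.docx").unlink()                   # copy removed later
        later = check_backup(root, manifest, required, 24, now=t0 + 30 * 3600)
        return clean, later
```

Calling `demo()` returns the findings for a fresh backup and for the same backup 30 hours later after one file was altered and one removed; in a scheduled job, any non-empty result from `check_backup` would raise an alert.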

Costs for implementing and maintaining a backup protocol can vary widely. It is worth shopping around to find the right mix of features and cost. There is a significant investment of time to set up and do some initial testing of your backups. For smaller, simpler technology environments, this might be in the tens of hours. For larger, more complex environments, it might be over 100 hours to implement and fully test.

Solutions to Consider

  • For backup of on-site servers and virtual machines, and cloud backups of accounts (such as Microsoft 365 Email or SharePoint):
  • Microsoft Azure Site Recovery (Backups): Website
  • Keepersecurity: Website

