Ask anyone who regularly deals with incident recovery what separates a disruption from a disaster, and you’ll likely hear the same answer: clean, recent, and restorable backups.
In the modern threat landscape, properly stored and protected backups have become more essential than ever. However, threat actors know this as well, which explains why, as backup and restoration capabilities continue to improve, double and triple extortion has become the new normal. The Arctic Wolf 2025 Threat Report found that, in 96% of ransomware cases we responded to, the attackers also exfiltrated data to increase pressure to pay the ransom. While worrying, this serves as proof that data backups work, and threat actors have had to evolve their attacks with the exfiltration of data prior to encryption to increase their chances of a payday.
But properly protecting your data with backups isn’t a one-size-fits-every-environment proposition. You need to determine what data to back up, how often to do so, and where to store your backups.
What Is Data Backup?
At the organizational level, data backup is the repeatable process of creating consistent, point-in-time copies of data, system images, and configurations; storing those copies on separate media and in separate locations; and verifying that they can be restored to a trusted state.
It’s that last part which makes data backups a recoverability control. Without proper testing of your backups to ensure complete restoration, your data backup is merely storage.
Common security frameworks offer more details:
- CIS Controls v8.1 (Control 11) advises organizations to automate their backups, protect recovery data at the same level as production data, maintain at least one isolated backup instance, and test backup recovery at least quarterly
- The Australian Cyber Security Centre’s Essential Eight make regular backups a core component of each of its three maturity levels, with requirements around synchronization to a common point in time and their secure, resilient storage among others
- The NIST CSF’s Protect and Recover Functions advise organizations to back up critical data continuously, test those backups regularly, store some copies offline and offsite, and restrict where backup data may reside to further reduce risk
How Do Data Backups Aid in Recovering From a Cyber Attack?
Backups do three crucial things during an incident:
1. Short-circuit ransom leverage: When you can restore quickly, you have far less reason to pay for a decryptor. Arctic Wolf’s 2025 Threat Report found the median aggregate ransom demand remains at $600,000 (USD), yet only 30% of organizations we worked with elected to pay the ransom. Paying was the only viable recovery option in just 12% of cases, with usable backups being a major reason behind these figures.
2. Contain integrity risk: An offline backup or an immutable one — a backup that cannot be modified, deleted, or encrypted for a specific period after it is created — allows you to roll back your environment to a known valid state after integrity loss from ransomware encryption, wiper activity, or attacker-caused misconfigurations.
3. Accelerate business recovery: Modern ransomware almost always blends encryption with data exfiltration. Even with a refusal to pay, organizations still need a way to restore core services needed for communications, legal, and privacy workstreams. Clean, recent, and restorable backups reduce organizational downtime and let incident response proceed in parallel.
One word of warning: According to the Arctic Wolf 2025 Threat Report, external remote access such as RDP, VPN, and remote access tools was behind 59% of the ransomware cases investigated by Arctic Wolf® Incident Response in the past year. Since many ransomware gangs now attempt to disable or delete backups as soon as they gain access to an environment, assume they will find and destroy any backup they can reach over the network with the credentials they hold, which makes offline or immutable copies essential.
What Are the Main Types of Backups?
When it comes to protecting your data, diversification matters. To thwart threat actor attempts to disable or delete reachable backups, use a mix of backup media and locations so that no single credential, network path, or site failure can take out every copy.
Here are some of the main backup types available to organizations:
Hard Drive (On-Premises Disk or Appliance)
This common form of backup stores data on a dedicated backup appliance, or on local, disk-based storage like external hard drives (HDDs and SSDs), USB flash drives, and Network Attached Storage (NAS) devices. Both approaches use high-speed disks to enable fast backup and restoration operations, making them highly useful for frequently accessed data.
Benefits
- High-throughput local restoration capabilities
- Cost-effective for large data sets, and fast enough to support a short recovery time objective (RTO), the maximum time an organization can tolerate its critical systems being offline before the financial or operational impact becomes unacceptable.
Drawbacks
- If a disk backup is reachable over the network, ransomware that encrypts or deletes production data will typically encrypt or delete the backup in the same run. These on-premises and appliance backups should therefore be isolated wherever possible: a separate network segment, a management interface that is not domain-joined, and no file share open to ordinary workstations.
- IT teams should also harden the credentials needed to reach them: use dedicated backup-administrator accounts that are separate from domain admin, require MFA, and grant modify or delete rights to as few accounts as possible.
- Finally, IT leaders should consider Write-Once-Read-Many (WORM) immutability, which prevents a backup from being modified, deleted, or encrypted for a set retention period after it is created, so that stolen administrator credentials alone are not enough to destroy it (in compliance-mode implementations, even administrators cannot shorten the retention period).
Tape
Magnetic tape cartridges have been around for decades, but the technology is still widely used in enterprise IT, especially for long-term archives and ransomware-resilient backups. Data is written to the cartridges by a tape drive, and the cartridges are then usually removed and stored offline in a secure vault or other off-premises location.
Benefits
- High-capacity, low-cost storage medium allows organizations to store and preserve data that does not need to be accessed frequently.
- A cartridge that has been ejected and vaulted is physically air-gapped from your environment, so a threat actor with network access cannot exfiltrate, encrypt, or delete it. Note that tapes still loaded in a connected library do not have this protection; the air gap only exists once the media is removed.
Drawbacks
- Not well suited to providing recent, point-in-time data, as tape is typically used for long-term storage rather than frequent restores.
- Restoration from tape backups is a slower process than other forms, as tape stores data in a linear stream, meaning the tape must physically wind to the correct position before you can access it, unlike a hard drive backup, which provides random access and allows you to jump directly to the data you want.
- Locating the correct tape, physically inserting it into the tape library or drive and letting it spin up and calibrate also adds to restoration time in a moment when every second matters.
- If tapes are stored offsite, as recommended, retrieval and transportation time must also be factored in.
Cloud Backups (Backup-as-a-Service / Software-as-a-Service)
Cloud backups provide scalable, flexible, and geographically distributed protection for an organization’s data. Backup-as-a-Service (BaaS) centralizes the backup and restoration process through a managed cloud platform and collects system, database, and file-level data via agents or APIs before exporting them to secure cloud storage, while Software-as-a-Service (SaaS) backups protect cloud-native applications like Microsoft 365, Google Workspace, and Salesforce. SaaS backups also use application APIs to capture data, files, and configuration states.
Benefits
- The cloud provider manages the underlying storage durability and replication, reducing cost and effort for the organization. Under the shared responsibility model, however, the organization still owns access control, key management, and retention configuration.
- Data is encrypted in transit and at rest, reducing risk when configured correctly.
- Many providers support immutability, object locking, and versioning to better defend against ransomware attacks.
- Restore workflows are largely automated and require no handling of physical media, though restore speed still depends on available bandwidth (see the drawbacks below).
Drawbacks:
- Cloud backup performance depends heavily on the organization’s network capabilities and bandwidth. If poor, both initial full backups and restoration may lag.
- Without proper data retention policies, cloud storage consumption can become expensive as the provider is asked to store duplicate datasets or unnecessary versions.
- Some businesses may face compliance or regulatory restraints that inhibit or limit where data can be stored in the cloud.
- Misconfiguration risks are significant with cloud backups, meaning overly broad permissions or unsecured API keys can expose them to encryption or deletion.
- Cloud services require robust identity controls, logging, and monitoring to prevent unauthorized access or supply chain compromise.
Offsite
These backups provide strong resilience by storing data in a physically separate, distant location. With third-party vaulting, backup data is stored in a secure offsite facility managed by a specialized provider: organizations ship encrypted backup media or replicate encrypted data to the provider, where it is stored under climate control and monitored retention policies. Physical media held in a vault is genuinely air-gapped; a replicated vault or DR site is reachable over the network and must be segmented and protected like any other backup target. Disaster recovery (DR) sites are secondary environments capable of accessing, running, and modifying data, not just storing it. They can be “cold” (operational infrastructure stays offline until needed), “warm” (systems are on standby and ready to receive data), or “hot” (a fully synchronized environment ready to resume operations).
Benefits:
- Provides robust protection against cyber attacks, but also against natural disasters and utility grid events.
- Satisfies compliance frameworks that require geographic redundancy and long-term retention of backups.
- Can enable faster recovery from an alternate location.
Drawbacks:
- Transporting or replicating data to a remote location can take a long time, especially for large data sets.
- Restoration can be impeded due to the data needing to be retrieved from the remote location or shipped back.
- Organizations must ensure secure handling, encryption, and chain-of-custody if physical media is involved.
- Misconfigurations can result in incomplete or outdated datasets.
- Operating multiple locations increases operational overhead, requires stronger documentation, and increases operational complexity during restoration.
How Often Should You Conduct a Backup?
There is no universal cadence for organizational backups. Ideally, backup frequency follows a business impact analysis (BIA), which identifies the business functions most critical to the organization and the order in which they should be restored after an incident; the most critical functions are then backed up most frequently.
Barring a BIA, organizations should look to common industry frameworks for advice on setting their backup cadence. For example, CIS Control 11 recommends that automated backups run at least weekly, and more frequently for sensitive data, with recovery testing at least quarterly.
Another complicating factor is the expansion of organizational environments to include everything from IoT and mobile devices to SaaS platforms. Here are some general guidelines for how often to back up each element of your environment:
Endpoints
- Daily incremental backups that only capture what has changed since the last backup
- Continuous sync for critical roles like those in finance, engineering, HR and the C-Suite
- Developer endpoints may warrant hourly snapshots of local repositories or mandatory remote-first storage
Servers
- Daily incremental and weekly full backups
- Hourly backups for transactional tiers, like finance, customer relationship management (CRM) and e-commerce
Databases
- Continuous Write-Ahead Log (WAL) shipping — a process of copying transaction log files from a primary database server to one or more secondary servers to create a real-time replica
- Daily full backups to immutable, versioned object storage
- Periodic point-in-time recovery drills to alternate hosts
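WAL shipping and point-in-time recovery are easier to reason about with a concrete model. The Python below is an added example written for this article, not PostgreSQL’s or any vendor’s implementation: a toy key-value database appends every change to a write-ahead log before applying it, takes a base backup at a known log position, and a recovery routine replays the shipped log up to a chosen timestamp. That stopping point is what lets a point-in-time restore land just before a ransomware encryption run began while keeping every legitimate write made after the nightly base backup. The account keys, timestamps, and the “ENC:” marker standing in for attacker-encrypted values are constructed.

```python
"""Added example: toy write-ahead log, base backup and point-in-time recovery.
Not from the Arctic Wolf article; data and timestamps are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class WalRecord:
    lsn: int            # log sequence number, strictly increasing
    ts: datetime        # commit timestamp stored with the record
    op: str             # "set" or "delete"
    key: str
    value: str | None = None


def apply_record(data: dict[str, str], rec: WalRecord) -> None:
    if rec.op == "set":
        data[rec.key] = rec.value
    elif rec.op == "delete":
        data.pop(rec.key, None)
    else:
        raise ValueError(f"unknown op {rec.op!r}")


class Primary:
    """Every change is appended to the WAL before it touches the data."""

    def __init__(self) -> None:
        self.data: dict[str, str] = {}
        self.wal: list[WalRecord] = []
        self.lsn = 0

    def _commit(self, op: str, key: str, value: str | None, ts: datetime) -> None:
        self.lsn += 1
        rec = WalRecord(self.lsn, ts, op, key, value)
        self.wal.append(rec)          # in production this segment is shipped to a standby
        apply_record(self.data, rec)

    def set(self, key: str, value: str, ts: datetime) -> None:
        self._commit("set", key, value, ts)

    def delete(self, key: str, ts: datetime) -> None:
        self._commit("delete", key, None, ts)

    def base_backup(self) -> tuple[int, dict[str, str]]:
        """Consistent snapshot plus the LSN it is valid at."""
        return self.lsn, dict(self.data)


def recover(base: tuple[int, dict[str, str]], shipped_wal: list[WalRecord],
            target_ts: datetime | None = None) -> dict[str, str]:
    """Restore the base backup, then replay shipped WAL records newer than the
    backup's LSN. Stop at target_ts for point-in-time recovery; None means
    replay everything (which also replays the attacker's writes)."""
    base_lsn, data = base
    data = dict(data)
    for rec in shipped_wal:
        if rec.lsn <= base_lsn:
            continue                  # already contained in the base backup
        if target_ts is not None and rec.ts > target_ts:
            break                     # everything after this point is unwanted
        apply_record(data, rec)
    return data


def scenario() -> dict[str, dict[str, str]]:
    """Constructed timeline: base backup, legitimate writes, then an encryption run."""
    t0 = datetime(2025, 3, 1, 0, 0, tzinfo=timezone.utc)
    db = Primary()
    db.set("acct:1001", "balance=250", t0)
    db.set("acct:1002", "balance=900", t0 + timedelta(minutes=5))
    base = db.base_backup()                                      # nightly base at LSN 2
    db.set("acct:1003", "balance=40", t0 + timedelta(hours=2))   # legitimate
    db.delete("acct:1002", t0 + timedelta(hours=3))              # legitimate
    attack_start = t0 + timedelta(hours=4)
    db.set("acct:1001", "ENC:<ciphertext>", attack_start)       # ransomware overwrites rows
    db.set("acct:1003", "ENC:<ciphertext>", attack_start + timedelta(seconds=30))
    shipped = list(db.wal)   # the standby's copy; store it immutably as well
    return {
        "base_only": recover(base, []),                 # loses three legitimate hours
        "replay_all": recover(base, shipped),           # faithfully restores the damage
        "pitr": recover(base, shipped, attack_start - timedelta(seconds=1)),
    }


if __name__ == "__main__":
    for name, state in scenario().items():
        print(name, state)
```

The three results show why the drill matters: restoring the base backup alone discards the legitimate writes made after it, replaying the entire log reproduces the attacker’s overwrites, and only the time-bounded replay yields the last clean state. The shipped log is itself a backup target, so it needs the same immutability as the base backup; an attacker who can truncate it removes the ability to recover past the base.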
Networks and Security Appliances
- Nightly config backups or on-change triggers for firewalls, routers, switches, web application firewalls (WAFs), virtual private networks (VPNs), identity providers, and endpoint detection and response (EDR) /security information event management (SIEM) policies
- Store the backups in a secure repository with change tracking, so that an unauthorized configuration change can be spotted and rolled back
SaaS Platforms
- Providers run their own backups to protect the platform from their own failures, not to protect your tenant from accidental deletion, malicious insiders, or ransomware acting through a compromised account, and their native retention windows are limited. Best practice is to deploy third-party SaaS backup (BaaS) with granular restore and immutability, running at least daily and on a shorter cadence for critical mailboxes and drives.
Whatever cadence you settle on, enforce tiering by criticality and explicitly document both your RTO and your Recovery Point Objective (RPO) — which is the maximum amount of data your organization can afford to lose during an incident, measured in time — in your data retention and recovery policies.
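The daily incremental backups recommended above for endpoints and servers depend on knowing exactly what changed since the previous set, and the definition earlier in this article insists that a backup only counts once a restore has been verified. The following Python script is an added example written for this article, not a tool from Arctic Wolf or any backup vendor: it builds a full set and one incremental set from a constructed sample directory, restores the chain into a clean directory, and compares the restored tree against the newest SHA-256 manifest. The file names, directory layout, and the chain format (a tar archive plus a JSON manifest per set) are illustrative assumptions.

```python
"""Added example: full + incremental backup chain with manifest verification.
Not from the Arctic Wolf article; the sample files and layout are constructed."""
from __future__ import annotations
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (POSIX relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def changed_since(prev: dict[str, str], cur: dict[str, str]) -> list[str]:
    """Files that are new or whose content hash differs from the previous manifest."""
    return sorted(rel for rel, digest in cur.items() if prev.get(rel) != digest)


def write_backup(src: Path, dest: Path, prev: dict[str, str] | None) -> dict[str, str]:
    """Write one backup set under dest. With prev=None this is a full set;
    otherwise only changed files are archived (a daily incremental).
    The manifest always describes the complete point-in-time state."""
    cur = build_manifest(src)
    members = list(cur) if prev is None else changed_since(prev, cur)
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(dest / "data.tar", "w") as tar:
        for rel in members:
            tar.add(src / rel, arcname=rel)
    (dest / "manifest.json").write_text(json.dumps(cur, sort_keys=True))
    return cur


def restore_chain(sets: list[Path], target: Path) -> dict[str, str]:
    """Apply the full set then each incremental in order. Later members overwrite
    earlier ones; files deleted in production are pruned using the final manifest."""
    target.mkdir(parents=True, exist_ok=True)
    for s in sets:
        with tarfile.open(s / "data.tar") as tar:
            try:
                tar.extractall(target, filter="data")  # refuses path traversal (3.12+)
            except TypeError:
                tar.extractall(target)                 # interpreters without the filter
    final = json.loads((sets[-1] / "manifest.json").read_text())
    for rel in build_manifest(target):
        if rel not in final:
            (target / rel).unlink()
    return final


def verify_restore(restored: Path, manifest: dict[str, str]) -> list[str]:
    """Return a list of discrepancies. An empty list is the '0' in 3-2-1-1-0."""
    actual = build_manifest(restored)
    errors = [f"missing: {rel}" for rel in manifest if rel not in actual]
    errors += [f"hash mismatch: {rel}" for rel, d in manifest.items()
               if rel in actual and actual[rel] != d]
    errors += [f"unexpected: {rel}" for rel in actual if rel not in manifest]
    return sorted(errors)


def demo() -> dict:
    """End-to-end run on a constructed tree: full set, changes, incremental, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "a.txt").write_text("alpha")
        (src / "b.txt").write_text("bravo")
        (src / "c.txt").write_text("charlie")
        m0 = write_backup(src, root / "set0", None)        # Sunday: full
        (src / "b.txt").write_text("bravo v2")             # modified
        (src / "d.txt").write_text("delta")                # created
        (src / "c.txt").unlink()                           # deleted
        m1 = write_backup(src, root / "set1", m0)          # Monday: incremental
        with tarfile.open(root / "set1" / "data.tar") as tar:
            incremental_members = sorted(tar.getnames())
        restored = root / "restore"
        restore_chain([root / "set0", root / "set1"], restored)
        return {
            "incremental_members": incremental_members,     # only b.txt and d.txt
            "restored_files": sorted(build_manifest(restored)),
            "errors": verify_restore(restored, m1),         # [] means verified
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details carry over to real tooling: the manifest for an incremental set still records the complete state (so a restore knows what to prune, not just what to add), and verification compares hashes rather than file sizes or timestamps, because an encrypted or tampered file can keep both.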
What Is the 3-2-1 Rule?
The simplest standard for a robust, effective data backup program is to follow the “3-2-1 Rule.” Simply put, this means:
- 3 copies of your data (production data plus two backups)
- On 2 different forms of media or platforms
- With 1 of those copies residing offsite
Taking things further, however, means adhering to the “3-2-1-1-0 Rule,” which better reflects the requirements needed to ensure proper data protection in the modern threat environment. It expands the classic “3-2-1 Rule” to include:
- At least 1 immutable and/or air-gapped copy of your data
- And 0 errors in recovery testing or validated restores
This extension of the rule is considered best practice against modern ransomware operations, which routinely seek out and destroy reachable backups before encrypting production data and, as discussed above, have made data exfiltration the rule rather than the exception.
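Checking an actual backup inventory against the 3-2-1-1-0 rule, and against the RPO documented in the retention and recovery policy, is straightforward to express as code. The Python below is an added example written for this article, not a tool from Arctic Wolf; the inventory fields, media names, and the two constructed scenarios are assumptions for illustration. It counts production plus backup copies, distinct media, offsite copies, immutable or air-gapped copies, and restore-test results, and it reports the worst-case data loss window implied by the freshest copy that has actually passed a restore test.

```python
"""Added example: evaluate a backup inventory against 3-2-1-1-0 and the RPO.
Not from the Arctic Wolf article; the inventory and scenarios are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                            # "disk", "tape", "object-storage", ...
    location: str
    offsite: bool
    immutable: bool                        # WORM / object lock with retention
    air_gapped: bool                       # physically disconnected (ejected tape)
    last_successful: datetime              # newest completed backup on this copy
    last_restore_test_errors: int | None   # None means never tested


def evaluate(copies: list[BackupCopy], now: datetime, rpo: timedelta,
             production_medium: str = "disk") -> dict:
    """Return findings for each part of 3-2-1-1-0 plus the current RPO exposure."""
    findings: list[str] = []
    if len(copies) < 2:
        findings.append("3: need production plus at least two backup copies")
    media = {production_medium} | {c.medium for c in copies}
    if len(media) < 2:
        findings.append("2: all copies share one medium/platform")
    if not any(c.offsite for c in copies):
        findings.append("1: no offsite copy")
    if not any(c.immutable or c.air_gapped for c in copies):
        findings.append("1: no immutable or air-gapped copy")
    untested = [c.name for c in copies if c.last_restore_test_errors is None]
    failed = [c.name for c in copies if c.last_restore_test_errors]
    if untested:
        findings.append(f"0: never restore-tested: {', '.join(untested)}")
    if failed:
        findings.append(f"0: restore test errors on: {', '.join(failed)}")
    # Worst-case data loss: everything written since the freshest copy that is
    # known to restore. An untested copy is storage, not recovery, so it is excluded.
    usable = [c for c in copies if c.last_restore_test_errors == 0]
    newest = max((c.last_successful for c in usable), default=None)
    exposure = (now - newest) if newest else None
    if exposure is None:
        findings.append("RPO: no restore-tested copy, exposure unbounded")
    elif exposure > rpo:
        findings.append(f"RPO: exposure {exposure} exceeds target {rpo}")
    return {"compliant": not findings, "findings": findings, "rpo_exposure": exposure}


def scenarios() -> dict[str, dict]:
    """Two constructed inventories evaluated at the same moment."""
    now = datetime(2025, 6, 2, 9, 0, tzinfo=timezone.utc)
    nas = BackupCopy("nas-daily", "disk", "primary-dc", False, False, False,
                     now - timedelta(hours=6), 0)
    cloud_locked = BackupCopy("s3-locked", "object-storage", "cloud-region-b",
                              True, True, False, now - timedelta(hours=6), 0)
    tape = BackupCopy("tape-weekly", "tape", "offsite-vault", True, False, True,
                      now - timedelta(days=5), 0)
    cloud_open = BackupCopy("s3-sync", "object-storage", "cloud-region-b",
                            True, False, False, now - timedelta(hours=1), None)
    return {
        # disk + object-locked cloud copy + vaulted tape, all tested: compliant
        "good": evaluate([nas, cloud_locked, tape], now, rpo=timedelta(hours=24)),
        # NAS plus a plain, never-tested cloud sync: an offsite copy exists, but
        # nothing survives stolen admin credentials and the sync cannot be counted
        "weak": evaluate([nas, cloud_open], now, rpo=timedelta(hours=4)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The “weak” inventory is the common real-world shape: it passes the classic 3-2-1 counts yet fails both of the added requirements, and because its freshest copy has never been restore-tested, the measured RPO exposure falls back to the older NAS copy and breaches the four-hour target.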
What Role Do Backups Play in an Incident Response Plan?
Backups are a core component of effective incident response, providing the foundation for restoration of systems to a trusted state post-breach. When ransomware, malware, data corruption, or other forms of destructive activity disrupts an organization’s operations, validated and protected backups enable rapid recovery, minimize downtime, and help organizations avoid paying a ransom or rebuilding an environment.
Here’s how your organization can ensure your backup policies and procedures work most effectively within your overall incident response plan:
Preparation
- Maintain an authoritative asset and data inventory that maps systems to backup locations, retention, and restore runbooks
- Pre-stage credential vaults and break-glass identities — emergency administrative accounts that are kept separate from normal operational accounts and only used in critical situations — for backup platforms
- Align with CISA guidance for offline, encrypted, immutable, and regularly tested backups
- Run the backup-destroyer scenario in a tabletop exercise — a worst-case scenario where participants are forced to explore how they would respond if the organization’s backups fail.
Detection and Analysis
- Snapshot volatile evidence and coordinate with backup admins to freeze retention on restore points that are most likely to be clean
- As many intrusions begin via RDP and VPN, assume that backup credentials and/or tokens have been compromised and rotate them immediately
Containment, Eradication, and Recovery
- Treat backup infrastructure as Tier 0, the same trust tier as domain controllers and identity providers, because anyone who controls it can alter or destroy every restore point; administer it only from dedicated accounts and workstations, and verify that a restore point is uncompromised before restoring from it
- Use staged recovery to rebuild identity and network control planes before business services
- Validate the recovered systems against known-good baselines to compare current configurations or behaviors against what is considered “normal” and trusted
- Scan restore points for the indicators and TTPs observed during the incident before promoting them to production, since a backup taken after initial access may already contain the attacker’s persistence
Post-Incident
- Update your BIA and data recovery policies with the observed RTO/RPO, adjust backup cadences, and close any visibility gaps discovered during the incident (for example, missing SaaS coverage)
In today’s threat landscape, “having backups” isn’t enough. You need validated recovery, isolation and immutability, full SOC visibility, and a dedicated IR team ready to engage the moment an incident strikes. As threat actors adopt fileless malware, double- and triple-extortion ransomware, and targeted backup destruction, organizations must also evolve through proactive efforts, framework-aligned policies, and threat-informed architecture so that when, not if, an incident strikes, your response is fast, confident, and on your own terms.
Discover how Arctic Wolf Incident Response provides a full-service IR team that helps organizations recover from attacks and restore business operations as fast as possible.
Learn how you can gain proactive protection and strong defensive capabilities with the Incident360 Retainer, which provides full-service coverage for one incident, plus advanced readiness offerings to prepare organizations for cyber incidents and to minimize their impact.
