Backups and data recovery at a glance

You ever had that embarrassing moment at an Apple Store: “We’re sorry, but this one’s a goner. Did you back up regularly?”...followed by shamefaced silence?  Data loss without a backup can wreck months or years of work – even in your private life.  

The consequences of data loss are far more serious for companies: Having data go missing for just a few hours or even minutes can ruin a company. Recently compiled researches have shown, that the average amount of a data loss for a UK firm has increased to £1.9 million a year, or £71 per record.

In the event of a misconfiguration with an online shop’s IT architecture, online shoppers would be unable to access the site until it has been fully restored. Implementing a backup or data recovery plan would have prevented this incident and significant financial losses from the business itself.

To minimise the risk of data losses, it is important to implement the right backup and data recovery strategy for your company.  

What you need to know, in a nutshell 

  • Data can be lost for various reasons, e. g., if deleted accidently or maliciously by malware. 
  • You need a data backup and recovery strategy so that the data can be recovered if lost.  
  • For a company to find the right strategy, it’s important for them to set clear objectives on what is acceptable.  The company should set the objectives based on a prior risk analysis. 
  • There are various storage media on the market for backups, depending on the requirements, and you can use and write these according to different methods.  
  • Many companies regularly overwrite limited storage media in the form of a grandfather-father-son backup.  
  • You should not neglect data protection when it comes to backups, since newer technologies, like cloud backups, pose challenges for companies.  

In this article

Definition: What does ‘data loss’, ‘data backups’, and ‘data recovery’ mean?  

Data loss 

Data loss occurs when a company loses data that is essential for the operation of the business. A loss like this can be caused by the following:  

  • Unintentional deletion  
  • Accidental misconfiguration  
  • Corrupted data 
  • Malware used during hacker attacks 
  • Faulty hardware  
  • Lost hardware  
  • Destruction of the storage medium by a fire, water, or other force of nature 

In a study by the Recoverylabs (2021), 56% of respondents stated that they had suffered data loss at least once.  

Data backup 

A concept of a data backup is in place so that we can keep the consequences and costs of data loss as low as possible. A backup is used so that you can recover work data that has been lost. The data is restored from a certain recovery point. There are two variables that determine the impact of data loss:  

  • Recovery Point Objective (RPO): An RPO is a measurement of time from the failure, disaster or comparable loss-causing event. RPOs measure back in time to when your data was preserved in a usable format, usually to the most recent backup. Recovery processing usually preserves any data changes made before the disaster or failure. RPOs can also refer to how much data can be lost before your enterprise receives significant harm, also known as your enterprise’s loss tolerance
  • Recovery Time Objective (RTO):RTOs represent the amount of time an application can be down and not result in significant damage to a business and the time that it takes for the system to go from loss to recovery. This recovery process includes the steps that IT must take to return the application and its data to its pre-disaster state. For high-priority applications, an RTO can be safely expressed in seconds, as long as the IT department has invested in failover services. RTOs require your IT department to first sort applications based on their priority and risk of business loss. IT then allots these applications the appropriate amount of your enterprise’s resources, namely time, money and IT infrastructure.

The shorter the RPO and RTO, the fewer negative impacts there may be in terms of data loss, with a more expensive backup and recovery strategy.  That’s why companies usually carry out a risk assessment as part of a business impact analysis so that they can make a financially viable commitment. (“In the worst-case scenario, how much data loss could we handle?”) 

Data recovery 

Data recovery describes the process of restoring the backup data. Of course, it’s not enough to just create the backup, you must also be able to access it. The Recovery Time Objective varies significantly depending on the storage medium and data recovery process.  

You should test the data recovery process regularly according to the Standards for Information Security (ISO 27001, TISAX®). This test simulates data loss, and the data in a specific system is recovered according to the process. The test checks whether the RPO and RTO can be met and if changes must be made to improve the process. Definition of archiving is when data is stored at a static point – for example, when a company wants to capture the accounting data at the time that they sign a contract with an investor. While a backup is useful for data protection and data recovery, archiving (also) fulfils legal requirements, for example, to meet the retention periods stipulated for tax-related data.  

We recommend an overwriting-resistant medium when it comes to archiving, whereby the recovery does not have to be particularly quick or easy.  

Like mentioned above you should know about the standards of data recovery according to ISO 27001. In our Whitepaper about this standard, you can find further information.


How to find the most suitable backup strategy for your company 

We are going to introduce you to common storage media and backup types. Before you decide which strategy best suits your needs, you should ask yourself the following questions:  

  1. What are the data volumes that I already have or what data volumes do I produce every day that need to be recoverable?  
  2. To which point in time in the past do I have to be able to safely restore the data (RPO)? 
  3. How fast should the data be recovered (RTO)? 

For example: It could be the case that a company produces incredibly large volumes of data every day, which must be recoverable. However, there is no rush for the data recovery, and it can take a few days in the worst case. This affects the storage medium (magnetic tape is probably suitable here) and the backup type (probably an incremental backup in this case). 



Storage media at a glance: Which medium is suitable for which use case? 

Here is an overview of the most popular storage media for backups:  

  1. Magnetic tape is durable and can be reused (i.e. overwritten). However, it does take quite a while to recover data from magnetic tapes. Despite all the technical advancement, magnetic tapes are the best option when it comes to very long-term data backups of large volumes of data. For example, so-called Linear Tape Open tapes – provided that you store them correctly – last up to 30 years. Optical storage media like DVD and Blu-ray are still very popular, especially for private purposes. If the media are selected and stored correctly, they can last for over 50 years. While a single magnetic tape can store up to 6,000GB of data, a Blu-ray disc can only handle 25GB.  
  2. Many people use hard disks these days for ongoing hard disk backups. Thereby, data is continuously stored on an inherently large disk array. This option allows fast and relatively safe backups.  
  3. Cloud backups are especially popular because, in an emergency, they allow the data to be automatically and completely removed from the physical source (extreme case: if there is a fire in the building, data could immediately be uploaded from a local server to a cloud). In the same vein, data can be restored just as fast in a recovery case. However, the data volume in question must fit through an internet connection.  

An important note: Anyone using cloud providers for backups should use dedicated backup services that ensure redundancies.  An example of where this went incredibly wrong is when a data centre in Strasbourg caught fire at the beginning of March 2021 and numerous customers lost their data irretrievably. 

Backup types – these are the backup methods available

Different backup types will be suitable for you depending on the storage capacities and software available for data backups:  

Full backup 

You can back up the entire database in specific time intervals using this method (e.g., every day). This is both technically simple to implement and effective.  

However, keep in mind that a full backup also means that a little more storage space needs to be available every day (since you are adding new data daily).  

Differential backup 

A differential backup starts with a full backup,Instead of backing up the entire data volume every day, with this method only the data that has been modified or newly created since the last backup is stored. So, you will have a larger data volume after each backup cycle until the next full backup. Even data that was only modified once since the last full backup is backed up with each differential backup.  

Overall, a differential backup is far less time-consuming than a full backup, but you also need more storage space. 

Incremental backup  

An incremental backup also begins with a full backup. When it comes to an incremental backup, the data that was changed since the last incremental backup is essentially backed up.  

The difference to the differential backup is that the storage requirement does not automatically increase every day. However, to save the data in the event of data loss, you must be able to trace the storage chain accurately. So, you will need a full backup, including all the incremental backups.  

Continuous backup 

The first three methods back up data at regular intervals. What counts when it comes to data loss is the last backup interval. If the data is backed up daily, the RPO could be set for up to 24 hours. If you want a much shorter RPO, a continuous backup (CDP = Continuous Data Protection) is suitable.  

Changes are stored in real-time on a backup medium (i.e. every few seconds or minutes). Of course, not all media are suitable for this method. For example, you cannot use magnetic tapes for continuous backups,  since continuous backups quickly restore data from the recent past. Continuous backups are generally not stored for more than a few days, which is why you should combine them with other backup types.  

By the way: Backups are also an important part of a Business Continuity Management (BCM). Such a management system ensures that businesses can maintain their business operations in case of emergencies.

Principle of sustainability (or grandfather-father-son backup)  

What companies need is a data backup concept that regularly overwrites storage media, since storage media and the available storage space is limited. You cannot physically exchange externally stored storage media (e.g., magnetic tapes in a safe) every few hours – the expenditure would be too high.  

To ensure that you rotate certain storage media, follow the sustainability principle. It is not the only principle for data backups, , but it is a particularly popular approach. An alternative to this would be the “First in, First out” approach (FiFo).  

This is how the sustainability principle works:  

The system creates daily backups on the son level, weekly backups on the father level, and monthly backups on the grandfather level. You need a total of twenty storage media for this:  

  • You use four son backup media every day from Monday to Thursday, and store the daily data on them (e.g., with the incremental backup, all modified data). Son storage medium #1 is backed up on Mondays, son storage medium #2 on Tuesday, etc.  
  • You use four father storage media every Friday one after the other, and store the daily data on them. This makes the son storage media used during the week superfluous and can be overwritten in the following week.  
  • You always carry out grandfather backups on the last day of the month, and the first grandfather medium is then overwritten again after 12 months. The result is that you can always recover the data from the entire previous year.  


How can I ensure the data security of my backups?  

It’s important to rethink our strategies when it comes to data protection and backups. Historically, it has been a priority for backups to be physically protected (e.g., locked away safely or stored in a data centre with surveillance).  

Today, cloud storage is becoming more significant as a backup method, the need for ways to implement data protection requirements is increasing.  Cloud solutions, in particular, require the use of encryption and a data security plan. According to a survey conducted by Digital Business Cloud Magazine, 53% of respondents found data protection for cloud solutions to be difficult. Encryptions of cloud backups must:  

  • still be decryptable, even after a long backup period;  
  • still meet the essential requirements of being 'state of the art', even after a certain period that depends on the risk assessment for future decryption. 

Minimise loss risks with the 3-2-1 rule of backup 

Many companies rely on the 3-2-1 rule of backup to protect themselves against data losses as much as possible. , The 3-2-1 rule purports the following:  

  • you should always have three copies of your data;  
  • you should store this data on two different media; 
  • and you should keep one of the backups at an external location. 

Summary: “No backup, no sympathy.”  

At least, that’s the rule IT specialists live by. And it really is the case that no company can afford to forget about backups. However, not every backup is a suitable backup. Even if you have backup measures in place, so much can go amiss if you do not have a well-thought-out strategy that is in line with the company objectives (e.g., RPO and RTO). Popular modern technologies like cloud backups do solve many issues, but they also pose new challenges for companies in regards todata protection. Regardless of which method and storage media you implement, , we recommend that you test and probe your data recovery process regularly. Backups are not meant to be a one-time practice, but rather, a consistent measure to align with technologies and recommendations.                       

There are still are some questions that you would like to get answered? Feel free to reach out to one of our experts.

Book an appointment



whitepaper-download whitepaper-download

ISO 27001 and TISAX®:

A Guide to Due-Dilligence and Information Security

Download your free whitepaper

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies

100% success in ISO 27001 audits to date



TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Let's talk