Backup security isn’t just about having a copy of data. It’s a process from impact analysis through to regular tests that verify whether operations can truly be restored from the copies. A discussion with representatives of the health insurer Dôvera highlighted what works in practice and where the limits are.
From impact analysis to an approved strategy
The process starts with a business impact analysis, which identifies critical data and determines what needs to be backed up and how quickly it must be available again. Disaster recovery is only one part of business continuity management, and above both should sit an approved security strategy, ideally endorsed by the board, so that priorities and resources are clear. Only then does the team have the time, capacity, and support for what truly matters.
Plans should not remain on paper. The team must meet regularly and test recovery in an isolated environment, for example with the help of virtualization tools. The goal is to verify that the steps work in practice and everyone knows what to do.
A backup that can truly be restored
A backup has value only if it can be restored. Quality, consistency, and regular restore testing at intervals matched to the importance of the data are therefore key. Without that, the copy remains just a "forgotten medium" that perhaps no one has ever tried to read. In practice, backup tools that verify the consistency of each copy help, as does so-called immutable storage, which prevents backups from being overwritten or deleted for a defined retention period, even by an administrator account that an attacker has taken over.
With ransomware, it's not enough to save the data; you also need to restore the operations themselves. Affected systems often cannot be wiped immediately because a forensic investigation is still under way, so spare capacity for rebuilding must be planned in advance. Recovery methods can be tested without impacting production if separate test environments are used. At Dôvera, artificial intelligence is used more as an internal consulting tool on top of policies, not for autonomous decision-making in security.
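As an added example, not code from the page or from Dôvera, the following Python script shows the kind of consistency check and isolated restore test the two paragraphs above describe: a backup is written with an embedded SHA-256 manifest, restored into a throwaway directory, and every file is compared against the manifest. The manifest name and layout, the file names, and the sample contents are constructed for this illustration; the drill then flips one byte in a copy of the archive to show that a copy that "looks fine" on the medium is rejected before anyone relies on it.

```python
# Added example (not Dôvera's tooling): a backup with an embedded SHA-256 manifest,
# restored into a throwaway directory and checked file by file. Names, paths and
# the sample contents are constructed for this illustration.
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"   # assumed layout: manifest at the archive root, data under data/


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Relative path -> SHA-256 of every regular file under src, sorted for stable output."""
    return {p.relative_to(src).as_posix(): sha256_of(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write an uncompressed tar of src with the manifest stored inside it."""
    manifest = build_manifest(src)
    with tarfile.open(str(archive), "w") as tar:
        for rel in manifest:
            tar.add(str(src / rel), arcname=f"data/{rel}")
        body = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return manifest


def verify_restore(archive: Path, restore_dir: Path) -> list:
    """Restore the archive into restore_dir and compare every file against the manifest.

    Returns a list of problems; an empty list means the copy is actually restorable.
    """
    # The 'data' filter (Python 3.12+, backported to older patch releases) refuses
    # absolute paths and '..' members, so a tampered archive cannot write outside restore_dir.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tarfile.open(str(archive), "r") as tar:
            tar.extractall(str(restore_dir), **extract_opts)
    except tarfile.TarError as exc:
        return [f"archive unreadable: {exc}"]

    manifest_path = restore_dir / MANIFEST_NAME
    if not manifest_path.is_file():
        return ["manifest missing"]
    manifest = json.loads(manifest_path.read_text())
    data_dir = restore_dir / "data"

    problems = []
    for rel, expected in manifest.items():
        p = data_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    # Extra files are just as suspicious as missing ones.
    for p in data_dir.rglob("*"):
        if p.is_file() and p.relative_to(data_dir).as_posix() not in manifest:
            problems.append(f"unexpected: {p.relative_to(data_dir).as_posix()}")
    return problems


def run_drill() -> dict:
    """Constructed drill: a clean copy restores; a copy with one flipped bit is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "db").mkdir(parents=True)
        (src / "db" / "claims.sql").write_bytes(b"INSERT INTO claims VALUES (1, 'example');\n")
        (src / "config.ini").write_bytes(b"[backup]\nrpo_minutes=15\n")

        archive = tmp / "backup.tar"
        create_backup(src, archive)
        clean = verify_restore(archive, tmp / "restore_clean")

        # Simulate silent corruption on the medium: flip one bit inside config.ini's data.
        # The tar header checksum does not cover file data, so extraction still "succeeds".
        raw = bytearray(archive.read_bytes())
        off = raw.find(b"rpo_minutes=15") + len(b"rpo_minutes=")
        raw[off] ^= 0x01
        rotten = tmp / "backup_rotten.tar"
        rotten.write_bytes(bytes(raw))
        corrupted = verify_restore(rotten, tmp / "restore_rotten")

    return {"clean": clean, "corrupted": corrupted}


if __name__ == "__main__":
    print(run_drill())
```

In a real drill the restore target is the isolated environment the text mentions, not a temporary directory, and the check is repeated at the interval the data's importance dictates. Note the limit of this check: an attacker who can rewrite the backup can rewrite the manifest inside it as well, which is exactly why the manifest (or a signature over it) should live somewhere the backup process cannot modify, and why immutable storage matters.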
Vendors, BCP, and the reality of drills
Vendors are part of the equation as well. If they manage part of the infrastructure, contractual provisions must cover how quickly they will restore critical services and where backups of device configurations are stored. The organization must retain access to those configurations even during a provider outage, and it's worth involving vendors directly in recovery tests.
New solutions go through a process from idea, through risk assessment and architecture, to impact analysis with requirements for recovery time and point objectives (RTO/RPO). Continuity plans are validated in real incidents as well as planned drills and are updated at least once a year. Recovery is a never-ending process in which the reality of attacks tests not only the documentation but also the stamina of the team. Topics such as the right to be forgotten versus an immutable backup are primarily legal in nature and are assessed according to lawful grounds for processing.