Why it matters
As the business owner, you're responsible for managing your data – including ensuring it’s backed up effectively.
If your business experienced a security incident, restoring your data from backups would be the best, and fastest, way to get back to business as usual.
How to protect your business
Regardless of who does your backups — you, someone in your team, or an external IT service provider — you need to:
- understand what’s being backed up
- know how often the data is backed up
- decide how long to keep backups for, and
- know where, and how, offline copies of the backups are being stored.
Know what you need to back up and when
You need to make sure all the data your business holds is backed up. That means:
- the data provided to you by your customers or staff – for example personal employee or customer details, and customer account credentials
- data that’s generated by the organisation, including financials, operational data, documentation and manuals
- system-based data, like your log files.
How often you need to back up data depends on how important it is. For example:
- if you have new customer data coming in every day that would be impossible to recreate, set your backups to happen a few times a day
- if you don’t update your website much, you can set your backups to happen less often — you could back it up once a week or once a month instead.
Backing up your website
If you have a publicly available website, your web hosting provider may have a service where they do backups of your website on your behalf. If that’s the case, talk to them about who’s responsible for backing up:
- the servers that support your website, and
- the data collected through the website.
If your hosting provider is responsible, check:
- if they’ll charge you for restoring your website and data from backups if something goes wrong – some do charge for this service, and it’s better to know up front
- how often they’ll do backups, and how long they keep them for.
Set your backups to happen automatically
If you do your own backups, set them to happen automatically. That way you don’t have to think too much about them.
If possible, set the backups to email you if they fail. This will let you know that something’s wrong and needs to be looked into.
Test your backups regularly
When you back up your data, a new file is created that holds a copy of the data. Sometimes the copy fails, and it’s important to know this so you can fix the backup before you need to use it.
Check your backups on a regular basis by:
- restoring your system from a backup to test the entire backup, or
- restoring the data from a single database to test part of your backup.
Your IT service provider can help you with this.
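An added example (not CERT NZ's code) of the restore test described above: it backs up a folder, restores the archive into a scratch directory, and compares every restored file against a SHA-256 checksum recorded at backup time. The function names, the tar.gz format and the sample file are assumptions made for illustration.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path

def sha256_of(path):
    """Return the SHA-256 hex digest of one file."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def create_backup(source_dir, archive_path):
    """Write source_dir to a .tar.gz and return a manifest {relative path: sha256}."""
    source = Path(source_dir)
    files = sorted(p for p in source.rglob("*") if p.is_file())
    manifest = {p.relative_to(source).as_posix(): sha256_of(p) for p in files}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in files:
            tar.add(p, arcname=p.relative_to(source).as_posix())
    return manifest

def verify_restore(archive_path, manifest):
    """Restore into a scratch directory; return a list of problems (empty = good)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            # The "data" filter refuses unsafe members such as absolute paths.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"checksum mismatch: {rel}")
    return problems

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:  # constructed sample data
        data = Path(work) / "data"
        data.mkdir()
        (data / "accounts.csv").write_text("id,name\n1,Example Ltd\n")
        archive = Path(work) / "backup.tar.gz"
        problems = verify_restore(archive, create_backup(data, archive))
        print("restore test:", problems or "OK")
        # Non-zero exit lets a scheduler or monitor raise the failure alert.
        raise SystemExit(1 if problems else 0)
```

Run on a schedule, the non-zero exit status is what a scheduler or monitoring tool can turn into the failure email. Keep the manifest apart from the archive so that a damaged backup cannot also damage the record it is checked against.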
Decide your backup options and keep them somewhere safe
To maintain resilience, you should ideally have 3 copies of your backups:
- one copy offline – a "cold" offline backup is disconnected from your network and will never be affected if an incident happens. Offline backups are only temporarily connected to the network for incremental updates
- one copy in a different physical location, preferably offsite, in case of physical damage or compromise – for example, a fire, flood or ransomware
- one copy on different media – for example, a USB stick or DVD.
Make sure your backups can only be accessed by the people who need access to them, and are protected with strong passwords.
If you're unsure how your backups work, talk to your IT provider.
CERT NZ has implementation advice for setting up backup programs for IT providers.
You can also report an online issue or security incident to us at CERT NZ.