By Mackenzie Gryder, with Ben Taylor
This blog is part of Gate 15’s Summer of Security: Ransomware Resilience Series, highlighting the essential considerations for organizational leaders and cybersecurity professionals.
When ransomware hits, backups often determine whether an organization can recover quickly or face devastating losses. Without reliable backups, victims are left with only two options, paying the ransom or losing critical data permanently. Backups are the last line of defense against ransomware. They not only safeguard essential files but also provide organizations with leverage, ensuring they can restore systems without negotiating with attackers. However, not all backups are created equal. For them to work when needed, they must be frequent, redundant, and regularly tested.
Primary Considerations for a Backup Strategy.
When ransomware attackers encrypt files, having dependable backups ensures that business operations can be restored without caving in to demands. But the effectiveness of a backup plan hinges on more than just storing copies of data. Organizations need to think strategically about:
- Frequency: Regularly creating backups ensures minimal data loss if an attack occurs. The more often data is backed up, the smaller the window of potential loss.
- Redundancy: Keeping multiple copies in diverse and secure locations, such as on-site, off-site, and in the cloud, reduces the risk that a single point of failure will compromise recovery.
- Testing: Regularly validating that backups can be restored quickly and effectively ensures that plans are not just theoretical but actionable in a crisis.
Types of backups.
- Full Backup. A full backup creates an exact copy of all selected files, databases, or systems. This method provides the most comprehensive protection since it captures everything in one snapshot.
- Incremental Backup. An incremental backup saves only the data that has changed since the last backup, whether full or incremental. This method significantly reduces storage needs and backup time, making it ideal for businesses that require frequent backups without overloading systems.
- Differential Backup. A differential backup stores all changes made since the last full backup (but not since the last incremental backup). This method offers a middle ground between full and incremental backups, reducing storage needs while making data restoration faster than with incremental backups.
Check Your Frequency.
How frequently organizations should be backing up data depends on the tolerance for data loss. As full backups are expensive to host, it is important to conduct analysis to determine how much data can be lost before the organization loses too much revenue. Organizations should begin by estimating revenue loss for various systems or networks being down. Data retention may also be governed by industry regulation, which of course should be factored in.
One approach some organizations will utilize is a weekly full backup to establish a baseline recovery point. That will be supported with daily differential backups to help speed up restores without utilizing the space of a full backup. Hourly or real-time incremental backups can be utilized for business-critical systems to minimize the loss of essential data.
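The restore-time consequence of the backup types and the weekly, daily and hourly schedule above, as an added Python example that is not from the original post: it picks the shortest usable restore chain for a target time and shows how a differential bridges a broken incremental chain. The `Backup` record, the `usable` flag, the 6-hourly incremental interval (used to keep the sample short) and all dates are constructed assumptions; incrementals are assumed to chain from the previous full or incremental, as defined above.

```python
from dataclasses import dataclass
from datetime import datetime
from itertools import takewhile

@dataclass(frozen=True)
class Backup:
    kind: str            # "full", "differential" or "incremental"
    taken: datetime
    usable: bool = True  # False: failed a restore test, corrupt or encrypted

def plan_restore(catalog, target):
    """Return the shortest chain of backups reaching the latest state <= target."""
    past = sorted((b for b in catalog if b.taken <= target), key=lambda b: b.taken)
    fulls = [b for b in past if b.kind == "full" and b.usable]
    if not fulls:
        raise LookupError("no usable full backup at or before the target time")
    base = fulls[-1]
    # Anything after a later (unusable) full depends on that full, so stop there.
    since = list(takewhile(lambda b: b.kind != "full",
                           (b for b in past if b.taken > base.taken)))
    starts = [[base]] + [[base, d] for d in since
                         if d.kind == "differential" and d.usable]
    best = None
    for chain in starts:
        for inc in since:
            if inc.kind != "incremental" or inc.taken <= chain[-1].taken:
                continue
            if not inc.usable:
                break  # every later incremental builds on this one
            chain.append(inc)
        # Prefer the latest restore point, then the fewest backups to apply.
        if best is None or (chain[-1].taken, -len(chain)) > (best[-1].taken, -len(best)):
            best = chain
    return best

def sample_catalog(bad=()):
    """Constructed catalog: Sunday full, daily differentials, 6-hourly incrementals."""
    day = lambda d, h: datetime(2025, 9, d, h)
    cat = [Backup("full", day(7, 0)),
           Backup("differential", day(8, 0)), Backup("differential", day(9, 0))]
    slots = [(7, 6), (7, 12), (7, 18), (8, 6), (8, 12), (8, 18), (9, 6), (9, 12)]
    cat += [Backup("incremental", day(d, h), (d, h) not in bad) for d, h in slots]
    return cat

if __name__ == "__main__":
    target = datetime(2025, 9, 9, 14)
    for bad in [(), [(8, 12)], [(9, 6)]]:
        chain = plan_restore(sample_catalog(bad), target)
        print(bad, [b.kind for b in chain], "data lost:", target - chain[-1].taken)
```

The gap between the target time and the last backup in the returned chain is the data that cannot be recovered, which is the figure to weigh against the organization's tolerance for loss.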
Easy as 3-2-1.
The 3-2-1 rule is a widely accepted best practice to ensure that data is protected adequately, and up-to-date backup copies of the data are available when needed. The 3-2-1 backup strategy goes as follows:
- Three data copies. Three copies of all critical data should be made on a regular basis, including the original data and at least two backups.
- Two types of storage. Utilize two different storage types for the data. Both copies of the backed-up data should be kept on two separate storage types to minimize the chance of failure. Storage device types could include an internal hard drive, external hard drive, removable storage drive, a tape library, a secondary storage array or a cloud backup environment.
- One offsite location. One copy of the data should be shipped to an offsite storage facility. At least one data copy should be stored in an offsite or remote location to ensure that natural or geographical disasters cannot affect all data copies.
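One way to check a backup inventory against the 3-2-1 rule described above, as an added Python example that is not from the original post. The `Copy` record, the site and media names, the sample inventory and the 7-day `max_age` freshness cutoff are constructed assumptions; the storage-type check follows the wording above, where the two backups sit on separate storage types.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Copy:
    dataset: str
    media: str           # storage type, e.g. "disk-array", "tape", "cloud-object"
    site: str            # where the copy physically lives
    original: bool       # True for the production copy
    last_good: datetime  # last successful, verified write of this copy

def audit_321(copies, now, max_age=timedelta(days=7)):
    """Return {dataset: [findings]}; an empty list means 3-2-1 is met."""
    report = {}
    for name in sorted({c.dataset for c in copies}):
        mine = [c for c in copies if c.dataset == name]
        home = {c.site for c in mine if c.original}
        backups = [c for c in mine if not c.original]
        fresh = [c for c in backups if now - c.last_good <= max_age]
        findings = [f"stale copy ignored: {c.media}@{c.site}"
                    for c in backups if c not in fresh]
        if not home:
            findings.append("no original recorded")
        if len(fresh) < 2:
            findings.append(f"3: only {len(fresh)} current backup(s), need 2 plus the original")
        if len({c.media for c in fresh}) < 2:
            findings.append("2: backups do not span two storage types")
        if not any(c.site not in home for c in fresh):
            findings.append("1: no current backup outside the original's site")
        report[name] = findings
    return report

def sample_inventory(now):
    """Constructed inventory: one compliant dataset, one that only looks compliant."""
    ago = lambda days: now - timedelta(days=days)
    return [
        Copy("finance-db", "disk-array", "hq", True, ago(0)),
        Copy("finance-db", "disk-array", "hq", False, ago(1)),
        Copy("finance-db", "cloud-object", "cloud-region-a", False, ago(1)),
        Copy("file-share", "disk-array", "hq", True, ago(0)),
        Copy("file-share", "nas", "hq", False, ago(1)),
        Copy("file-share", "tape", "vault", False, ago(30)),
    ]

if __name__ == "__main__":
    now = datetime(2025, 9, 9, 12)
    for dataset, findings in audit_321(sample_inventory(now), now).items():
        print(dataset, "OK" if not findings else findings)
```

In the sample, `file-share` has three copies, two storage types and an offsite tape on paper, but the tape is 30 days old, so once stale copies are excluded it fails all three parts of the rule.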
Don’t Forget to Exercise!
Testing backup systems and disaster recovery (DR) plans is crucial to ensure that your organization can quickly recover from various disruptions, including data loss, ransomware attacks, hardware failures, and other disasters. Organizations are encouraged to perform full disaster recovery tests on an annual basis, with a best practice of smaller drills on a more regular basis. The more frequent drills can focus on elements such as partial recovery, or virtual recovery.
Real World Examples:
In May 2019, Baltimore’s city government was hit by a ransomware attack that encrypted thousands of files on municipal systems. The city lacked reliable, fully tested backups for key systems, leading to a prolonged disruption of services such as property tax payments and emergency dispatch. Recovery costs exceeded $18 million, illustrating the critical role of backup planning and testing. Baltimore also did not have a centralized technology budget, and they chose not to spend money on cyberattack insurance. If the city of Baltimore had backed up their data safely, they could have restored all the lost data quickly and saved money.
The 2021 ransomware attack on Colonial Pipeline, a major U.S. fuel pipeline operator, highlighted how quick access to backups can limit operational impact. While the company ultimately paid a ransom, its ability to restore some systems from backups allowed partial operations to resume more rapidly, mitigating broader disruptions in fuel supply.
Conclusion:
Ransomware is an ongoing threat, but organizations that prioritize backup strategies can reduce risk and recover quickly. By focusing on frequency, redundancy, and testing, businesses create a strong defense that makes paying ransom unnecessary. The message is clear: without reliable backups, organizations gamble with their most critical asset, their data. Back it up, test it, and ensure recovery is possible before an attack happens.
Insights from our Weekly Ransomware Report.
Each week we publish our Weekly Ransomware Report (along with other all-hazards reports) through Gate 15’s Resilience and Intelligence Portal (GRIP). Contact us if you are interested in receiving the full report. Highlights from this week include:
- Most Active Threat Actors (victim number): Play (12), INC Ransom (7), Qilin (5)
- Gentlemen Ransomware
- Hackers Hide RMM Installs as Fake Chrome Updates and Team Invites
Coming Up Next: “Lessons from the Ashes: Post-Incident Analysis.” Why it matters: Conducting thorough post-mortems after ransomware incidents helps identify root causes, improve defenses, and prevent repeat attacks. A thorough post-incident analysis will include both a technical review of how the attack occurred, as well as a review of the organizational response and decision-making processes.
Gate 15 has worked across the Critical Infrastructure environment to develop cybersecurity plans and tabletop exercises for trade associations and owner/operators. We are pleased to offer 10% off ransomware exercises to new clients that are booked before 30 September 2025. Send us an email and mention this blog, and let’s discuss how to boost your organizational resilience together.
