
Backup, Retention, and Risk: Aligning Data Protection with Governance

Dale Jenkins

I've heard it said that there are two types of people in the world.

Those that have backups and those that have never lost a file.

I am hopeful that, as you read this, you are not here because you have lost a file.

Let me be very clear: data backups are 100% essential for any organisation that values reliability, security, efficiency and its clients!

Too often, businesses overlook backup until it’s too late. Data can be lost due to accidents, technical failures, or malicious actions. Every organisation, regardless of size, faces these risks and has a responsibility to align backup and retention strategies with information policies and regulations.

I've had clients tell me that data backups aren't really a priority for their business, with the majority of files shared between multiple laptops using thumb drives, as there was nothing they considered "critical". Having supported a number of organisations with similar viewpoints, I offer the following observations for consideration...

Data Backups MUST align with Organisational Policies

Organisations must have backup retention policies that fit their business needs, legal requirements, and risk profiles. The goal is to keep what is required for the right amount of time. Nothing less, nothing more.

Key strategies include:

  • Define how long different categories of data must be retained in line with privacy laws and industry standards.
  • Use retention labels and lifecycle policies to automate keeping and deleting data where possible.
  • Regularly review policies to match new regulatory requirements and the organisation’s evolving structure.

When retention and backup are aligned, organisations avoid keeping unnecessary records that increase privacy exposure. They also safely dispose of data that is no longer needed, reducing cost and compliance risks.

Just because you are Cloud-first doesn't mean you have Backups

With cloud-first strategies, data may reside in many locations: individual laptops, corporate SaaS subscriptions, cloud file shares, and managed databases. Identifying where your data lives is the first step to securing it.

Effective practices include:

  • Use automated discovery tools to locate and classify data across devices and cloud repositories.

  • Reconcile all known storage locations with what staff actually use—for example, investigating shadow IT.

  • Catalogue each data store by its sensitivity, business purpose, and regulatory requirements.

Regular audits ensure that new storage locations are included and that the location register remains current. Sophisticated organisations continuously monitor data flows to cloud applications and repositories as part of a broad governance program.

The Shared Responsibility Model

Public cloud providers like AWS, Microsoft Azure, and Google Cloud operate under a "shared responsibility" model.

  • They, as providers, are responsible for securing their own infrastructure, including physical data centres, networking, the cloud platform, and the code and data that make the environment work.

  • You, the client, are responsible for managing your own data, user accounts, application security, and backups.

Yes, this does mean that cloud data is not automatically protected from loss or accidental deletion just by being “in the cloud.”

Each organisation must ensure:

  • Backups are configured, tested, and meet retention requirements.

  • Access permissions and encryption settings are managed on the client side.

  • They understand which functions are supported by the provider and which require their own controls and solutions.

What's Your Backup Risk Exposure?

Auditing backup and risk exposure is a proactive way to check readiness and compliance.

Here are some techniques to consider:

  • Regularly review which data is backed up and compare it to inventory and data-flow maps.
  • Test backup restores in line with a documented schedule to prove that data can be recovered quickly.
  • Use reporting tools to confirm backup completion, highlight missed files, and flag errors.
  • Carry out risk assessments and simulation exercises, including simulated ransomware recovery.
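As an added example, not from this post or its author, the following Python audit reconciles a constructed data-store register (the output of the discovery and cataloguing described earlier) with the latest status of each backup job. It flags stores with no backup job, recovery points older than the RPO, jobs that completed with errors, and retention that is shorter or longer than an assumed per-category policy, so it serves both the retention-alignment point above and the audit techniques just listed. All store names, dates and policy values are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the post): a data-store register built
# from discovery/cataloguing, and the latest status of each backup job.
INVENTORY = [
    {"store": "finance-sharepoint", "category": "financial", "sensitivity": "high"},
    {"store": "hr-db", "category": "hr", "sensitivity": "high"},
    {"store": "marketing-drive", "category": "marketing", "sensitivity": "low"},
    {"store": "sales-laptop-usb", "category": "general", "sensitivity": "medium"},
]
BACKUP_JOBS = [
    {"store": "finance-sharepoint", "last_success": "2024-05-01T02:00:00",
     "retention_days": 2555, "errors": 0},
    {"store": "hr-db", "last_success": "2024-04-27T02:00:00",
     "retention_days": 2555, "errors": 3},
    {"store": "marketing-drive", "last_success": "2024-05-01T02:00:00",
     "retention_days": 30, "errors": 0},
]
# Assumed retention policy in days per data category (placeholder values;
# replace with the organisation's own legal and regulatory requirements).
RETENTION_POLICY_DAYS = {"financial": 2555, "hr": 2555, "marketing": 365, "general": 90}
SEVERITY = {"high": 0, "medium": 1, "low": 2}

def audit_backup_exposure(inventory, jobs, policy, now_iso, rpo_hours=24):
    """Reconcile the data-store register with backup job status.

    Returns (store, finding_code, detail) tuples, most sensitive stores first.
    """
    now = datetime.fromisoformat(now_iso)
    jobs_by_store = {j["store"]: j for j in jobs}
    findings = []
    for item in sorted(inventory, key=lambda i: SEVERITY[i["sensitivity"]]):
        store, job = item["store"], jobs_by_store.get(item["store"])
        if job is None:  # in the register but no job covers it: unprotected data
            findings.append((store, "NOT_BACKED_UP", "no backup job covers this store"))
            continue
        age = now - datetime.fromisoformat(job["last_success"])
        if age > timedelta(hours=rpo_hours):  # newest recovery point is too old
            findings.append((store, "STALE", f"last success {age.days}d ago, RPO {rpo_hours}h"))
        if job["errors"]:  # job "completed" but skipped or failed files need attention
            findings.append((store, "JOB_ERRORS", f"{job['errors']} errors in last run"))
        required = policy[item["category"]]
        if job["retention_days"] < required:  # keeping less than policy demands
            findings.append((store, "RETENTION_TOO_SHORT", f"{job['retention_days']}d < {required}d"))
        elif job["retention_days"] > required:  # keeping more than needed: privacy exposure
            findings.append((store, "RETENTION_TOO_LONG", f"{job['retention_days']}d > {required}d"))
    return findings

if __name__ == "__main__":
    for store, code, detail in audit_backup_exposure(INVENTORY, BACKUP_JOBS, RETENTION_POLICY_DAYS, "2024-05-01T09:00:00"):
        print(f"{code:20} {store:20} {detail}")
```

In practice the two inputs would be exported from the data inventory tool and the backup product's reporting API rather than typed in, and the findings list is the material to put in front of executives.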

Reports from backup and audit activities should be shared with executives and factored into ongoing governance and compliance programs.


The Role of a vCIO in Backup Governance

A Virtual CIO (vCIO) brings executive-level IT strategy and oversight without the commitment or cost of a full-time hire. For backup, retention, and data governance, a vCIO will:

  • Build or review information retention policies and align them with organisational objectives.
  • Oversee regular auditing and reporting of backup processes.
  • Assess risk exposure and recommend improvements.
  • Coordinate the adoption of backup automation, data discovery, and cloud governance tools.
  • Liaise with cloud service providers and internal stakeholders to ensure all responsibilities are met.

This partnership offers objectivity, expertise, and an influential voice in board-level decision making.


Practical Steps for Your Business

Let's start with the basics:

  • Use trusted, automated cloud backup tools.
  • Centralise file storage to avoid shadow IT and local drives.
  • Regularly review provider backup settings and perform simple restore tests.
  • Assign a clear owner for data protection.

When the above is looking good:

  • Implement classification and labelling of business data.
  • Define and automate backup retention rules by category.
  • Conduct formal backup restore testing every quarter.
  • Use a vCIO to clarify roles and ensure compliance is tracked.

If you have compliance and regulatory requirements, you will also need to:

  • Adopt comprehensive data inventory and automated discovery tools.
  • Integrate backup retention strategies with enterprise privacy and discovery frameworks.
  • Continuously monitor backup status and set alerting for failures or anomalies.
  • Embed vCIO oversight into the IT governance structure.

Remember: Data backups are not just for "disaster" recovery.

Often, the most appreciated value of regular, automated backups of all business data is recovering from the much-maligned "I'm sure that didn't look like that yesterday" overwrite of a file's contents. Without a backup you will never know what content has been lost, and you will spend hours looking through thumb drives, other laptops and email attachments to work out what is missing.

Or consider the accidental folder drag: where did it used to live? Having a backup gives you the option to rapidly recover to a known state.

Considering that daily data backups are cheaper than a pub lunch, it does seem that Australian business owners are either unaware of the risk or unaware of the options available.
