Share this
Creating a Backup Plan? Ask These Questions First
by Josefine.Fouarge on Jun 25, 2026 8:00:00 AM

A backup job ran overnight and the report shows green. But is that enough?
A completed backup job and a recoverable backup are two different things. The worst-case scenario is discovering that gap when you actually need to restore something. By then, the configuration can't be fixed any longer.
According to IBM's Cost of a Data Breach Report (2025), 65% of organizations that suffered a breach had not fully recovered from it. That number points less to bad software and more to plans that were never properly set up and tested.
Avoid scrambling when things go wrong by addressing the tough questions that will help you develop a solid, reliable backup plan in advance.
Table of Contents
- How Critical Is Your Data?
- Does the Information Change Regularly?
- How Fast Do You Need to Recover Data?
- When Is the Best Time to Back Up?
- How Long Do You Need to Keep Your Backups?
- What Is Your Plan for Testing Your Backups?
- Build a Backup Plan Worth Having
- FAQ
How Critical Is Your Data?
Data sensitivity determines how much protection a backup plan needs to provide. Not all data carries the same risk if it's lost or exposed. Treating everything the same leads to overprovisioning in the wrong places and blind spots in others.
If your billing system goes down on payroll day, you'll feel it immediately. Databases, billing systems, and ERP platforms are mission-critical and need daily backups at minimum, including longer retention periods and encryption both in transit to the backup storage and at rest. Operational data like emails and shared drives follow a similar schedule. Some business records carry legally mandated retention requirements.
That classification also tells you where additional protection layers belong. Sensitive data should be encrypted and, where possible, stored in an isolated or immutable location that ransomware can't reach even with access to the primary network. And remember, a file share and a medical records database aren't the same conversation.
Does the Information Change Regularly?
Not every dataset needs a nightly job. What drives the cadence is how often the data changes. A database processing daily transactions needs a different setup than an archive folder that hasn't changed in months.
There are different backup types to consider when protecting constantly changing data:
- Incremental backups capture only what changed since the last job, which keeps each backup small and fast to run. The tradeoff shows up during recovery. Restoring from an incremental chain means applying every job since the last full backup in sequence. In practice, the longer that chain, the longer your business stays offline.
- Differential backups capture everything changed since the last full backup. Each one grows larger over time, but restore is faster. You only need two files: the last full and the most recent differential.
- Incremental Forever backups remove the tradeoff entirely. They run a single initial full backup, then capture only changed blocks going forward while maintaining all restore points within your retention window. Storage stays lean and restores from any point in time stay fast. It's the approach that holds up best as your data grows. Here's a full breakdown of how Incremental Forever works.
Never rely on your standard schedule after a major update. If you just migrated servers, updated your core software, or installed a new platform, trigger a manual backup immediately.
How Fast Do You Need to Recover Data?
It's important to know that your recovery speed depends on your architecture, storage, and storage location, as well as the requirements you have to align with, not just based on the backup software.
Think of Recovery Point Objective (RPO) as your data loss threshold. If your RPO is four hours, you're deciding that your business can afford to completely recreate four hours of lost work. Recovery Time Objective (RTO) is your clock to recovery. It's the maximum time your business can survive offline before operations must resume. RPO and RTO are two important KPIs to track, but there's more to measuring backup performance.
As an example, put 2TB of cloud-only backup on a standard 100 Mbps connection. You're looking at 45 to 55 hours of download time before the first file restores (ignoring any potential bandwidth limitations from the cloud storage).
Nearly 1 in 5 SMBs that suffered a cyberattack filed for bankruptcy or closed entirely (Mastercard Small Business Cybersecurity Study, 2025).
Your choice of backup architecture directly dictates your recovery timeline. If speed is the priority, you want a method that avoids rebuilding your data piece by piece during a crisis.
Here's how the three backup types compare:
| Incremental | Differential | Incremental Forever | |
|---|---|---|---|
| Backup speed | Fast | Medium | Fast |
| Restore speed | Slow | Fast | Fast |
| Storage use | Low | High | Least |
In addition to the backup types, for businesses that need a quick recovery, a combination of local and cloud storage offers fast restores from local storage, and offsite protection and long-term retention from cloud storage. The 3-2-1 backup strategy, which involves having three copies of data on two different storage types with one copy stored offsite, remains the baseline standard for achieving this hybrid setup.
When Is the Best Time to Back Up?
Most of your backups can be scheduled during off-peak hours, such as overnight or on weekends. Running a heavy backup job at 2 PM could clog your network bandwidth and slow down user applications.
Set jobs to run automatically so that you don't have to rely on someone remembering to start them every night.
Some workloads may require more than a nightly job. For example, databases with high transaction volumes may require hourly jobs to achieve a meaningful RPO.
Endpoint backups for remote workers follow the same logic. Schedule them during off-hours, when the machine is idle and not competing with active sessions or VPN traffic.
How Long Do You Need to Keep Your Backups?
How long to keep your backups is a compliance decision. But not all data follows the same retention rules.
A practical starting framework by data type:
- Critical data (databases, ERP, billing systems): 90-day minimum, or per applicable compliance requirement
- Operational data (email, shared drives, productivity tools): 30 to 90 days
- Business records (financial documents, contracts, compliance records): 6 to 10 years in most jurisdictions
- Regulated data (HIPAA, GDPR, PCI-DSS, CPRA): per the specific regulation
For businesses in regulated industries or environments, such as healthcare (HIPAA), financial services (PCI-DSS), and any organization handling EU citizen data (GDPR) with active ransomware exposure, add an immutable or air-gapped copy.
For data that doesn't fall under a regulatory requirement, a baseline retention policy still makes sense. One practical example:
- 30 days for keeping data on local storage
- 60 days for keeping data in an offsite location, i.e., cloud storage
What Is Your Plan for Testing Your Backups?
Someone added a new database that wasn't included in the job scope. A file path changed after an application update. The backup kept running and the reports stayed green, but the data being captured was no longer what anyone assumed. To prevent a backup failure like this from occurring during an actual data recovery, you must regularly test a restore under conditions that resemble a real emergency.
Testing should be scheduled. A monthly restore of a representative data set catches most configuration drift. A quarterly full DR drill validates your RTO commitments under realistic conditions. Remember to document every result, as that record is what you would show an auditor who asks for proof. It's also what gives you and your team confidence going into an incident.
Here's a detailed guide on how to build and run a disaster recovery test plan.
Build a Backup Plan Worth Having
On top of everything, don't forget to revisit your backup setup on a regular basis.
- Update the data classification you created during onboarding every time the business changes.
- Look at what your business requires for the RPO and RTO instead of using the software default and adjust it with any changes that might occur.
- If you use retention policy templates, use them as a starting point for your own setup and update them when your data changes.
- Schedule quarterly restore tests and actually run them.
A backup job that just "runs" isn't enough. What matters is whether you can actually restore from it at any given time.
Ready to build a backup plan that holds up when you actually need it? Book a call with a NovaBACKUP backup expert and walk through the right setup for your environment.
Frequent Asked Questions
FAQ
Will running backups slow down my employees' computers?
It can, if you schedule them during business hours or if every backup is a full backup that takes a long time to process. A heavy backup job running at 2 PM competes for the same network bandwidth your team relies on. Schedule backups overnight or on weekends, or use a backup method like Incremental Forever that keeps every backup short, and your employees won't feel a thing.
FAQ
What is the difference between incremental, differential, and incremental forever backups?
All three avoid running a full backup every time, but they differ in what they capture. Incremental backups save only what changed since the last job, keeping each backup small but making restores slower as the chain grows. Differential backups save everything changed since the last full backup, so recovery only needs two files: the last full and the latest differential, but storage needs grow with every new backup. Incremental Forever backups combine the advantages of both without their drawbacks. You get lean storage and fast restores from any point in time.
FAQ
How long do I legally need to keep my backups?
It depends on your industry and data type. Business records require 6 to 10 years in most jurisdictions. Healthcare data under HIPAA, payment data under PCI-DSS, and EU citizen data under GDPR each carry specific mandates.
FAQ
What is the 3-2-1 backup rule?
Three copies of your data, on two different storage types, with one copy stored offsite. It's the baseline standard because no single failure, whether hardware crash, ransomware, fire, or flood, can take out all three at once. For businesses with active ransomware exposure, making the offsite copy immutable means attackers can't reach or delete it even if they compromise your network.
FAQ
How do I know if my backups are actually working?
Run a restore test. A backup job completing and a backup that actually recovers your data are two different things. Schedule a monthly test where you restore a sample of files and verify they're intact. Once a quarter, run a full drill that simulates a real recovery scenario. Document the results. That record is your proof of protection.
Sources
- IBM. Cost of a Data Breach Report 2025. Ponemon Institute / IBM, 2025
- Mastercard. Small Business Cybersecurity Study. Mastercard, 2025
Worth Reading

Winning New Clients and NovaBACKUP + Impossible Cloud | Data Protection Digest | June 2026

Creating a Backup Plan? Ask These Questions First
Share this
- Pre-Sales Questions (90)
- Tips and Tricks (89)
- Industry News (38)
- Best Practices (37)
- Reseller / MSP (36)
- Security Threats / Ransomware (26)
- Disaster Recovery (25)
- Cloud Backup (22)
- Storage Technology (22)
- Compliance / HIPAA (20)
- Applications (18)
- Backup Videos (15)
- Virtual Environments (12)
- Technology Updates / Releases (9)
- Backup preparation (6)
- Data Protection Digest (6)
- Infographics (5)
- Products (US) (4)
- Backup Software (2)
- Company (US) (1)
- Events (1)
- Events (US) (1)
- Unternehmen (1)
- July 2026 (1)
- June 2026 (2)
- May 2026 (3)
- April 2026 (7)
- March 2026 (3)
- February 2026 (2)
- January 2026 (2)
- December 2025 (2)
- November 2025 (1)
- October 2025 (2)
- September 2025 (1)
- August 2025 (1)
- July 2025 (1)
- June 2025 (2)
- May 2025 (2)
- April 2025 (2)
- March 2025 (1)
- February 2025 (2)
- January 2025 (2)
- December 2024 (1)
- November 2024 (2)
- September 2024 (2)
- August 2024 (1)
- July 2024 (2)
- June 2024 (3)
- May 2024 (1)
- April 2024 (2)
- March 2024 (3)
- February 2024 (2)
- January 2024 (1)
- December 2023 (1)
- November 2023 (1)
- October 2023 (1)
- September 2023 (1)
- August 2023 (1)
- July 2023 (1)
- May 2023 (1)
- March 2023 (3)
- February 2023 (1)
- January 2023 (1)
- December 2022 (1)
- November 2022 (2)
- October 2022 (2)
- September 2022 (1)
- July 2022 (1)
- June 2022 (1)
- April 2022 (1)
- March 2022 (2)
- February 2022 (1)
- January 2022 (1)
- December 2021 (1)
- September 2021 (1)
- August 2021 (1)
- July 2021 (1)
- June 2021 (1)
- May 2021 (2)
- April 2021 (1)
- March 2021 (1)
- February 2021 (1)
- January 2021 (1)
- December 2020 (1)
- November 2020 (1)
- October 2020 (1)
- September 2020 (3)
- August 2020 (2)
- July 2020 (1)
- June 2020 (1)
- May 2020 (1)
- April 2020 (1)
- March 2020 (2)
- February 2020 (2)
- January 2020 (2)
- December 2019 (1)
- November 2019 (1)
- October 2019 (1)
- August 2019 (1)
- July 2019 (1)
- June 2019 (1)
- April 2019 (1)
- January 2019 (1)
- September 2018 (1)
- August 2018 (3)
- July 2018 (2)
- June 2018 (2)
- April 2018 (2)
- March 2018 (1)
- February 2018 (1)
- January 2018 (2)
- December 2017 (1)
- September 2017 (1)
- May 2017 (2)
- April 2017 (4)
- March 2017 (4)
- February 2017 (1)
- January 2017 (1)
- December 2016 (1)
- October 2016 (2)
- August 2016 (3)
- July 2016 (1)
- June 2016 (2)
- May 2016 (6)
- April 2016 (5)
- February 2016 (1)
- January 2016 (7)
- December 2015 (6)
- November 2015 (2)
- October 2015 (5)
- September 2015 (1)
- July 2015 (1)
- June 2015 (2)
- May 2015 (1)
- April 2015 (3)
- March 2015 (3)
- February 2015 (3)
- October 2014 (2)
- September 2014 (6)
- August 2014 (4)
- July 2014 (4)
- June 2014 (3)
- May 2014 (2)
- April 2014 (3)
- March 2014 (4)
- February 2014 (5)
- January 2014 (4)
- December 2013 (4)
- October 2013 (6)
- September 2013 (1)
