A backup is a copy of computer data stored separately so the original information can be recovered if it is lost, corrupted, or altered. Backups serve several purposes: protection against hardware failure, software defects, accidental deletion, malicious encryption (ransomware), site failure or other disasters; preservation of earlier versions for legal or audit purposes; and fulfilment of regulatory retention requirements. For general computing context and technical background see computing resources.

Types and methods

Backup methods differ by what is copied, how often, and how the copies are organized. Common approaches include:

  • Full backup: a complete copy of all selected files or systems at a point in time. Simplifies restoration but is resource intensive.
  • Incremental backup: captures only data that changed since the last backup of any kind. Saves storage and backup window time but requires a chain of increments to restore to a recent point.
  • Differential backup: records changes since the last full backup. Restores require the last full plus the most recent differential.
  • Snapshots: point-in-time images often provided by storage systems or virtual machines; useful for rapid recovery of whole volumes or instances.
  • Continuous data protection: records changes in near real time to allow fine-grained recovery to a recent state.

Backups can be performed at file, block or image level, and may be implemented by agent-based software installed on systems or by agentless solutions that operate at the hypervisor or storage layer.

Storage locations and media

Backup copies are kept on a variety of media and in different locations to reduce correlated risk. Typical storage choices include local external drives, network-attached storage (NAS), tape libraries for long-term archives, secondary data centers, and cloud object storage. Many organisations use hybrid strategies combining on-premises media for rapid restores with offsite or cloud copies for resilience against site-level disasters. Air-gapped or immutable backups are recommended where protection against ransomware and tampering is critical.

Policy, retention and compliance

Effective backup programs are governed by policies that specify scope, schedule, retention periods, access controls and disposal procedures. Retention rules vary by business needs and by law; certain financial, medical or transactional records are commonly subject to statutory retention requirements. Organizations map legal and regulatory obligations to backup retention schedules and ensure that retained data remains accessible and auditable. For guidance relating to retention of accounting and financial records see accounting records resources.

Technical targets such as recovery point objective (RPO) and recovery time objective (RTO) are used to define acceptable levels of data loss and downtime. These objectives inform choices about backup frequency, storage tiering, and complementary measures such as replication or clustering for high availability.

Best practices

  • Follow the 3-2-1 principle: keep at least three copies of data, on two different media, with one copy offsite.
  • Encrypt backups in transit and at rest to protect confidentiality of sensitive information.
  • Use immutable or write-once media where regulations or threat models demand tamper resistance.
  • Automate backups and monitor success/failure metrics; alerting reduces the risk of unnoticed gaps.
  • Periodically test restores from backups (tabletop and full restores) to verify integrity and operational readiness.
  • Document procedures and assign clear roles for backup operations and recovery activities within a disaster recovery plan.

Modern backup programs face several challenges: increasing data volumes, complex multi-cloud and hybrid environments, and targeted threats such as ransomware that seek to destroy backups. Technologies such as deduplication, compression, snapshot-based protection, and cloud-native backup services help manage cost and scalability. Backup as a service (BaaS) offerings and integrated appliances can simplify operations, but organisations must still validate that service-level guarantees, encryption and retention meet their needs. For operational guidance on handling sensitive data and backups consult data stewardship materials at data protection guidance.

Backups are a core element of business continuity and disaster recovery but they do not eliminate the need for wider resilience planning. Replication and high-availability designs reduce downtime, while backups provide recoverable historical copies and protection against data corruption and accidental or malicious deletion. A balanced program combines clear policies, appropriate technology, secure storage, and regular testing to maintain recoverability and compliance.

Further reading and resources may include vendor documentation, standards bodies and legal guidance relevant to specific industries. When designing or reviewing a backup program, organisations should consider cost, risk tolerance, regulatory obligations and operational capabilities to choose an approach that meets both technical and business requirements.