Skip to content

Data Security – Backup

Data Security – Backup

Vanessa Cresswell

Vanessa Cresswell

Click edit button to change this text. Lorem ipsum dolor sit amet consectetur adipiscing elit dolor

Many companies are now completely reliant on the data stored on their network servers, PCs, laptops, mobile devices and in the cloud. Some of this data is likely to contain either personal information and/or confidential company information.

Here we look at some of the issues to consider when reviewing the security of your computer systems and data.

Data backup is an essential security procedure and needs to be undertaken on a regular basis. A business should view regular backups as a form of insurance policy.

There are a number of points to consider.

Systems and Applications Software Installation media

Ideally, once software has been installed, the original media (unless the software was downloaded) should be stored securely off-site. Any activation keys/codes should be similarly stored securely.

Data file locations

In a network environment some data files might be stored on the server and other data files stored on local drives. In which case, separate backups may be required for both the server and one or more PCs.

Ideally, a network solution should be provided which ensures that all data is re-copied back to the server from local drives.

Backup strategy and frequency

There is likely to be a need for two parallel backup procedures; one to cover a complete systems backup of the server(s) and another to incrementally (or differentially) backup data files which have been updated since the previous backup.

The most common backup cycle is the grandfather, father, son method. With this, there is a cycle of 4 daily backups, 4/5 weekly backups and 12 monthly backups.

Remember that some data has to be preserved for many years – for example accounting records need to be kept for a minimum of 6 years.

Backup media can be re-used many times, but they do not have an infinite life and will need replacing after 2-10 years depending on quality and number of times used. Some additional points are made on this issue in the section on backup media degradation.

Backup responsibilities

Someone should be given responsibility for the backup procedures. This person needs to be able to:

  • regularly ensure that all data files (server and local) are incorporated in the backup cycle(s)
  • adapt the backup criteria as new applications and data files are added
  • modify the backup schedule as required
  • interpret backup logs and react to any errors notified
  • restore data if files are accidentally deleted or become corrupt
  • regularly test that data can be restored from backup media
  • maintain a regular log of backups and where the backup media are stored.

Applications backup routines

Many accounting and payroll applications have their own backup routines. It is a good idea to use these on a regular basis (as well as conventional server backups) and always just before critical update routines. These backup data files should be stored on the server drive so that they are backed up.

Local PCs

Certain users will have applications data files exclusively on their local drives (such as payroll data for example) and these will require their own regular backup regime, which as mentioned in the previous paragraph, may consist of a combination of backing up to media and backing up to the server.

Backup media

Selecting the right media to use for backups depends on budget, how much data there is and the networking operating software. External hard disks or a NAS box with cloud backup may provide a good solution. If an external service provider is used, or perhaps a cloud option, they should have their own backup regime – but don’t totally rely on this.

Optical storage such as CD/DVD, or Blu-Ray may also be considered as a cheaper alternative, but capacity and life may be limited.

Backup location

Backups should be stored in a variety of both on-site and off-site locations. On-site backups are easily accessible when data has to be restored quickly, but are at risk from either fire or other disaster.

A large number of businesses use an on-site safe, however, in a recovery situation this could be buried under tons of rubble, or the premises themselves may be inaccessible for a period of time.

Off-site backups have the advantage that they can be recovered in an emergency, but

a) they still need to be stored securely; and

b) need to be reasonably accessible.

Backup retention

Finally, certain type of records, such as accounting records for example, need to be kept for a minimum period of time and this must be considered when developing the data backup strategy (also see below regarding degradation).

Backup media degradation/decomposition

Backup media degrades and the data stored on them decomposes over a period of time.

Optical media such as CD/DVD and Blu-Ray are particularly sensitive to light (photosensitive), so ensure that they are stored in a dark environment. They are also prone to physical damage when being handled. Finally, this type of media is not designed for long-term storage – lasting possibly as little as 2 years.

Backups should be checked on a regular basis for signs of digital decomposition, and tested to check that data can be successfully restored.

In-house or cloud?

Many internet service providers and third-party IT service organisations, now offer, either as standard or as a chargeable extra, off-site data repositories and also complete online application solutions. The immediate appeal is that there is no need to internally support a server and its operating and applications software. However, there are a significant number of key security issues which should be covered as part of the contract/service level agreement (SLA). These should include level of encryption, the countries in which the data is processed and stored (as this has potential issues with Data Protection laws), data deletion and retention periods, the availability of audit trails of who is accessing the data and finally, who has ownership of the data if the provider goes into administration/receivership.

Where data is stored in the cloud, try to ensure that as little personal data as possible is processed and stored in this way. If this is not possible then at least anonymise the data so that individuals cannot be identified.

Ensure you can manually take your own backup copies of data stored with a third-party, and that this data is in a readable format and can be restored onto other services and applications.

How we can help

We can provide help in the following areas:

  • performing a security/information audit
  • drawing up a suitable backup regime
  • training staff in security principles and procedures.

Please do contact us if we can be of further help.

Share this with your friends

Share on facebook
Share on google
Share on twitter
Share on linkedin

More to explore

Venture Capital Trusts

Venture Capital Trusts (VCTs) are complementary to the Enterprise Investment Scheme (EIS), in that both are designed to encourage private individuals to invest in smaller high-risk unquoted trading companies affected by the equity gap. While the EIS requires an investment to be made directly into the shares of the company, VCTs operate by indirect investment through a mediated fund.

Read More »

VAT Flat Rate Scheme

The flat rate scheme for small businesses was introduced to reduce the administrative burden imposed when operating VAT. Under the scheme a set percentage is applied to the turnover of the business as a one-off calculation instead of having to identify and record the VAT on each sale and purchase you make.

Read More »

VAT – Seven Key Points for the Smaller Business

This factsheet focuses on VAT matters of relevance to the smaller business. A primary aim is to highlight common risk areas as a better understanding can contribute to a reduction of errors and help to minimise penalties. Another key ingredient in achieving that aim is good record keeping, otherwise there is an increased risk that the VAT return could be prepared on the basis of incomplete or incorrect information.

Read More »

VAT – Cash Accounting

Cash accounting enables a business to account for and pay VAT on the basis of cash received and paid rather than on the basis of invoices issued and received.

Read More »

VAT – Bad Debt Relief

It is quite possible within the VAT system for a business to be in the position of having to pay over VAT to HMRC while not having received payment from their customer. Bad debt relief allows businesses, that have made supplies on which they have accounted for and paid VAT but for which they have not received payment, to claim a refund of the VAT by reference to the outstanding amount.

Read More »


VAT registered businesses act as unpaid tax collectors and are required to account both promptly and accurately for all the tax revenue collected by them. The VAT system is policed by HMRC with heavy penalties for breaches of the legislation. Ignorance is not an acceptable excuse for not complying with the rules. We highlight below some of the areas that you need to consider.

Read More »