Hybrid backup strategy for business


Backup is a fundamental part of a complete data security strategy, and IT administrators who fail to implement a hybrid backup strategy properly are putting their company, their own jobs, and those of their staff on the line. Data is one business asset that is not expendable: once it's gone, it's gone for good.



A backup plan isn't just about keeping a few copies of files to hand on the off-chance that one goes missing. It's about providing a full business recovery plan in the event of a disaster. By this, we mean anything from an accidentally deleted file, a corrupted database, or a sickly server to a ransomware attack, burglary, fire, or flood.

This doesn't need to be challenging as there is a huge choice of top-quality backup products on the market that are suitable for a wide range of business environments and budgets. The most effective backup strategies employ a 'hybrid' approach that combines on-site and cloud backup and the good news is there are plenty of solutions that provide both essential data protection and easy management.

The theory behind a hybrid backup strategy

A hybrid backup strategy allows multiple copies of data to be maintained in different physical locations so it's always available regardless of any mishap. The easiest way to understand this is to use the '3-2-1' principle where you retain three up-to-date copies of your data, back it up to two different types of storage media, and keep one copy off-site. 

This type of strategy gives you the best of all possible worlds as your onsite backups provide fast recovery services for lost or deleted items. If for reasons such as theft, fire, or flood, you can't access your main office or IT equipment gets stolen, you'll have the third copy safely stored off-site.

The cloud is a natural contender for off-site storage and all good backup products either include their cloud storage in the price or offer support for public providers such as Amazon and Microsoft Azure. You don't have to use the cloud though, as many products offer replication services that can copy backups to your own remote storage devices such as NAS appliances and other storage servers.

It's important to use a single backup product to protect all your systems and applications as multiple products will increase costs and complexity. Backup strategies that rely on manual human intervention are guaranteed to fail so only choose products with full scheduling services that allow them to run jobs regularly to a predefined schedule.

Hybrid backup costs

Ransomware attacks are now so common that businesses of all sizes need to take precautions to mitigate them and avoid paying for data to be decrypted. Backup software can't protect against these attacks, but products that offer file versioning allow you to retain multiple copies of files going back days, weeks, and months, so if you get hit by a ransomware demand, it's possible to browse them and restore files to a state before they were encrypted.


The latest ransomware attacks attempt to infiltrate the backup software itself and will delete all backups to prevent recovery of the data that they subsequently encrypt. A good defense against this is immutable cloud storage that, once written to, cannot be changed, modified, overwritten, or deleted.

A prime example of this is Amazon's S3 buckets with Object Lock as enabling this feature turns them into WORM (write once read many) storage devices so existing data can't be modified or deleted until the retention period you've set has expired. This is often referred to as a '3-2-1-1' strategy where the fourth step is backing up data to immutable cloud storage.

Backup recovery

Running backups once a day may not be enough and two factors will determine their frequency – recovery time objectives (RTOs) and recovery point objectives (RPOs). RTOs determine the period your business can comfortably survive without access to its systems, applications, and data. 

An RTO in hours will require a backup strategy that delivers much faster restore services than an RTO measured in days. You may also need to define multiple RTOs – a critical mail server, for example, will need to be restored much quicker than basic file sharing and print services.

The RPO defines the amount of data loss your business can tolerate and will define how frequently backups are run. If you can't afford to lose all the data created during the previous 24 hours then running one backup per day won't be sufficient.

This is where backup software scheduling services pay dividends. You can create multiple jobs for different RPOs and RTOs, define your backup frequencies, and leave the software to run them at the appointed times.
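To show how an RPO translates into a check on the jobs you have scheduled, the following added example (not from the original article or any backup product) compares a history of successful backup times against each system's RPO. The system names, timestamps and RPO values are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: agreed RPO per system (hypothetical names).
RPO = {
    "mail-server": timedelta(hours=1),
    "file-share": timedelta(hours=24),
    "erp-db": timedelta(hours=4),
}
# Constructed completion times of successful backup jobs.
HISTORY = {
    "mail-server": ["2024-03-04T08:00", "2024-03-04T09:00",
                    "2024-03-04T11:30", "2024-03-04T12:00"],
    "file-share": ["2024-03-03T01:00", "2024-03-04T01:00"],
}

def rpo_report(history, rpo, now):
    """Per system: worst gap between backups, current exposure, RPO breaches."""
    report = {}
    for system, target in rpo.items():
        times = sorted(datetime.fromisoformat(t) for t in history.get(system, []))
        if not times:
            # A system with an RPO but no successful backup is always a breach.
            report[system] = {"worst_gap": None, "exposure": None,
                              "breaches": ["no successful backup"]}
            continue
        # Data written just after one backup is unprotected until the next one,
        # so the gap between consecutive backups is the potential data loss.
        gaps = [(b - a, a, b) for a, b in zip(times, times[1:])]
        breaches = [f"{a:%H:%M}-{b:%H:%M} gap {g}" for g, a, b in gaps if g > target]
        exposure = now - times[-1]  # data at risk if disaster struck right now
        if exposure > target:
            breaches.append(f"last backup {exposure} ago")
        report[system] = {
            "worst_gap": max((g for g, _, _ in gaps), default=timedelta(0)),
            "exposure": exposure,
            "breaches": breaches,
        }
    return report

if __name__ == "__main__":
    for name, row in rpo_report(HISTORY, RPO, datetime(2024, 3, 4, 12, 30)).items():
        print(name, row["breaches"] or "within RPO")
```

A missed or failed job shows up as a gap wider than the RPO even though every other run was on time, which is why the check looks at completed backups and not at the schedule.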

Disaster prevention within a hybrid backup strategy

When your data protection solution is up and running, you must test all its restore facilities for files, applications, servers, and virtualization hosts. Schedule tests for regular pre-arranged times and not when convenient, otherwise they won't get done.




Make sure you set the backup software to provide notifications and alerts by email or SMS and if you receive warnings that a backup job has failed, find out what the problem is and address it. All these safety measures will confirm that your backups are working, data is retrievable, your RPOs and RTOs can be met and all unforeseen problems are ironed out before you need to use them for real. 

You should document the entire process by creating a 'run book' and keeping it up to date. This will provide contact details of all key personnel and include clear recovery instructions for all systems and services so any type of data recovery can be run even if key staff members are unavailable.

There's now a new strategy for just this situation. Termed 3-2-1-1-0, this calls for all the standard copies of data maintained in different locations, additional immutable cloud storage, and zero errors for all your recovery processes.
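The 3-2-1-1-0 rule can be audited against an inventory of where your data lives. The sketch below is an added example, not part of the original article or any vendor's tooling; the inventory entries are constructed, and it assumes the live production data counts as one of the three copies and that a copy which has never been restore-tested fails the "0" rule.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                            # "disk", "nas", "object-storage", ...
    offsite: bool = False
    primary: bool = False                 # the live production data
    retain_until: Optional[date] = None   # WORM retention end; None = mutable
    restore_errors: Optional[int] = None  # last restore test; None = never tested

def audit(copies, today):
    """Evaluate each digit of 3-2-1-1-0 and return {rule: passed}."""
    backups = [c for c in copies if not c.primary]
    # A copy is only immutable while its retention period has not expired.
    locked = [c for c in backups if c.retain_until and c.retain_until > today]
    return {
        "3 copies": len(copies) >= 3,
        "2 media types": len({c.media for c in copies}) >= 2,
        "1 off-site": any(c.offsite for c in backups),
        # Assumption: the immutable copy must also be off-site (cloud).
        "1 immutable": any(c.offsite for c in locked),
        "0 restore errors": bool(backups)
                            and all(c.restore_errors == 0 for c in backups),
    }

def failures(copies, today):
    """Names of the rules the inventory does not meet."""
    return [rule for rule, ok in audit(copies, today).items() if not ok]

# Constructed inventory; names are hypothetical.
INVENTORY = [
    Copy("file-server", "disk", primary=True),
    Copy("office-nas", "nas", restore_errors=0),
    Copy("cloud-bucket", "object-storage", offsite=True,
         retain_until=date(2024, 6, 1), restore_errors=0),
]

if __name__ == "__main__":
    print(failures(INVENTORY, date(2024, 3, 1)))  # before retention expires
    print(failures(INVENTORY, date(2024, 7, 1)))  # after retention expires
```

Running the audit with a date past the retention end shows the immutable rule failing, a reminder that a lapsed lock no longer protects backups from deletion.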

No two hybrid backup products are the same so you should conduct rigorous testing to make sure they have the features to match your requirements. Look for vendors that offer time-limited free trials of their full solutions so you can try them out before parting with any cash.

Dave Mitchell

Dave is an IT consultant and freelance journalist specialising in hands-on reviews of computer networking products covering all market sectors from small businesses to enterprises. Founder of Binary Testing Ltd – the UK’s premier independent network testing laboratory - Dave has over 45 years of experience in the IT industry.

Dave has produced many thousands of in-depth business networking product reviews from his lab which have been reproduced globally. Writing for ITPro and its sister title, PC Pro, he covers all areas of business IT infrastructure, including servers, storage, network security, data protection, cloud, infrastructure and services.