Cybersecurity Handbook
Chapter 9

All You Need to Know About Backups and Archives!

The management of backups and archives touches on one of the three pillars of digital security: availability. To do your work effectively, your documents and media content must be available, up to date, and backed up in the appropriate places. 

How to ensure the availability of your documents

The measures for optimising the backups and archives of documents specifically touch on this key aspect of your work. Their objective is to help you find your up-to-date documents on a daily basis and to facilitate their recovery in case of a cyberattack, theft, breach, or loss of material. You are surely thinking: My organization and I are unlikely to come under a cyberattack … so why should we worry about this?

The answer is simple. The most frequent causes of cybersecurity failures are often trivial. 

Did you know that in Quebec, the primary cause of Internet outages is not criminal organizations or hackers hired by the secret service of the United Nations? Squirrels are the ones that, by digging and gnawing on things, end up severing cables.

Most cybersecurity issues will also have a rather ordinary cause: the random theft of a computer, your battery running out and turning off your computer while you’re in the middle of editing a document, or even your cat who, seeking some affection, spills your wine glass on your keyboard. 

In short, having an effective backup and archive policy helps you minimise the impact of these events and recover quickly. This is why you need to plan and formalize these strategies so that your team uses them effectively and consistently. We will help you establish a backup policy in this chapter. 

What is the difference between a backup and an archive?

First, it’s important to differentiate between what constitutes a backup and an archive

A backup is part of managing data in the short term (or while working on a project) while archives save information over the long term. Thanks to software such as Time Machine (Mac OS), you can make an exact copy of your computer at any given moment. This way, if you spill coffee on your computer, at least you’ll be able to recover all of its contents. The more often you back up your documents, the less work you will lose! In addition, if your most important documents are saved and synched on a cloud service in real time, you won’t lose anything … other than your computer. 

Archives are also copies of documents, but saved with the specific intention of accessing them in the future. The most important folders and files are therefore organized in a coherent and formalized manner. Recovering lost data can take time, especially if the files are misnamed or inefficiently organized. 

Normally the archive process can serve to free up space on your computer hard drive or on the organization’s servers. For example, once a project is completed, you can save it on an external hard drive or store it on a key. You can also keep a copy of your archives at a different location. A flood, theft, or fire can always happen. Diversifying the physical places where you keep the hard drives is always a winning strategy. 

Several actions can be taken to facilitate the systemization of the archive and backup processes. First it’s important to formalize a common reference system and to agree on the backup policies so that they are understood and followed by everyone in your organization. Lastly, in terms of archiving, it might be a good idea to designate a person responsible for carrying out and documenting the operations.

The “3-2-1” strategy

We hope that we have convinced you of the importance, usefulness, and effectiveness of the backup and archive processes. Now, how can you develop an optimal strategy?

In cybersecurity, we often refer to the “3-2-1” strategy for managing backup copies and important documents. Basically, this means having three different copies of what we wish to protect. Ideally, two copies will be on different devices (a computer, an external hard drive) and at least one copy will be offsite. 

For example, if you’re producing a short film, you can apply the “3-2-1” strategy. To do this, you will work with three copies of your document at all times. The first could be saved locally on your computer. The second could be stored on an external hard drive that you keep in a different location (at the house of a trusted friend, for example.) The third could be saved on a cloud service. For more information on the security of cloud services, see the Cloud Security chapter.

Obviously, this method has been devised to ensure the rock-solid resilience of your documents. You can also adopt intermediary strategies, depending on the sensitivity of the documents. What’s most important is formalizing a plan and rigorously implementing it on a daily basis.

Encrypting the backup copies

Whether you use a local or cloud backup, we recommend that you encrypt your sensitive data and configure the file sharing correctly.

To be fully effective and minimise the risks associated with the fact that some employees may forget their access or passphrase, this method should be implemented once everyone has thoroughly learned the passphrase policy. Once the data is encrypted, you won’t be able to access it if you forget your passphrase. It is therefore important to begin with mastering the password manager before starting to encrypt your hard drives.

Be patient and go easy on yourself. Security is a process. It’s much more effective and appropriate to change your individual and organizational practices in a slowly, but surely sustainable way than to try and change everything overnight.

The more prepared and trained you are to recover your data, the less time (and therefore money) you will lose in case of a problem. We encourage you to do simulations of your recovery plan to ensure its effectiveness. You will also get a better idea of the time needed to do the operation. 


  • Get into the habit of doing regular backups. 
  • Organize and formalize the backup and archive methods of your organization.
  • Use the “3-2-1” strategy for the most sensitive data and variants of the strategy for other documents.
  • Choose your backup strategies based on local backup methods and cloud solutions.
  • Encrypt your sensitive data (if you feel at ease with this process).
  • Test your recovery plan.

Useful links:

Chapter 10 Cloud Security All the Chapters