Your Backup Action Plan
Your Backup Action Plan

Photo by Jakub Zerdzicki on Pexels
You've learned the theory, the failures, the strategies, the types, and the threats. Now it's time to put it all together. Here's a concrete, step-by-step action plan you can implement this week to transform your backup posture from vulnerable to resilient.
Week 1: Assess and Inventory
- Conduct a data audit: List every server, workstation, and cloud service your business uses. For each, identify critical data (Tier 1), important data (Tier 2), and replaceable data (Tier 3). Use the tiering system from the "What Data" lesson.
- Document your current backup status: For each data source, note: Is it backed up? Where? How often? When was the last successful restore test? Be honest — "not sure" means "no."
- Identify gaps: Highlight every data source that is unbacked-up, backed up but untested, or backed up only on-site.
- Estimate your Recovery Time Objective (RTO): How long can your business survive without data? 4 hours? 24 hours? This drives your backup strategy.
Week 2: Implement the 3-2-1 Rule
- Install backup software:
- Linux/macOS:
apt install borgbackuporbrew install borg - Windows: Download Duplicati or Cobian Reflector
- Linux/macOS:
- Set up local backup (Copy 2): Configure a nightly backup to a local NAS or external USB drive. Use compression and deduplication.
- Set up off-site backup (Copy 3): Create a Backblaze B2 account ($6/TB/month). Configure Duplicati or Restic to push encrypted backups nightly. Enable Object Lock with 30-day immutability.
- Set retention policy: Keep 7 daily, 4 weekly, 6 monthly backups. Configure automatic pruning in your backup tool.
- Enable notifications: Configure email alerts for both backup success and failure. No alert = no monitoring.
Week 3: Harden Against Ransomware
- Enable append-only mode on Borg:
borg init --append-only /backups/repo. Use a restricted SSH key that can only runborg serve --append-only. - Segment your network: Move backup storage to a separate VLAN. Firewall rules: allow only the backup server to reach backup storage on specific ports.
- Create dedicated backup credentials: Separate SSH keys, separate cloud API keys with bucket-only permissions. Store in a password manager or on a YubiKey.
- Enable Object Lock on cloud storage: Set 30-day immutability on your Backblaze B2 or S3 bucket.
- Verify VSS (Windows): Ensure Volume Shadow Copy is enabled and protected. Monitor for Event ID 8224 (shadow copy deletion).
Week 4: Test Everything
- Run integrity check:
borg check --verify-data /backups/repoorrestic check --read-data. Fix any errors found. - Perform a file-level restore test: Restore 10 random files to a test directory. Verify they open and contain current data. Document results.
- Perform a database restore test: Restore your database backup to a test instance. Compare row counts to production. Run integrity checks.
- Time your restore: Measure total restore time from start to verified functional state. Compare against your RTO.
- Document the test: Fill out the Restore Test Report from the "How to Perform a Restore Test" lesson. File it for compliance.
Ongoing: Maintenance Schedule
| Task | Frequency |
|---|---|
| Monitor backup job status (email alerts) | Daily |
| Check backup storage capacity | Weekly |
| Run integrity verification | Weekly |
| File-level restore test | Monthly |
| Full restore test | Quarterly |
| Rotate backup credentials | Every 90 days |
| Disaster recovery simulation | Annually |
Free Tools Summary
- BorgBackup — Local deduplicating backups with append-only mode
- Restic — Encrypted off-site backups to cloud storage
- Duplicati — Cross-platform GUI backup with cloud destinations
- Backblaze B2 — Low-cost cloud storage with Object Lock ($6/TB/month)
- Bitwarden — Free password manager for storing backup credentials
- Auditd / Sysmon — Monitor for ransomware activity targeting backups
Key Takeaways
- Week 1: Assess and inventory your data. Know what you have and what's at risk.
- Week 2: Implement 3-2-1 with free tools. Local backup + off-site cloud backup.
- Week 3: Harden against ransomware with air gaps, immutability, and network segmentation.
- Week 4: Test everything. An untested backup is just a hope.
- Ongoing: Follow the maintenance schedule — backups are a process, not a one-time project.
Your Backup Action Plan

Photo by Jakub Zerdzicki on Pexels
You've learned the theory, the failures, the strategies, the types, and the threats. Now it's time to put it all together. Here's a concrete, step-by-step action plan you can implement this week to transform your backup posture from vulnerable to resilient.
Week 1: Assess and Inventory
- Conduct a data audit: List every server, workstation, and cloud service your business uses. For each, identify critical data (Tier 1), important data (Tier 2), and replaceable data (Tier 3). Use the tiering system from the "What Data" lesson.
- Document your current backup status: For each data source, note: Is it backed up? Where? How often? When was the last successful restore test? Be honest — "not sure" means "no."
- Identify gaps: Highlight every data source that is unbacked-up, backed up but untested, or backed up only on-site.
- Estimate your Recovery Time Objective (RTO): How long can your business survive without data? 4 hours? 24 hours? This drives your backup strategy.
Week 2: Implement the 3-2-1 Rule
- Install backup software:
- Linux/macOS:
apt install borgbackuporbrew install borg - Windows: Download Duplicati or Cobian Reflector
- Linux/macOS:
- Set up local backup (Copy 2): Configure a nightly backup to a local NAS or external USB drive. Use compression and deduplication.
- Set up off-site backup (Copy 3): Create a Backblaze B2 account ($6/TB/month). Configure Duplicati or Restic to push encrypted backups nightly. Enable Object Lock with 30-day immutability.
- Set retention policy: Keep 7 daily, 4 weekly, 6 monthly backups. Configure automatic pruning in your backup tool.
- Enable notifications: Configure email alerts for both backup success and failure. No alert = no monitoring.
Week 3: Harden Against Ransomware
- Enable append-only mode on Borg:
borg init --append-only /backups/repo. Use a restricted SSH key that can only runborg serve --append-only. - Segment your network: Move backup storage to a separate VLAN. Firewall rules: allow only the backup server to reach backup storage on specific ports.
- Create dedicated backup credentials: Separate SSH keys, separate cloud API keys with bucket-only permissions. Store in a password manager or on a YubiKey.
- Enable Object Lock on cloud storage: Set 30-day immutability on your Backblaze B2 or S3 bucket.
- Verify VSS (Windows): Ensure Volume Shadow Copy is enabled and protected. Monitor for Event ID 8224 (shadow copy deletion).
Week 4: Test Everything
- Run integrity check:
borg check --verify-data /backups/repoorrestic check --read-data. Fix any errors found. - Perform a file-level restore test: Restore 10 random files to a test directory. Verify they open and contain current data. Document results.
- Perform a database restore test: Restore your database backup to a test instance. Compare row counts to production. Run integrity checks.
- Time your restore: Measure total restore time from start to verified functional state. Compare against your RTO.
- Document the test: Fill out the Restore Test Report from the "How to Perform a Restore Test" lesson. File it for compliance.
Ongoing: Maintenance Schedule
| Task | Frequency |
|---|---|
| Monitor backup job status (email alerts) | Daily |
| Check backup storage capacity | Weekly |
| Run integrity verification | Weekly |
| File-level restore test | Monthly |
| Full restore test | Quarterly |
| Rotate backup credentials | Every 90 days |
| Disaster recovery simulation | Annually |
Free Tools Summary
- BorgBackup — Local deduplicating backups with append-only mode
- Restic — Encrypted off-site backups to cloud storage
- Duplicati — Cross-platform GUI backup with cloud destinations
- Backblaze B2 — Low-cost cloud storage with Object Lock ($6/TB/month)
- Bitwarden — Free password manager for storing backup credentials
- Auditd / Sysmon — Monitor for ransomware activity targeting backups
Key Takeaways
- Week 1: Assess and inventory your data. Know what you have and what's at risk.
- Week 2: Implement 3-2-1 with free tools. Local backup + off-site cloud backup.
- Week 3: Harden against ransomware with air gaps, immutability, and network segmentation.
- Week 4: Test everything. An untested backup is just a hope.
- Ongoing: Follow the maintenance schedule — backups are a process, not a one-time project.
Rating
0
0
There are no comments for now.
Join this Course
to be the first to leave a comment.