Data Backup & Recovery — Canadian Baseline Control BC.7

What Data Backup & Recovery Means

Data backup and recovery is the practice of creating and maintaining copies of important business data so it can be restored if the original is lost, corrupted, or made inaccessible. Under the Canadian Centre for Cyber Security's Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089), control BC.7 addresses the need for organizations to implement reliable backup processes and verify that data can be recovered when needed.

Whether caused by ransomware, hardware failure, accidental deletion, or a natural disaster, data loss can halt business operations entirely. A tested backup and recovery plan ensures your organization can resume critical functions within an acceptable timeframe.

This page provides educational information based on publicly available Canadian Centre for Cyber Security guidance. It is not professional cybersecurity advice. Organizations should consult qualified professionals for advice tailored to their specific circumstances.

What the Canadian Centre for Cyber Security Recommends

The CCCS Baseline Controls (ITSM.10.089) recommend that organizations back up important data and system configurations regularly, and that they test the ability to restore from those backups. The guidance emphasizes that backups must be protected from the same threats they are meant to defend against.

Key recommendations from the CCCS include:

• Back up important information and systems regularly, including data, system configurations, and application settings.
• Store at least one backup copy offline or offsite, disconnected from the organization's network, to protect against ransomware and other network-based threats.
• Test backup restoration regularly to confirm that data can actually be recovered and that the recovery process works as expected.
• Encrypt backup data, particularly when it is stored offsite or transmitted over networks, to protect confidentiality.
• Document backup procedures so that staff know what is being backed up, where backups are stored, and how to initiate a restore.

The CCCS has also published guidance on ransomware specifically, emphasizing that offline backups are one of the most effective ways to recover from a ransomware incident without paying a ransom.

Why This Matters for Canadian Businesses

Data loss is not a theoretical risk for Canadian SMBs — it is a regular occurrence. Hardware failures, ransomware attacks, accidental deletions, and software errors can all result in the loss of critical business data. The consequences vary depending on the nature and volume of data affected, but can include:

• Operational shutdown if essential business systems cannot function without the lost data.
• Financial losses from downtime, lost productivity, and the cost of data reconstruction or ransom payments.
• Regulatory consequences under PIPEDA and provincial privacy laws if personal information is permanently lost or exposed during a data loss event.
• Loss of customer trust if client records, orders, or service histories cannot be recovered.

The CCCS National Cyber Threat Assessment has consistently identified ransomware as one of the top threats to Canadian organizations. Ransomware attacks specifically target an organization's ability to access its own data, making reliable, isolated backups essential to recovery.

How to Get Started

Building a reliable backup and recovery capability does not require enterprise-grade infrastructure. The following steps provide a practical starting point for Canadian SMBs.

1. Identify What Needs to Be Backed Up

Start by inventorying your critical data and systems. This typically includes:

• Financial records and accounting data
• Customer and client databases
• Employee records
• Email and communications
• Business documents and intellectual property
• System configurations and application settings
• Website and e-commerce data

Not all data has equal value. Prioritize based on what your business needs to operate and what would be most costly or difficult to reconstruct. Our free assessment can help identify gaps in your current backup practices.

2. Apply the 3-2-1 Backup Rule

The 3-2-1 rule is a widely recognized backup strategy that aligns with CCCS recommendations:

• 3 copies of your data (the original plus two backups)
• 2 different storage types (for example, local disk and cloud storage, or local disk and external hard drive)
• 1 copy offsite or offline (physically separated from your primary network)

The offline or offsite copy is particularly important because ransomware and other malware can encrypt or destroy backups that are accessible on the same network as the compromised systems.

3. Automate Your Backups

Manual backup processes are prone to being forgotten or performed inconsistently. Use automated backup solutions that run on a defined schedule. The appropriate frequency depends on how often your data changes:

• Daily backups for data that changes frequently, such as transaction databases and email.
• Weekly backups for data that changes less often, such as system configurations.
• Real-time or near-real-time replication for systems where any data loss is unacceptable, though this is typically more relevant for larger organizations.

4. Encrypt Your Backups

Backup media and files should be encrypted, especially when stored offsite or in cloud services. Unencrypted backups represent a data breach risk if the storage media is lost, stolen, or improperly disposed of. Use strong encryption standards and manage encryption keys securely and separately from the backup data itself.

5. Define Recovery Time and Recovery Point Objectives

Two key metrics guide backup planning:

• Recovery Time Objective (RTO) — How quickly you need to restore systems and data after a disruption. This determines how fast your recovery process must be.
• Recovery Point Objective (RPO) — How much data loss is acceptable, measured in time. An RPO of 24 hours means you can afford to lose up to one day of data, which implies daily backups at minimum.

These objectives should be determined in consultation with business leadership and should drive your backup frequency and recovery infrastructure decisions.

6. Test Your Restores Regularly

A backup that has never been tested is not a reliable backup. Schedule regular test restores to verify that:

• Backup files are complete and not corrupted
• The restore process works as documented
• Data can be recovered within your defined RTO
• Staff know how to perform a restore

Document the results of each test and address any issues promptly. Consider testing restores to a separate environment to avoid disrupting production systems.

Common Mistakes to Avoid

Backup and recovery programs frequently fall short due to avoidable errors. Be aware of these common pitfalls.

Backups Connected to the Network

If all of your backups are accessible from your primary network, ransomware can reach and encrypt them along with your production data. The CCCS specifically recommends maintaining at least one backup copy that is offline or otherwise isolated. This could be an external hard drive stored securely offsite, a tape backup, or a cloud backup with immutable storage settings.

Never Testing Restores

Organizations frequently discover their backups are incomplete, corrupted, or incompatible only when they attempt to restore after an actual incident. Regular test restores are essential. A backup process that has never been verified provides only a false sense of security.

Backing Up Only User Files

Restoring individual files is important, but full recovery from a major incident also requires system configurations, application settings, databases, and potentially operating system images. Ensure your backup scope covers everything needed to rebuild your environment.

No Documentation of Backup Procedures

If only one person knows how to perform and restore backups, you have a significant single point of failure. Document procedures clearly and ensure multiple staff members are trained. This documentation should be part of your incident response plan.

Ignoring Cloud Data

Many organizations assume that data stored in cloud services is automatically backed up by the provider. While cloud providers typically maintain infrastructure redundancy, they may not protect against accidental deletion, account compromise, or data corruption in the way an independent backup would. Understand your cloud provider's data protection capabilities and supplement them if necessary.

Connecting Backup & Recovery to Other Controls

Backup and recovery works alongside other Baseline Controls to provide comprehensive protection:

• Incident Response (BC.1) — Your incident response plan should include detailed procedures for restoring from backups, including who is responsible and how to prioritize system recovery.
• Cloud Services Security (BC.10) — If your organization uses cloud services, ensure that cloud data is included in your backup strategy and that you understand the shared responsibility model for data protection.
• Anti-Malware (BC.3) — Anti-malware controls help prevent ransomware and other threats that cause data loss, while backups provide a recovery path if those preventive controls are bypassed.

For a complete view of how all 13 Baseline Controls work together, visit the controls overview page or take the free assessment to evaluate your organization's current posture.

Additional Resources

• CCCS Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089)
• CCCS — Ransomware: How to Prevent and Recover (ITSAP.00.099)
• Cybersecurity Canada Resources Page
• Free Cybersecurity Baseline Assessment