The most expensive sentence a manager can say is: "Oh, I thought we had backup." The reality is that most companies in Colombia have "something like a backup" — an external disk in a drawer, a Google Drive folder, manual copies someone makes when they remember. That's not business backup.
Business backup is a documented, automated, and tested strategy so that when the moment to recover arrives — and it always does — your business does it in hours, not days, without losing more data than your tolerance policy allows. This guide gives you the complete framework to understand, design, and maintain a backup strategy that actually works.
What counts as business backup (and what doesn't)
Seven minimum criteria. If your "backup" doesn't meet all seven, it's home-grade backup: (1) automated without human intervention, (2) documented schedule per system, (3) monitored 24/7 with failure alerts, (4) tested at least monthly with real restoration, (5) immutable or air-gapped against ransomware, (6) documented retention per legal or business requirement, (7) with documented and measured RTO and RPO.
The 3 concepts that change the conversation
RPO (Recovery Point Objective) — How much data can you afford to lose? If your RPO is 24 hours, your last copy is from yesterday and everything that happened today is lost if a disaster hits now. For transactional systems, RPO is typically hours or minutes.
RTO (Recovery Time Objective) — How long can you be down? An RTO of 8 hours means that within 8 hours your business must be operating again, not that the backup takes 8 hours to run. Mass restoration includes preparing the environment, restoring data, validating, and re-granting access.
Retention — How long do you need to keep copies? Legal or regulatory requirements may demand 7 years or more for tax and personal data matters. Operationally, 30-90 days usually suffices for human errors (someone deleted a file).
The 3-2-1 rule (and why today it falls short)
The classic rule: 3 copies of data, on 2 different media, with 1 offsite copy. The modern evolution is 3-2-1-1-0: add 1 immutable copy and 0 errors in restoration tests. Without immutability, your backups are vulnerable to the same ransomware that wiped out production.
Immutable backups vs ransomware
By default, your backups are connected to the network. If the network is compromised, modern ransomware seeks and destroys backups before encrypting production. Immutability breaks that vector: once a backup is written, it cannot be modified or deleted — not even with compromised admin credentials. Technologies: WORM (Write Once Read Many), logical air-gap, cloud immutability (S3 Object Lock, Azure Blob immutable, Wasabi).
What to back up: the per-system matrix
| System | Frequency | Retention | Target RTO |
|---|---|---|---|
| Production databases | Daily | 30 days | 2 h |
| NAS / shared files | Daily | 90 days | 4 h |
| M365 (Exchange/OneDrive/SharePoint) | Daily | 7 years (legal) | 4 h |
| Production VMs | Weekly full + daily incremental | 90 days | 8 h |
| Executive endpoints | Weekly | 30 days | Best-effort |
How to choose between on-prem, cloud, or hybrid
On-prem is optimal when you have large volumes (>10 TB), limited connectivity, or a regulatory requirement to keep data on-site. Cloud is optimal when you want predictable operating cost, don't want to maintain hardware, and need resilience against geographic disasters. Hybrid combines the best: local copy for fast RTO + cloud offsite for resilience. It's the most common model for SMBs in Colombia.
What it really costs
Honest ranges in COP: initial setup 4-12 million depending on complexity. Typical monthly fee for an SMB with 500 GB of data + M365 for 30 users: between 800,000 and 1,800,000 COP/month depending on RTO and retention. If someone quotes "business backup" below that, ask what's included. Most likely immutability or testing is missing.
How to test a backup correctly
Run a DR test at least monthly. Do a real restoration (not simulated) to an environment isolated from production. Measure real recovery time vs target RTO. Validate data integrity. Document the result in an executive report. If you've never tested it, you don't have backup — you have a file you think is backup.
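The 3-2-1-1-0 rule, the matrix targets, and the monthly restore test described above can be checked mechanically against a backup inventory. The following is an added example, not part of the original guide; the inventory layout, the system names `prod-db` and `nas`, the 24-hour RPO read off "Daily", and the 31-day test window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Targets from the matrix above; max_age_h is an assumed RPO read off "Daily".
POLICY = {
    "prod-db": {"max_age_h": 24, "retention_d": 30, "rto_h": 2},
    "nas": {"max_age_h": 24, "retention_d": 90, "rto_h": 4},
}

def audit(system, backups, restore, now):
    """Findings for one system; [] means compliant. backups excludes production.
    restore is the last DR test (when, hours, errors) or None if never tested."""
    p, out = POLICY[system], []
    # 3-2-1-1-0; the production data itself is assumed to count as copy 1.
    if len(backups) + 1 < 3:
        out.append("fewer than 3 copies")
    if len({b["media"] for b in backups}) < 2:
        out.append("fewer than 2 media")
    if not any(b["offsite"] for b in backups):
        out.append("no offsite copy")
    if not any(b["immutable"] for b in backups):
        out.append("no immutable copy")
    # RPO: the newest backup bounds how much data a disaster right now would lose.
    newest = max((b["taken"] for b in backups), default=None)
    if newest is None or now - newest > timedelta(hours=p["max_age_h"]):
        out.append("newest copy older than RPO")
    if not any(b["keep_days"] >= p["retention_d"] for b in backups):
        out.append("retention shorter than policy")
    # Restore test: monthly, zero errors, measured time within the target RTO.
    if restore is None or now - restore["when"] > timedelta(days=31):
        out.append("no restore test in the last month")
    else:
        if restore["errors"] > 0:
            out.append("restore test had errors")
        if restore["hours"] > p["rto_h"]:
            out.append("measured restore time exceeds RTO")
    return out

# Constructed sample inventory (not real data).
NOW = datetime(2024, 6, 1, 8, 0)
def mk(media, offsite, immutable, age_h, keep_days):
    return {"media": media, "offsite": offsite, "immutable": immutable,
            "taken": NOW - timedelta(hours=age_h), "keep_days": keep_days}

DB_BACKUPS = [mk("nas", False, False, 6, 30), mk("object-storage", True, True, 6, 30)]
DB_RESTORE = {"when": NOW - timedelta(days=10), "hours": 1.5, "errors": 0}
NAS_BACKUPS = [mk("usb-disk", False, False, 72, 14)]
if __name__ == "__main__":
    print("prod-db:", audit("prod-db", DB_BACKUPS, DB_RESTORE, NOW))
    print("nas:", audit("nas", NAS_BACKUPS, None, NOW))
```

The constructed `nas` entry, a single three-day-old USB disk that was never test-restored, fails every check, which is the "something like a backup" case from the introduction.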
Common errors that invalidate the entire strategy
- "I have the backup, but I never tested it." When you need it, you'll discover it was broken months ago.
- "The backup is on the same network as production." Ransomware eliminates it as a first step.
- "I configured it once 3 years ago." Things changed — users, systems, volumes. Your backup probably no longer covers what you think.
- "I only back up files, not databases." Databases in use require transactional backup, not file copy.
- "The person responsible left the company." If no one knows how to restore, the backup doesn't exist.