Security & maintenance

Backup encryption and off-site copies (practical minimum)

Updated 2026-04-11 · Practical guide for NZ small businesses

Short answer: Backups should be off-site, restore-tested, and encrypted if they contain customer or commercial data, so a stolen laptop or breached panel does not leak the whole business.

Ransomware and host failures both happen, and either can take out a copy kept on the same server as the site, so a “same server copy” is not a backup.

Practical minimum for NZ SMEs

  • Automated daily backups of files and database, sent to a different cloud account than production.
  • 30–90 day retention depending on compliance and how often you publish.
  • Quarterly restore drill to a staging URL—discover corruption before a crisis.
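
A minimal restore drill for the list above, as an added example rather than code from this guide: it records SHA-256 hashes at backup time, restores the archive into a scratch directory, and reports files that are missing or differ. The function names, archive layout and sample site are constructed for illustration; encryption and the off-site upload are assumed to be handled by your backup provider.

```python
import hashlib, tarfile, tempfile
from pathlib import Path

def manifest(root):
    """Map each file's relative path to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def take_backup(source, archive):
    """Archive source; the returned manifest is stored apart from the archive."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)

def restore(archive, target):
    """Extract regular files only, skipping any path that escapes target."""
    target = target.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            dest = (target / member.name).resolve()
            if member.isfile() and target in dest.parents:
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(tar.extractfile(member).read())

def restore_drill(archive, recorded):
    """Restore into a scratch directory and compare against the manifest."""
    error = None
    with tempfile.TemporaryDirectory() as scratch:
        try:
            restore(archive, Path(scratch))
        except Exception as exc:  # an archive that cannot be read fails the drill
            error = f"{type(exc).__name__}: {exc}"
        restored = manifest(Path(scratch))
    missing = sorted(recorded.keys() - restored.keys())
    corrupt = sorted(k for k, h in restored.items() if k in recorded and recorded[k] != h)
    return {"error": error, "missing": missing, "corrupt": corrupt,
            "passed": not (error or missing or corrupt)}

SAMPLE = {"index.html": b"<h1>Brochure site</h1>", "uploads/logo.png": b"\x89PNG sample",
          "db/dump.sql": b"INSERT INTO customers VALUES (1, 'Sample');"}  # constructed data
def build_sample_site(root):
    for name, data in SAMPLE.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:
        site, archive = Path(work, "site"), Path(work, "site.tar.gz")
        build_sample_site(site)
        print(restore_drill(archive, take_backup(site, archive)))
```

Keep the manifest somewhere other than the backup bucket, so a damaged or tampered archive cannot also rewrite the hashes it is checked against.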

Encryption in plain terms

Encrypt backups at rest if your provider supports it, restrict who holds keys, and avoid emailing database dumps. For regulated sectors, align with your adviser’s expectations—this article is general guidance only.

3-2-1 mindset

Three copies, two media types, one off-site is the classic mantra. Adapt to cloud reality: immutable backup buckets and versioned objects often satisfy two goals at once.

Frequently asked questions

Does my host “backup” count?

Only if you can restore on demand and it is independent of a single panel login—verify, do not assume.

Should backups include uploads?

Usually yes. Media is often the largest and hardest-to-reconstruct part of a brochure site.