Backup is not DR – and the difference could cost you business

\n\n

Almost all companies have backups. That’s a fact. But ask an IT manager when was the last time they actually tested the restore – not just ran a script and got a green checkmark, but actually restored a complete environment and verified that everything worked. The answer is usually an awkward silence.

There is another, even more sensitive topic: the disaster recovery plan. The one that will save the business when things really go wrong. Many organizations have a document called a ‘DR plan’. Fewer have a plan that actually holds up under pressure. And even fewer have defined what they actually promise their business in terms of RPO and RTO – the two metrics that determine whether you survive a disaster or not.

This post clarifies the concepts. Not to be academic, but because misunderstanding the difference between backup, replication, disaster recovery and business continuity can be exactly what determines whether you’re up and running on Monday morning – or not.

Four concepts that are often confused

backup

Backup is a copy of data at a given point in time. It is copied to a separate medium – another storage system, another site, the cloud – and stored there until it is needed. A classic backup strategy works with scheduled jobs: nightly full backups, incremental or differential runs in between.

What backups are not, despite popular belief: a guarantee of fast recovery. A backup is an archive. Retrieving something from an archive takes time – sometimes hours, sometimes days depending on volume and technology.

Backup answers the question: Can we recover the data if we lose it?

Replication

Replication is the continuous or near real-time copying of data to another system or location. Unlike backup, replication is not an archive – it is a mirror. This means that if you accidentally delete a file, ransomware encrypts your files, or an application writes corrupt data, that damage is mirrored directly to the replica.

So replication alone does not protect against logical errors or human mistakes. It protects against hardware failures and site disasters – but with one important difference from backup: you can potentially switch over to the replicated environment in minutes rather than hours.

Replication answers the question: can we quickly have a working copy of the environment in another location?

Disaster Recovery (DR)

DR is the whole picture – the orchestrated process of restoring IT environments and business processes after a disruption. It can involve activating a secondary data center, failover to the cloud, or a combination of both. A DR plan without defined RPO/RTOs is not really a plan – it’s a wish list.

• RPO – Recovery Point Objective: How old can the data be that we recover? Do we accept to lose 24 hours of transactions? Four hours? Fifteen minutes? The RPO determines how tight your backup or replication strategy needs to be.
• RTO – Recovery Time Objective: How long can it take to be up and running again? Three hours? Twelve? Three days? RTO determines how complex and costly your DR infrastructure needs to be. Lower RTO = higher cost.

DR answers the question: How quickly can we restore functionality, and with how old data?

Business Continuity (BC)

Business continuity is the broadest concept and is about how the business continues to function during and after a breakdown – not just the IT systems. It includes contingency plans for manual handling, communication plans, alternative premises, staff planning and customer communication.

A perfectly functioning DR plan but without a BC plan means that IT is up and running – but no one knows what to do, who to communicate with customers, or how to manage the three days without system support.

BC answers the question: How do we keep business going, no matter what happens?

Three scenarios that reveal where you actually are

Theory is one thing. This is reality.

Scenario 1: Ransomware

Monday morning. Employees cannot log in. A ransom note appears on the screen. The ransomware encrypted all files on Friday night – and the mirroring replicated the encryption directly to your secondary data center.

The organizations that do best out of ransomware attacks are not necessarily the ones with the best security. They are the ones that have prepared the recovery process and know exactly what they are doing when it happens.

Scenario 2: Hardware failure in primary data center

Friday afternoon. A SAN controller fails, taking a critical production system with it. The backups are in place – but it takes six hours to restore the system from scratch and another two hours to verify the data.

Eight hours may be acceptable for an internal HR system. It is not acceptable for an order system that processes millions of dollars per hour.

The crucial question is: Have you defined different RTOs for different systems? And is your infrastructure built to deliver on that promise?

Scenario 3: Fire or total loss of place

Unusual, but it happens. Firefighter shuts off power, sprinklers activate, water leak from floor above – your primary server room is unusable.

Here, backup on an external disk in the desktop is irrelevant. Replication to another geographical site decides everything. But have you tested the failover process? Do staff know what to do? Are DNS records, licenses and configurations documented and accessible outside the data center that is now under water?

What should a modern backup architecture include in 2026?

The threat landscape has changed dramatically in the last five years. A modern data protection architecture needs to address:

The 3-2-1-1-0 rule – the new basic pattern

The classic 3-2-1 rule (three copies, two media, one offsite) is no longer enough. Modern recommendations add up:

+1: A copy that is offline or air-gapped and inaccessible from the network
+0: Zero undetected errors – the backup is regularly verified with automated integrity tests

Immutable storage

Ransomware-protected storage that cannot be modified or deleted for a defined retention period. Many modern platforms, including Cohesity and Rubrik, offer this as a standard feature with object locking (WORM).

Automated recovery tests

A backup you’ve never tested is a backup you can’t trust. Modern solutions can automate recovery tests in isolated sandbox environments and report that the recovery actually works – without you having to involve a person.

Granular recovery

Having to restore an entire virtual machine to retrieve a single file is not acceptable. Modern data protection platforms allow file-level, object, application, and database granular recovery without the need to roll back the entire environment.

Integration with the cloud

The cloud is no longer an add-on – it is a strategic part of the DR architecture. The ability to failover workloads to Azure, AWS or a private cloud environment provides a flexibility that previously required a secondary physical data center.

Centralized management and visibility

Having ten different backup agents for ten different systems is an administration that fails under pressure. A unified platform with uniform policy, reporting and alert management makes a difference – not least when it comes to proving compliance with NIS2, for example.

Cohesity and Rubrik – modern data protection platform in practice

The market for enterprise data protection has consolidated significantly. Cohesity and Rubrik are the two dominant platforms addressing the very challenges described above – and they are fundamentally different in their architecture.

What they have in common is that they replace fragmented backup environments with a unified platform that handles backup, replication, DR orchestration and data management. They offer immutable storage, automated recovery tests and native integration with the major cloud platforms.

Cohesity focuses heavily on data intelligence and managing the data landscape at large – classification, compliance, and the ability to actually use your secondary data analytically.

Rubrik has made security integration its strongest card – with cyber resilience features deeply embedded in the platform, including threat detection in the backup data.

We’ve done a deep dive into the differences in a separate post: The architecture duel: Cohesity vs Rubrik.

Backup as a service – when personal responsibility is too heavy

Many organizations lack the resources, skills or time to build and maintain a modern data protection infrastructure in-house. This is not a sign of weakness – it is a realistic assessment of what is reasonable to manage in-house.

Backup as a Service (BaaS) means that an external partner takes responsibility for the infrastructure, monitoring, testing and – when required – recovery. Properly designed, it includes:

• Defined RPO/RTO commitments in the contract (not wishful thinking)
• Regular tests with documented results
• 24/7 monitoring and alarm management
• Transparent reporting on backup status and coverage

The core of a BaaS contract is not the technology – it is the actual SLA commitments. Always make sure that RPO and RTO are specified per system class, that testing frequency is contracted, and that responsibilities in case of a failure are crystal clear.

Where do you start?

If this post has raised questions about your own environment, it’s a good start. There are some concrete steps you can take already this week:

1. inventory and classify your systems

Which systems are business-critical? Which are important but can wait? Which are nice-to-have? The answer to that question determines the level of protection each system needs.

2. define RPO and RTO per system class

Not what you think you have – but what you can actually deliver based on current infrastructure, and what the business actually needs.

3. test your backup

Plan an actual recovery exercise. Not a theoretical test – an actual recovery of a critical system in an isolated environment. Document the outcome.

4. Review where your backups are stored

Are they accessible from the same network as your primary environment? If the answer is yes – you have a problem if ransomware strikes.

5. evaluate whether the current architecture matches your actual RTO commitments

It’s better to know now than to find out during an ongoing breakdown.