Backup Security: Encryption, Access Control, and Retention
Secure your backups with encryption at rest and in transit, role-based access controls, and retention policies that match your business and legal requirements.
Last updated: March 20, 2026
A Mobile insurance agency stored encrypted backups in the cloud. When their office was broken into, thieves took three laptops and an external hard drive. The laptops were encrypted — BitLocker had been enabled. The external hard drive was not. It contained unencrypted backups of client policy documents, Social Security numbers, and claims history.
Encrypting the laptops doesn't help if the backup itself isn't encrypted.
Here's what backup security actually requires.
The Three Layers of Backup Security
1. Encryption
Encryption converts your data into unreadable code that can only be decrypted with the correct key.
Two types that matter:
Encryption at rest: Protects data stored on a drive, NAS, or cloud storage. If someone steals the hardware or breaks into your cloud account, they see gibberish without the key.
Encryption in transit: Protects data moving between your computers and your backup destination. Without this, a man-in-the-middle attack could intercept and read your data as it uploads.
What most backup tools do:
- Cloud backup services (Backblaze, Carbonite, CrashPlan): Encrypt at rest and in transit by default
- Built-in OS tools (Windows Backup, Time Machine): Encrypt if you enable BitLocker/FileVault
- Most business backup software: Encrypt if you configure it — often off by default
What most SMBs actually do: Leave encryption off because it complicates setup, then are surprised when a stolen laptop or breached cloud account exposes their backup data.
Encryption standards that matter:
- AES-256: Military-grade, standard for financial and healthcare data. Use this.
- AES-128: Still secure for most purposes, faster.
- DES/3DES: Outdated. Don't use anything older than AES.
- Vendor proprietary: Ask what standard they use. If they can't answer, assume they're using something weaker than AES-256.
2. Access Control
Access control determines who can view, modify, and restore your backups.
The problem: Most backup systems grant broad access by default. The same account that backs up your data can also restore it anywhere. If that account is compromised, attackers can:
- Download your entire backup
- Delete your backups (so you can't restore)
- Modify backup retention (delete evidence)
- Use backup access to pivot into other systems
What you need:
Separate credentials for backup administration vs. backup restoration. The person who sets up backups shouldn't necessarily be the only person who can restore. The person who can restore shouldn't be able to delete all backups.
Multi-factor authentication (MFA) on backup accounts. This is non-negotiable for business data. If your backup vendor supports MFA and you haven't enabled it, enable it today.
Role-based access control (RBAC): Different staff should have different levels of backup access. Your accountant might need to restore accounting files but not HR files. Your IT person might need full access. Your office manager might need no backup access at all.
What most backup vendors provide:
- Backblaze B2: IAM policies, bucket policies, signed URLs, MFA
- AWS S3: Full IAM, RBAC, bucket policies (complex but powerful)
- Synology NAS: Local user accounts, group permissions, no MFA without a Synology account
- Veeam: Role-based access, MFA if configured
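The access-control point above (a compromised backup credential that can also delete backups or shorten retention) is easiest to check mechanically. The following is an added example, not code from the page or from any vendor listed: it reads an AWS S3-style IAM policy document and reports which destructive actions it grants the backup writer. The policy documents and the `example-backups` bucket name are constructed samples, and the set of "destructive" actions is this example's own choice.

```python
"""Least-privilege check for backup-writer credentials (added example).

The credential that *writes* backups should not be able to delete them or
quietly expire them. This linter takes an AWS S3-style IAM policy document and
returns the destructive actions it effectively allows. All policies and bucket
names below are constructed samples.
"""
import fnmatch
import json

# Actions that let a stolen backup credential destroy or silently shorten
# backup history. Lifecycle, versioning and bucket-policy changes count:
# expiring objects via a lifecycle rule deletes them as surely as DeleteObject.
DESTRUCTIVE_ACTIONS = frozenset({
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:DeleteBucket",
    "s3:PutLifecycleConfiguration",
    "s3:PutBucketVersioning",
    "s3:PutBucketPolicy",
})


def _as_list(value):
    """IAM accepts a string or a list for Action and Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _destructive_matches(statement):
    """Expand the statement's Action patterns (case-insensitive, wildcards
    allowed, e.g. "s3:*" or "s3:Delete*") against the destructive set."""
    hits = set()
    for pattern in _as_list(statement.get("Action")):
        for action in DESTRUCTIVE_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                hits.add(action)
    return hits


def destructive_grants(policy):
    """Return the destructive actions a policy effectively allows.

    An explicit Deny overrides an Allow, as in IAM. Resource and Condition
    scoping and NotAction are deliberately ignored, so the check is
    conservative: any grant is treated as reaching the backup bucket.
    """
    allowed, denied = set(), set()
    for statement in _as_list(policy.get("Statement")):
        effect = statement.get("Effect")
        if effect == "Allow":
            allowed |= _destructive_matches(statement)
        elif effect == "Deny":
            denied |= _destructive_matches(statement)
    return allowed - denied


def lint(policy):
    """True when the policy is safe to hand to the backup *writer*."""
    return not destructive_grants(policy)


def load_policy(path):
    """Read a policy document exported from the console or CLI."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample: what a backup-writer credential should look like.
BACKUP_WRITER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload"],
         "Resource": "arn:aws:s3:::example-backups/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-backups"},
    ],
}

# Constructed sample: the broad default the page warns about.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed sample: a writer that was "just given delete" for convenience.
WRITER_WITH_DELETE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:PutObject", "s3:DeleteObject"],
                   "Resource": "arn:aws:s3:::example-backups/*"}],
}

# Constructed sample: broad Allow fenced by an explicit Deny, which wins in IAM.
GUARDRAILED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["s3:Delete*", "s3:PutLifecycleConfiguration",
                    "s3:PutBucketVersioning", "s3:PutBucketPolicy"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in [("writer", BACKUP_WRITER_POLICY),
                         ("full access", FULL_ACCESS_POLICY),
                         ("writer+delete", WRITER_WITH_DELETE),
                         ("guardrailed", GUARDRAILED_POLICY)]:
        bad = sorted(destructive_grants(policy))
        print(f"{name:14} {'OK' if not bad else 'RISK: ' + ', '.join(bad)}")
```

Run it against the policy attached to whatever account your backup software logs in with; the writer should come back clean, and deletion and retention changes should require a separate administrator credential protected by MFA, as described above.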
3. Retention Policies
Retention policies determine how long backup data is kept.
The business question: If a file is accidentally deleted today, how far back can we go to recover it?
The legal question: Are we legally required to keep certain records for a specific period?
Common retention mistakes:
- Keeping backups too short: 30-day retention sounds fine until you realize someone accidentally deleted a file and didn't notice for 45 days.
- Keeping backups too long: Unlimited retention sounds safe but can expose you to legal liability if old data is breached.
- No clear ownership: Nobody knows who decides retention policy, so it never gets reviewed.
Retention requirements by business type:
| Industry | Typical Requirement |
|----------|---------------------|
| General business | 7 years for tax records |
| Healthcare (HIPAA) | 6 years for records containing PHI |
| Legal | 7 years after case close (varies by state) |
| Construction | 7 years after project completion |
| Financial services | 7 years (SEC) to life of entity (FINRA) |
| Restaurants | 3 years (tax), 1 year (health inspections) |
For backup purposes: Keep full backups for at least 30 days, ideally 90 days. After that, you can archive weekly or monthly snapshots if space costs are manageable.
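The retention schedule just described (full backups for a daily window, then weekly, then monthly snapshots out to the legal horizon) and the "deleted, not noticed for 45 days" mistake can both be worked through in code. This is an added example, not code from the page: the tier boundaries are parameters, the defaults follow the recommendations above (30-day daily window, 84 months of monthly snapshots for the 7-year tax horizon), and the backup set is a constructed sample of one full backup per day for the last 400 days.

```python
"""Retention tiering and the 45-day deletion test (added example).

Keep every backup for a daily window, thin to one per ISO week, then one per
calendar month out to the legal horizon, and expire the rest. Dates below are
constructed samples.
"""
from collections import Counter
from datetime import date, timedelta


def classify(backup_dates, today, daily_days=30, weekly_weeks=12, monthly_months=84):
    """Map each backup date to the tier that keeps it, or "expire".

    Newest-first iteration means the most recent backup in a week or month is
    the one retained; older backups in the same period expire.
    """
    tiers = {}
    seen_weeks, seen_months = set(), set()
    for d in sorted(backup_dates, reverse=True):
        age_days = (today - d).days
        months_old = (today.year - d.year) * 12 + today.month - d.month
        if age_days <= daily_days:
            tiers[d] = "daily"
        elif age_days <= weekly_weeks * 7:
            week = d.isocalendar()[:2]            # (ISO year, ISO week)
            tiers[d] = "expire" if week in seen_weeks else "weekly"
            seen_weeks.add(week)
        elif months_old <= monthly_months:
            month = (d.year, d.month)
            tiers[d] = "expire" if month in seen_months else "monthly"
            seen_months.add(month)
        else:
            tiers[d] = "expire"
    return tiers


def tier_counts(tiers):
    """How many backups each tier retains (and how many expire)."""
    return dict(Counter(tiers.values()))


def can_recover_deletion(backup_dates, today, days_unnoticed, **policy):
    """The page's scenario: a file deleted `days_unnoticed` days ago is noticed
    today. It can only be restored from a *retained* backup taken before the
    deletion."""
    deleted_on = today - timedelta(days=days_unnoticed)
    tiers = classify(backup_dates, today, **policy)
    return any(d < deleted_on for d, tier in tiers.items() if tier != "expire")


TODAY = date(2026, 3, 20)
BACKUPS = [TODAY - timedelta(days=n) for n in range(401)]   # constructed sample set

if __name__ == "__main__":
    print("retained per tier:", tier_counts(classify(BACKUPS, TODAY)))
    # 30 days of dailies and nothing else: the page's property-management case.
    print("45-day deletion, 30-day-only policy:",
          can_recover_deletion(BACKUPS, TODAY, 45, weekly_weeks=0, monthly_months=0))
    # Same 30-day daily window, but weekly snapshots behind it.
    print("45-day deletion, tiered policy:", can_recover_deletion(BACKUPS, TODAY, 45))
```

The second print is the point of the exercise: a 30-day-only policy cannot recover a deletion noticed on day 45, while the same daily window backed by weekly snapshots can, at the cost of a handful of extra retained backups rather than another 60 days of dailies.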
What It Costs
Encryption:
- Built-in OS encryption (BitLocker, FileVault): Free with Windows Pro/macOS
- Third-party encryption software: $0-200 one-time (VeraCrypt is free)
- Most business backup software: Encryption included, no extra cost
Access Control:
- Most cloud backup services: Included with standard accounts
- Synology NAS: Built-in, MFA requires Synology account
- Azure AD/Google Workspace admin controls: Included with business subscriptions
Retention Management:
- Manual (calendar reminders, manual cleanup): Free, time-intensive
- Automated (built into backup software): Included with most tools
- Compliance-specific (legal hold, eDiscovery): $100-500/month in additional software
What Can Go Wrong
Your backup drive is stolen and it's not encrypted. This happened to a Gulfport medical practice. The laptop was encrypted. The backup external drive sitting next to it was not. Patient records were on that drive. State notification requirements kicked in. HIPAA fine: $50,000. Legal fees: uncountable.
MFA isn't enabled on your backup account. A Niceville architecture firm used Backblaze B2 for backups. An employee's email was compromised. The attacker used the same password on the backup account. They couldn't decrypt the data (it was encrypted with the employee's key), but they deleted all the backups. The architecture firm lost three months of project files.
Your encryption key is lost. A Pensacola CPA firm enabled BitLocker on their server backups. They stored the recovery key in an Excel file. That Excel file was on the same server. The server crashed. They couldn't restore from backups because they couldn't decrypt them. This is more common than you'd think.
Your retention policy is too short. A Destin property management company kept 30 days of backups. A long-term tenant claimed they never received lease renewal notices. They didn't — the property manager had accidentally deleted them. But the property manager didn't notice for 45 days. The 30-day backup window had already passed. The tenant sued. Without proof of delivery, the property management company had no defense.
Vendor Questions (Copy/Paste)
- "Is data encrypted at rest and in transit? What encryption standard do you use?"
- "Who has access to my encryption keys? Can I manage my own keys (customer-managed encryption)?"
- "What access controls do you offer? Can I set up role-based access so not everyone can restore everything?"
- "Is MFA available and enforced on backup administrator accounts?"
- "Can I set custom retention policies? For example, can I keep monthly backups for 7 years for tax compliance?"
- "What happens to my backups if I stop paying? Is there a grace period, or do they get deleted immediately?"
- "Can you provide a log of who accessed backups, when, and what they did?"
Minimum Viable Implementation
- Enable BitLocker (Windows) or FileVault (Mac) on every computer that stores business data. This is the minimum for encryption at rest. It's built into your OS. Use it.
- Enable MFA on your backup service account today. If your backup vendor supports it (Backblaze, Carbonite, AWS, Google Cloud all do), enable it now. This takes 5 minutes and prevents the most common breach vector.
- Use separate credentials for backup administration. Don't use your personal Google account to back up business data. Create a dedicated backup service account with its own credentials.
- Set retention to at least 30 days. If you can afford the storage, 90 days is better. This gives you time to discover accidental deletions without panic.
- Store encryption keys somewhere separate from the data. Password manager, printed in a sealed envelope in a locked drawer — just not on the same system being backed up.
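The last step is where the Pensacola CPA firm above went wrong: the only copy of the key lived on the system being backed up, and nobody had ever tested that the key worked. Two checks close that gap and can be run as a quarterly drill. This is an added example, not code from the page or from BitLocker: it stores a key check value beside the backup so an escrowed passphrase can be verified without decrypting anything, and it refuses an escrow location that sits inside a backed-up directory. Paths and passphrases are constructed samples; the PBKDF2 derivation stands in for whatever key derivation your backup tool actually uses.

```python
"""Recovery-key drill for encrypted backups (added example).

1. A key check value (KCV) stored with the backup proves an escrowed
   passphrase is correct without decrypting data, so the drill is cheap.
2. A path check refuses an escrow location inside a backed-up tree.
Paths and passphrases are constructed samples.
"""
import hashlib
import hmac
import os
import secrets

KCV_LABEL = b"backup-key-check-v1"   # fixed label; KCV = HMAC(key, label)
PBKDF2_ITERATIONS = 200_000          # slows offline guessing of a stolen KCV


def derive_key(passphrase, salt):
    """Derive the 256-bit backup key from the recovery passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def make_key_check(passphrase, salt=None):
    """Build the record stored beside the backup set.

    The KCV leaks no key material directly, but a stolen drive still lets an
    attacker guess passphrases offline, so it is only as strong as the
    passphrase plus the iteration count.
    """
    salt = salt or secrets.token_bytes(16)
    key = derive_key(passphrase, salt)
    kcv = hmac.new(key, KCV_LABEL, hashlib.sha256).digest()
    return {"salt": salt.hex(), "kcv": kcv.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_recovery_key(passphrase, record):
    """Drill: does the passphrase from the sealed envelope or password manager
    still match this backup set? Constant-time comparison."""
    key = derive_key(passphrase, bytes.fromhex(record["salt"]))
    expected = hmac.new(key, KCV_LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(expected, bytes.fromhex(record["kcv"]))


def escrow_is_separate(escrow_path, backup_roots):
    """True when the escrow location is not inside any backed-up directory.
    commonpath() is used instead of startswith() so /srv/data2 does not count
    as being inside /srv/data."""
    escrow = os.path.abspath(escrow_path)
    for root in backup_roots:
        root = os.path.abspath(root)
        try:
            if os.path.commonpath([escrow, root]) == root:
                return False
        except ValueError:          # different drives on Windows: separate
            continue
    return True


if __name__ == "__main__":
    record = make_key_check("correct horse battery staple")   # constructed sample
    print("record stored with backup:", record)
    print("drill with escrowed passphrase:",
          verify_recovery_key("correct horse battery staple", record))
    print("drill with mistyped passphrase:",
          verify_recovery_key("correct horse battery stable", record))
    print("escrow on backed-up server:",
          escrow_is_separate("/srv/data/keys/recovery.txt", ["/srv/data"]))
    print("escrow on offline vault:",
          escrow_is_separate("/mnt/usb-vault/recovery.txt", ["/srv/data", "/home"]))
```

Run the verify step from a machine other than the one being backed up, using the copy of the passphrase you would actually reach for after a fire or crash; a passing drill is the only evidence that the sealed envelope contains the right key.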
When to Hire Help
- You store HIPAA-regulated data (patient records) and need documented security controls for compliance audits
- You store financial data subject to FINRA or SEC regulations
- You've had a security incident (breach, theft, unauthorized access) and need to assess what was exposed
- You have multiple staff with varying levels of backup access and need a clear access control policy
- Your encryption key management is ad-hoc (key stored on the server, no written record of recovery procedures)
Most Gulf Coast businesses with fewer than 20 employees and no specialized compliance requirements can implement this checklist without professional help. The key actions — enabling BitLocker, enabling MFA, setting retention — take less than an hour total and close the most common security gaps.
The hard part isn't the technology. It's having the discipline to actually do it.