Essential Eight #8: Regular Backups

This article is the eighth and final in a series examining the Australian Cyber Security Centre’s Essential Eight — a baseline set of mitigation strategies recommended for all Australian organisations.


The first seven Essential Eight strategies are all, in varying ways, about preventing attacks from succeeding or limiting their impact. The eighth is different. Regular backups do not prevent attacks. They ensure that when an attack succeeds — and the ACSC, along with every credible security framework, treats this as a matter of when rather than if — a business can recover without capitulating.

A backup is not a security control in the traditional sense. It is the foundation of organisational resilience.

What the Strategy Requires

The ACSC’s backup requirements address four distinct elements: what is backed up, how backups are stored, who can access them, and whether they have been tested.

Important data, software, and configuration settings must be backed up in a coordinated and resilient manner aligned with business continuity requirements. At Maturity Level One, backups of important data must be performed at least daily. Critically, backups must be stored in a manner that prevents them from being accessed, modified, or deleted by the accounts most likely to be compromised in an attack — including both unprivileged user accounts and administrative accounts that are not specifically designated as backup administrators.

Backups must be retained for a minimum of 90 days, unless regulatory requirements specify otherwise. And they must be tested: restoration from backup sets should be conducted as part of regular disaster recovery exercises, at least annually.

Why Backup Security Is as Important as Backup Existence

Modern ransomware operators are well aware that backups are the primary recovery path. A significant number of ransomware attacks now specifically target backup systems before deploying the encryption payload — deleting or encrypting backups first, then encrypting production data, to eliminate the recovery option.

This is why the ACSC’s guidance does not simply require backups to exist. It requires that backups be protected from the accounts most likely to be compromised. Backups accessible from a compromised administrator account are not secure backups — they are deferred encryption targets.

The 2019 Norsk Hydro ransomware attack — which affected one of the world’s largest aluminium producers — disrupted operations globally. Recovery was possible in part because offline backups were available and had not been compromised. The estimated cost still exceeded USD $70 million. For an SMB with no accessible offline backup, the same scenario typically ends in ransom payment or permanent data loss.

The Testing Requirement: Backups That Cannot Be Restored Are Not Backups

One of the most common and costly discoveries following a ransomware incident is that backups existed but could not be restored — due to corruption, misconfiguration, incomplete coverage, or simply never having been tested. A backup is not a recovery capability until it has been demonstrated to work.

The ACSC’s requirement for annual restoration testing is a minimum. For critical data and systems, more frequent testing is prudent. The test should include the full restoration process — not merely verifying that backup jobs completed successfully, but actually restoring data to a test environment and confirming its integrity.

Backups and the Complete Essential Eight Picture

The Essential Eight constructs a layered security posture across three objectives: prevent attacks, limit their impact, and recover from them. Regular backups are the entirety of the recovery objective — the control that, when everything else has been attempted and failed, determines whether a business continues to operate.

No other Essential Eight control can substitute for a tested, protected, offline backup. It is the last line, and it must hold.

For Australian SMBs building a security posture from the ground up, the message of this series is consistent: no single control is sufficient, all eight are interdependent, and the value of the framework lies in implementing them together at a consistent maturity level. The ACSC recommends that businesses do not mix maturity levels across the eight strategies — a gap in any one of them represents an exploitable weakness in the overall posture.


This concludes the Essential Eight series. The next article in this series examines the role of a Threat Intelligence Platform in enhancing and contextualising the Essential Eight controls.

Further reading: ACSC Essential Eight, ACSC Small Business Cyber Security Guide, Luminol Cyber
