A backup policy should be created that defines for which systems, how often and for which data backups are made, where they are located and how they are protected (e.g., by appropriate encryption). In addition, responsibilities for backup management must be defined. This policy helps to quickly resume business operations in the event of an emergency. Even if cloud providers are used, the contracts must specify whether, what type and to what extent data is backed up.
There are various approaches to creating backups. A common approach is the so-called "3-2-1 rule". Under this approach, three copies of the data are backed up on two different media (e.g., hard disk, NAS, cloud), and one of the backups is kept physically separate from the others, at least in a different fire compartment.
If only external providers in the form of cloud providers are to be used for backups, multiple providers should be used. Even if a cloud provider guarantees a high level of data security, it can also be affected by attacks. Diversifying the use of providers, e.g., using a second provider, offers a higher level of security in case one provider defaults. The contracts, especially the service level agreements, should be scrutinized and should explicitly cover backups, not just the storage of data.