AIRGAPPING - To have a node or nodes dedicated to storage is an obvious but often not actually used method. Probably a sub-concept of network segmentation in a proper hierarchy, a clumsy way to state it would be to tell an administrator not to put the backups on the same network as what's being backed up (AND to give that admin or admin group the authorization and money to set the system up and maintain it...). USB HDDs and thumb drives are there if you're really strapped for cash.
BACKUPS - Sort of off the subject, but security concerns extend to backups as well as "live" parts of your operation. The important stuff lives there as well. Not only should there be a program of backing up confidential things and testing the backups regularly, there should be a scheme in which the form of storage (encryption?) is considered, the storage location is considered (not only cloud, but an alternative to cloud if there's a provider issue) and the security of the communication route TO the backup storage locations is considered. This last would be a candidate for a latter-day form of vampire tapping. No need for tar commands later.
NETWORK SEGMENTATION - Any organization that has proprietary data could use particular subnets for not only that data but for financial people or groups, the managerial and scientific research groups and high-level admin people who might need a method of access for evaluation and countermeasures related to network attacks (to the extent effective).
SECONDARY PROVIDER - one's infrastructure or cloud provider might be a center of or source of the problem, so backup relationships would be good there, sort of as a 'warm site' as described in the sense of physical locations. And this would be good in case of the financial predicament I often bring up: I was once told of a large bank that failed to pay a monthly bill to a cloud provider and a few days after the first of the month, several virtual machines, switches, routers, lots of data, hourly transactions, logs and things just went POOF. While working all that out, one could hot-switch to the secondary provider perhaps.
So a combination of segmentation and backup sequestering seems to be the way to go about this. Communication channels are also a concern. All three items are a risk, since if I were a cyber soldier for a third world country and wanted to score some free research results from a first world nation, I'd look at them all. Are backups and communications in the clear? Is everything on the same network? Did management spend much on security? Did they spend much on network architecture originally or is this a (typically) patched-together situation? Do they even have IT??
I'll leave us with a checklist:
SEGMENTATION: separate node(s), directories, networks
ENCRYPTION: nothing in the clear
BACKUPS: data, configurations, locations, multiple copies
COMMUNICATIONS: multiple providers, devices, virtual devices, financial contingencies
