Most small businesses believe they have a backup. They have something running — an external drive, a sync to OneDrive, an automated cloud backup they set up a couple of years ago. What almost none of them have done is test whether that backup would actually let them recover their business after a serious incident. There is a significant difference between having a backup and having a backup that works.
This distinction is not academic. Ransomware attacks increasingly target backup systems as a first priority — precisely because attackers know that an intact backup removes their leverage. Businesses that thought they were protected have discovered, at the worst possible moment, that their backups were incomplete, corrupted, or connected to the same network the attacker had already compromised. This post explains what a genuinely resilient backup strategy looks like, why standard approaches often fail against ransomware, and how to run a basic recovery test without specialist tools.
The Gap Between "We Have Backups" and "We Can Recover"
69% of UK businesses back up their data, according to the Cyber Security Breaches Survey. But research from Veeam and Sophos consistently shows that a large proportion of ransomware victims who had backups still could not fully recover from them — either because the backups were encrypted alongside the primary data, because recovery was too slow, or because critical systems were excluded.
The failure modes are predictable. Cloud sync services like OneDrive and Google Drive are not backups — they are synchronisation tools. When ransomware encrypts files on your device, the encrypted versions sync to the cloud within minutes, overwriting the originals. By the time you realise what has happened, the "backup" contains the same encrypted files as the device that was attacked.
External hard drives that remain connected to a computer are similarly vulnerable. Ransomware routinely scans for connected drives and encrypts them alongside the primary storage. A backup that is permanently connected to the machine it is backing up provides minimal protection against the attack type it is most needed for.
The most dangerous belief in backup strategy is "we sync to the cloud, so we're fine." Cloud sync is valuable for accidental deletion and device failure. It provides little or no protection against ransomware, which will encrypt your files faster than most version history systems can preserve them.
The 3-2-1 Rule
The 3-2-1 rule is the standard framework for backup resilience. It is simple, well-tested, and provides meaningful protection against the failure modes that most commonly affect small businesses.
3 — Three copies of your data
The original plus two backups. Having a single backup means a simultaneous failure of the primary and backup leaves you with nothing. Two backup copies provides meaningful redundancy.
2 — Two different storage media
Store your copies on at least two different types of storage — for example, local storage and a cloud backup service. This protects against hardware failure affecting a single storage type, and against a ransomware attack that reaches one medium but not the other.
1 — One copy offsite
At least one copy should be stored in a different physical location. A fire, flood, or physical theft that destroys your premises takes out both your primary data and any on-site backup simultaneously. An offsite copy — whether that's a cloud service or a physically separate location — ensures you can recover even from a total on-site loss.
For many small businesses, a practical implementation of 3-2-1 is: primary data on your devices, a local backup (NAS device or disconnected external drive), and a cloud backup service such as Backblaze, Acronis, or a dedicated Microsoft 365 backup. The key word in that last item is "dedicated" — Microsoft 365's native retention features are not a backup, and Microsoft's shared responsibility model explicitly places data recovery responsibility with the customer.
Making Backups Ransomware-Proof
The 3-2-1 rule provides a resilient architecture, but it does not automatically make backups safe from ransomware. Two additional properties are needed: isolation and immutability.
Isolation
A backup that is always connected to your network is reachable by ransomware. Isolation means the backup is either physically disconnected (an external drive that is plugged in only during the backup window and then removed), logically separated (a cloud backup service that does not mount as a network drive), or network-segmented in a way that prevents ransomware from reaching it.
The simplest implementation for a small business is a rotation of two or three external drives, kept off-site when not in active use. It requires discipline but costs nothing beyond the drives themselves. A cloud backup service that uses its own client software — rather than presenting as a network share — provides isolation by default.
Immutability
An immutable backup is one that cannot be modified or deleted for a defined period, even by an administrator. Many cloud backup services now offer immutable storage — backups are written once and cannot be altered by ransomware or by a compromised administrator account. This is increasingly the gold standard for ransomware protection.
AWS S3 Object Lock, Azure Immutable Blob Storage, and several purpose-built backup services offer this at relatively low cost. If you are evaluating backup solutions, immutability should be on your checklist.
Testing Your Recovery: A Basic Process
A backup that has never been tested is an assumption, not a control. The test does not need to be complex — it needs to answer a simple question: if you needed to restore from this backup today, could you, and how long would it take?
- Pick a representative sample of files to restore. Choose files from each of the key data categories your business relies on — client records, financial documents, operational files. Restore them to a test location (a different folder, a different device) without overwriting the originals.
- Verify the restored files are intact and usable. Open them. Check that the content is correct and uncorrupted. A backup job that completes without errors can still produce files that are corrupted or incomplete — the only way to know is to open them.
- Time the recovery. How long did it take to restore those files? Extrapolate: if your entire data set needed restoring, how long would that take? Is that acceptable given your business operations? If the answer is "days" and your business cannot function for days, that's a risk to address.
- Test the full system recovery at least annually. For critical systems, a file-level recovery test is not enough — you should periodically test full system restoration to a clean machine or VM. This is the only way to be confident that your backup would genuinely let you rebuild after a total loss.
- Document what you find. Note the date of the test, what was restored, whether it was successful, and how long it took. This documentation supports cyber insurance claims, demonstrates due diligence to clients, and creates an audit trail for your own governance.
What Your Backup Strategy Should Cover
Many businesses back up file storage but overlook other critical data. Before assuming your backup is comprehensive, check that it covers:
- Email — Microsoft 365 and Google Workspace email is not automatically backed up by the provider. Dedicated backup tools are needed if email recovery is a requirement.
- Line-of-business applications — Accounting software, CRM systems, project management tools. Does the backup include the application data, or just the files on the server?
- System configuration — Server configurations, network settings, application configurations. Recovering data onto an unconfigured system is significantly slower than recovering both together.
- Shared drives and collaboration tools — SharePoint, Teams, Google Drive. Sync services are not backups — dedicated backup coverage for these platforms requires specific tooling.
The Recovery Time Question
The practical measure of a backup strategy is not whether you have one — it is how long recovery takes. This is your Recovery Time Objective (RTO): the maximum time your business can be down before the impact becomes unacceptable. For most small businesses, this is somewhere between a few hours and a couple of days.
If your backup strategy would take a week to restore your business to full operation, and your RTO is two days, you have a gap. Closing that gap might mean investing in faster backup infrastructure, maintaining a warm spare server, or accepting a higher cloud storage tier. The point is to know the number — because most businesses that discover the gap do so during an incident, when it is too late to close it.
The average cost of downtime for a small business is significantly higher than the cost of the ransomware demand itself. Research from Datto found that the average downtime cost per incident for SMBs was more than 50 times the average ransom demand — meaning businesses that pay to avoid downtime often pay far more in lost productivity and recovery costs regardless.
The Practical Takeaway
A backup strategy that has never been tested is a comfort blanket, not a control. The businesses that recover quickly from ransomware and data loss incidents are not necessarily the ones with the most sophisticated backup systems — they are the ones that know their backup works, know how long recovery takes, and have made deliberate decisions about what they are protecting and how.
Start with the 3-2-1 rule. Add isolation. Test the recovery. Document what you find. That process, applied consistently, puts you in a substantially better position than the majority of small businesses — and it costs a few hours and the price of an external drive or a cloud backup subscription.
Assess Your Backup and Recovery Readiness
Faradome RisQ walks you through a free cyber risk assessment — including your backup strategy, recovery time objectives, and the gaps that leave most small businesses exposed when they need their backups most.
Start Free Assessment → Talk to Us