
Backups: The One Control That Could Save Your Business

If there is one post in this entire series that you read thoroughly and act on immediately, it should be this one.

Every other security control in this series reduces the probability of a damaging incident. A working backup is the only control that determines what happens after the worst occurs. It is the difference between a serious but recoverable incident — expensive, disruptive, stressful, but survivable — and a business-ending catastrophe from which recovery is impossible. That is not hyperbole. We have seen it.

We have sat with the owners of small businesses that had no working backup when ransomware encrypted every file on their systems. A law firm that lost 14 years of client matter files. A medical practice whose patient records were gone. An accountancy firm whose financial data — including client tax records — was unrecoverable. All of them had backups. None of them had working backups.

This post covers everything you need to know to ensure that your backups will actually protect you when you need them most.

Why Most Backups Fail When They're Needed

The gap between "we have a backup" and "we have a backup that will actually work in a ransomware incident" is wide, and most small businesses are on the wrong side of it without knowing it. Here are the most common failure modes.

The Backup Is Connected to the Network

This is the most critical failure mode and the most common. Modern ransomware is specifically designed to find and encrypt backup systems. If your backup is a network-attached storage (NAS) device that is permanently connected to the same network as your computers, the ransomware will find it and encrypt it alongside everything else. If your backup syncs to a cloud storage service that is mapped as a drive on your computers — a common configuration with OneDrive, Dropbox, and Google Drive — the ransomware will encrypt those files too, and the sync will helpfully propagate the encrypted versions to the cloud, overwriting your good copies.

A backup that ransomware can reach is not a ransomware-proof backup.

The Backup Has Never Been Tested

A backup you have never tested is not a backup — it is a hypothesis. Backup failures are silent: the backup process completes, the log says success, and nobody discovers that the restored files are corrupted, that the restore process requires software that no longer exists, or that the backup captured the folder structure but not the file contents, until the moment when they need to restore. By then, it is too late.

The Backup Only Covers Some Systems

Common examples are backups that cover the main file server but not laptops, documents but not the email archive, or the company server but not the cloud services the organisation has migrated to over the years. An incomplete backup does not become apparent until the incident reveals which systems weren't included.

The Backup Is Too Old

A weekly backup, if the last successful job ran five days ago, means up to five days of data loss in a worst-case incident. For most businesses, losing a week of work is a serious consequence. For a practice that has been processing client transactions for five days, it may be a regulatory consequence too.

There Is Only One Copy

A single backup copy that fails — through hardware fault, corruption, or the same incident that affected the primary data — leaves nothing. Redundancy is not paranoia; it is basic risk management.

The 3-2-1 Rule

The 3-2-1 rule is the standard framework for backup architecture that has stood the test of time, and it is the right starting point for any small business:

In practice for a small business, this typically means: your live data (copy 1), a local backup to a dedicated backup device (copy 2), and an off-site or offline backup — either a cloud backup service or a removable drive stored off-premises (copy 3). The critical element is that at least one copy is genuinely inaccessible to ransomware running on your network.

A modern extension of this is the 3-2-1-1-0 rule, which adds: 1 copy stored in an immutable or air-gapped location, and 0 errors verified through regular testing. The additional requirements address modern ransomware's ability to target cloud backups and the critical importance of verification.

What "Offline" Actually Means

An offline backup is one that ransomware cannot reach. There are several ways to achieve this:

Physically Disconnected External Drives

An external hard drive used for backup that is disconnected and stored off-site after each backup job. This provides an air gap — a physical separation between the backup and the network — that ransomware cannot cross. The practical requirement is discipline: the backup must be connected, run, verified, and disconnected on schedule. If the drive is left connected permanently, it is not an offline backup.

For a small office, a rotation of two or three external drives — one connected for the current backup job, others stored off-site — is a practical, low-cost implementation of offline backup.

Immutable Cloud Backup

Cloud backup services that implement immutability — the inability to overwrite or delete backup data, even by an authenticated user or process — provide protection against ransomware that attempts to delete or encrypt cloud backups. The key distinction is between a cloud backup service with immutability (such as Veeam Cloud Connect, Backblaze B2 with Object Lock, or AWS S3 with Versioning and MFA Delete) and a cloud sync service (OneDrive, Dropbox, Google Drive) that mirrors your files in real time. Sync services are not backup services. They mirror your files — including encrypted ones.

Air-Gapped Tape

Less common in small businesses but worth mentioning: magnetic tape backup is still used by organisations that need long-retention, high-volume archival storage. Tape that is removed from the drive after writing is completely air-gapped. For most small businesses, external drives or immutable cloud storage are more practical.

What Must Be Backed Up

Walk through every place your business data lives and confirm it is covered by your backup. Common gaps:

Recovery Time and Recovery Point Objectives

Two questions every business owner should be able to answer about their backup:

How much data can we afford to lose? This is your Recovery Point Objective (RPO). If your backup runs daily overnight and you have an incident at 4pm, you will lose a day's work. If losing a day's work is acceptable, daily backups meet your RPO. If it is not acceptable, you need more frequent backups or continuous data protection.

How long can we afford to be without our systems? This is your Recovery Time Objective (RTO). If the answer is "less than four hours", a backup that requires a day and a half to fully restore to new hardware does not meet your RTO. Closing the gap between your RTO and your actual recovery capability may require investment in faster restore technology, spare hardware, or a tested disaster recovery plan.

Testing: The Non-Negotiable Requirement

A backup that has not been tested is not a backup.

Test your backup by restoring from it. Not by checking that the backup job completed — by actually restoring a sample of data to a test environment and confirming it is complete, accessible, and uncorrupted. Do this quarterly, at minimum. Once per year, run a full recovery test: restore everything to a clean system and confirm you can return to normal operations.

The things to verify in a restore test:

If your restore test reveals a problem — corrupted data, missing files, a process that takes far longer than expected — you want to discover this during a test, not during an incident. Recovery tests that reveal gaps are valuable. Recovery tests that confirm everything works are reassuring. Either way, they are time well spent.
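An added example, not part of the original post: a minimal restore check in Python that records the size and SHA-256 of every file at backup time, then compares a restored tree against that manifest to catch missing files, files restored with no contents, and silent corruption. The function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large backup files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each relative file path under root to (size, sha256)."""
    return {p.relative_to(root).as_posix(): (p.stat().st_size, sha256_file(p))
            for p in Path(root).rglob("*") if p.is_file()}

def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    report = {"missing": [], "empty": [], "corrupt": [], "ok": []}
    for rel, (size, digest) in sorted(manifest.items()):
        if rel not in restored:
            report["missing"].append(rel)
        elif size > 0 and restored[rel][0] == 0:
            report["empty"].append(rel)  # folder structure restored, contents not
        elif restored[rel][1] != digest:
            report["corrupt"].append(rel)  # same name, different bytes
        else:
            report["ok"].append(rel)
    return report

def demo():  # constructed sample data: four files and a deliberately damaged restore
    files = {"clients/matter-001.txt": b"engagement letter",
             "accounts/ledger.csv": b"date,amount\n2024-01-01,100\n",
             "mail/archive.mbox": b"From: a@example.com\n",
             "db/app.sqlite": b"constructed database bytes"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, data in files.items():
            for root in (src, dst):
                Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
                Path(root, rel).write_bytes(data)
        manifest = build_manifest(src)
        Path(dst, "mail/archive.mbox").unlink()            # never restored
        Path(dst, "accounts/ledger.csv").write_bytes(b"")  # restored empty
        Path(dst, "db/app.sqlite").write_bytes(b"constructed database bytez")
        return verify_restore(manifest, dst)

if __name__ == "__main__":
    print(demo())
```

Record the manifest when the backup is taken and keep a copy alongside the offline backup, so the comparison is against the data as it was backed up rather than the live files as they are now.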

Backup Security

Backups contain copies of everything sensitive in your organisation. They should be treated with the same security controls as the primary data: encrypted at rest, access-controlled, and not accessible to anyone who doesn't need to manage them. Unencrypted backup drives left in an unlocked cupboard, or backup credentials shared widely so that anyone can restore data, create their own security risks.

Encrypt backup data with a strong key, store the encryption key separately from the backup itself, and document the recovery process including how the encryption key is accessed.

A Practical Backup Plan for a Small Business

For most small businesses, the following configuration provides a proportionate, cost-effective backup foundation:

  1. Daily automated backup of all business data — file servers, line-of-business applications, databases — to a local backup appliance or NAS device dedicated to backup.
  2. Daily automated backup to an immutable cloud backup service — Veeam, Backupify, or equivalent — providing an off-site copy that ransomware cannot reach.
  3. Weekly backup to removable external drives, rotated and stored off-site (a different physical location — a director's home, a partner's office). This provides a completely air-gapped copy.
  4. Separate email backup via a dedicated email backup service, not relying on Microsoft or Google's retention policies alone.
  5. Quarterly restore test — restoring a sample of files from the cloud backup and the local backup to confirm both are working.
  6. Annual full recovery test — restoring everything to a clean environment and confirming the business can operate from the restored data.

The total cost of this configuration for a small business is typically in the range of £100–£300 per month, depending on data volumes and the specific products chosen. Against the cost of a ransomware incident — and the cost of a business that cannot recover because it had no working backup — this is one of the most unambiguous investments in this entire series.

A Working Backup. Monitored Security. Both Together.

A good backup is your recovery plan. Continuous monitoring is your prevention plan. SOC in a Box detects the ransomware staging, lateral movement, and destructive activity that precedes file encryption — giving your named analyst time to intervene before the backup is needed. The goal is never to need it. The backup is there for the day that goal fails.
