Your Backup Isn't a Backup Until You Can Restore It

Ask any small business owner if they back up their data and almost everyone says yes. Ask when they last successfully restored a file from that backup and the room goes quiet. That gap between "we have backups" and "we can actually recover" is exactly where ransomware turns a bad week into a closed business.

Why local backups alone keep failing

A single external drive plugged into the server is not a backup strategy — it's a target. Modern ransomware looks for connected drives, network shares, and cloud sync folders, and encrypts them all in the same run. If your "backup" is reachable from the infected machine, assume it's gone too.

The 3-2-1 rule, in plain English

• 3 copies of your data total (the live copy plus two backups)

• 2 different storage types (for example, a local NAS and a cloud service)

• 1 copy stored off-site and offline, where ransomware can't reach it

• Bonus: at least one copy should be immutable — written once and locked, so even an admin account can't delete it

What "cloud backup" should actually mean

• It runs on a schedule without anyone clicking anything

• It versions your files, so you can roll back to last Tuesday, not just last night

• It covers Microsoft 365 and Google Workspace mailboxes, OneDrive, SharePoint, and Google Drive — these are NOT backed up by default

• It tells you when a backup fails, not just when it succeeds

• You can test a restore without a support ticket

Signs your current backup is more story than safety net

• Nobody on staff has restored a real file in the last 90 days

• Microsoft 365 or Google Workspace data isn't backed up to a separate service

• The backup credentials are the same as a domain admin account

• There's no off-site or offline copy

What you can do this week

• Pick one important file and actually restore it from backup — time how long it takes

• Confirm your Microsoft 365 or Google Workspace mailboxes and files are covered by a real backup service, not just the platform's built-in retention

• Make sure at least one backup copy is off-site and can't be deleted by a logged-in user

A backup you've never tested is just a hope. Five minutes of restoring a single file tells you more about your real recovery posture than any vendor dashboard ever will.