Bottom line

  • An untested backup isn’t a backup - it’s an assumption. Test restores at least quarterly.
  • Aim for the 3-2-1 rule: 3 copies, 2 different media, 1 offsite. Microsoft 365 alone is not a backup.
  • Decide your RTO and RPO (recovery time and acceptable data loss) before an incident, not during.

Every owner knows backups matter. Yet the most common issue we find on a new client is that backups are either not happening, not comprehensive, or have never been tested. It’s the IT equivalent of a fire extinguisher that’s never been serviced - it might work when you need it, but you won’t know until it’s too late.

Why this matters more than it used to

The main reason is ransomware - software that encrypts your files and demands payment to unlock them. A successful ransomware attack without working backups can be genuinely existential for a small business. Accounting data, client records, project files and email history can all become inaccessible in minutes.

But ransomware isn’t the only reason. Hardware failure, accidental deletion, software corruption, fire, flood and theft all result in the same outcome: data you can’t get back. The question is when, not if.

The 3-2-1 rule

The accepted standard for backup strategy is the “3-2-1 rule”:

  • 3 copies of your data - including the live copy
  • On 2 different types of storage
  • With 1 copy offsite (in another building or in the cloud)

For most SMBs that translates to: your live data on laptops/servers, a local backup to a separate device, and a cloud backup to a secure offsite location. The offsite copy is critical because it protects against scenarios where your whole office is affected - fire, flood, theft, or ransomware spreading across your network.

What should you actually back up?

Everything that would cost you time, money or reputation to lose. For most businesses, that means:

  • Email and mailbox archives
  • OneDrive and SharePoint (yes, even though it’s “in the cloud”)
  • Accounting and financial data
  • Client records and project files
  • Databases and any line-of-business applications
  • Server configurations and system images

Microsoft 365 is not a backup

This one catches a lot of business owners off guard. Microsoft 365 has resilient infrastructure - they make sure your data stays available on their side. But if a user permanently deletes emails or someone overwrites a SharePoint file, Microsoft’s own documentation puts default retention at typically 30 to 93 days depending on the service and settings, and recovery options are basic.

A proper third-party backup for Microsoft 365 lets you restore email, OneDrive and SharePoint to any point in time. It’s relatively inexpensive and closes a gap most owners don’t know they have.

If you don’t test it, it doesn’t count

A backup that hasn’t been restored is an assumption. A good IT provider runs test restores on a regular schedule and reports the result back to you. Test restores confirm:

  • The backup data is intact and complete
  • The restore process actually works
  • You know how long a restore takes (vital for planning)
  • The team knows the procedure

If you’ve never seen a backup report or been told about a test restore, that’s a conversation to have with your provider this week.

Ransomware-resistant design

Modern ransomware is designed specifically to find and destroy backups. Sophisticated variants look for backup drives connected to the network, attempt to delete shadow copies, and even try to compromise cloud backup accounts using stolen credentials.

A ransomware-resistant backup setup includes:

  • Immutable backups - copies that can’t be modified or deleted even by an admin during the retention period
  • MFA on backup management accounts - so a stolen password doesn’t expose your safety net
  • Separate credentials for backup systems, not stored on the main network
  • Offline or cloud-based copies that aren’t permanently connected to your production environment

If ransomware gets in, those measures are what let you walk away from the ransom note instead of paying it.

RTO and RPO: two numbers worth knowing

Disaster recovery planning sounds enterprise-y but the core ideas are simple. There are two numbers every owner should know:

  • RTO (Recovery Time Objective) - how quickly you need to be back up and running. Hours? A day? Two days?
  • RPO (Recovery Point Objective) - how much data loss is acceptable. The last hour’s work? The last day’s?

These two numbers drive the design of your backup system. A 1-hour RPO is achievable but costs more than a 24-hour RPO. Decide what your business actually needs - before an incident, not during one.

What to do this week

If you do nothing else, ask your IT provider three questions and get the answers in writing:

  1. Show me the last 30 days of backup reports.
  2. When did we last successfully test a restore, and what was the result?
  3. What’s our RTO and RPO for Microsoft 365 and for our server data?

The answers tell you everything you need to know about whether your safety net is real or theoretical.

Backup is one strand of the Essential Eight and underpins the downtime numbers we’ve covered elsewhere.