Backup basics that actually work.
Most small businesses have backups. Far fewer have backups that actually restore. Here's the 3-2-1 rule and the test that separates real from theater.
Almost every business we meet has backups. Far fewer have backups that actually work when it matters. A backup you've never tested is a theory — and during a ransomware event, theories don't restore files. The discipline here is simple but unforgiving.
The 3-2-1 rule, updated
Three copies of your data. Two different storage types (local disk plus cloud, for example). One copy offline or in a separate account an attacker can't reach from your network. Modern ransomware specifically hunts backup servers — if your only backup lives on the same domain as your file server, attackers will wipe both before encrypting.
What typically fails
“A property management company had nightly backups running for four years.”
Red flag: Nobody checked the logs. They'd silently failed nine months prior. When ransomware hit, the most recent good backup was almost a year old.
“A medical practice relied on a single NAS sitting next to their server in a closet.”
Red flag: Attackers reached the NAS from the same network and erased it alongside encrypting the server. No offsite copy existed.
The test that separates real from theater
Once a quarter, pick a random folder and restore it to a test location. Time how long it takes. Confirm the files open. If the restore fails, if it takes eight hours, if the files are corrupt — you've found the problem on a Tuesday afternoon instead of during a crisis. Write the test date on a calendar.
Want us to audit your backups?
We'll verify your backups, test a restore, and tell you exactly where the gaps are. One session, no sales pitch.
- 1Confirm today: when did your last backup actually complete successfully?
- 2Make sure one backup copy lives offline or in a separate cloud account your network can't reach.
- 3Block a Saturday this quarter and restore a real folder to prove it works.
- 4Put someone in charge of checking backup reports weekly. It's a 5-minute job.
- 5Document your RTO (how fast you need to be back) and RPO (how much data loss is acceptable).
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.
Schedule a quick security reviewKeep reading
Encrypt before you send.
Emailing sensitive files in the clear is still the #1 way data leaks from small businesses. Encryption takes thirty seconds and zero training.
ReadTip #32 · Data protectionData classification in 10 minutes.
You don't need a 40-page policy. Three labels — Public, Internal, Confidential — cover most of what small businesses actually need.
Read