Article · 6 min · For Owners

Backup that's never been restored is hope, not a plan

Most small businesses have backup software. Most of them have never tested a restore. When ransomware hits and the backup product silently failed three weeks ago, the discovery happens at exactly the moment you need it to work. Don't be the person finding out at 9 a.m.

The three layers every business needs

Local backup for fast recovery (file-level mistakes, hardware failures). Cloud or off-site backup for ransomware and physical incidents. Immutable copies the attacker cannot delete even with admin credentials. Two of the three is the minimum; three is the discipline.

Test it the way you'd hate it

Quarterly, schedule a real restore drill — pick a server, pretend it died last night, see how long it takes to bring back. Time the steps. Document the failures. Fix them. The drill is the only way you find out the backup product didn't actually retain that VM, or that the restore needs a license you no longer have.
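The drill described above can be scripted so that every run leaves a record (what was restored, what came back intact, how long it took, what failed). The following is an added example written for this page, not code from the article or from any backup product: it backs up a constructed sample file share to a tar archive, restores it into a fresh directory, checks every file against a hash manifest taken at backup time, and also runs the same drill against a deliberately truncated archive to show what a "backup product silently failed" result looks like in the record. File names, paths and function names are assumptions made for the demonstration.

```python
"""Restore drill harness: back up a directory, restore it elsewhere, verify
every file against a manifest taken at backup time, and time the whole run.
Added example; sample files, paths and function names are constructed for
this demonstration and do not come from any product named in the article."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, archive: Path) -> dict:
    """Write a gzipped tar of source; return the manifest taken at the same time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into target (created if needed)."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter rejects path traversal (Python 3.12, backported to 3.8+).
            tar.extractall(target, filter="data")
        except TypeError:  # older interpreter without the filter keyword
            tar.extractall(target)


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare what came back against what was backed up."""
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    corrupted = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {"files_expected": len(manifest),
            "files_verified": len(manifest) - len(missing) - len(corrupted),
            "missing": missing, "corrupted": corrupted}


def run_drill(source: Path, workdir: Path, simulate_failure: bool = False) -> dict:
    """One drill: back up, restore, verify, and record outcome plus elapsed time."""
    workdir.mkdir(parents=True, exist_ok=True)
    archive = workdir / "backup.tar.gz"
    restored = workdir / "restored"
    started = time.monotonic()
    manifest = take_backup(source, archive)
    if simulate_failure:
        # Stand-in for a backup job that wrote a truncated archive and still
        # reported success: keep only the first half of the file.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
    record = {"source": str(source), "files_expected": len(manifest)}
    try:
        restore_backup(archive, restored)
        record.update(verify_restore(manifest, restored))
        record["success"] = not record["missing"] and not record["corrupted"]
    except Exception as exc:  # a restore error is exactly what the drill exists to surface
        record["success"] = False
        record["error"] = f"{type(exc).__name__}: {exc}"
    record["duration_s"] = round(time.monotonic() - started, 3)
    return record


def make_sample_source(root: Path) -> Path:
    """Constructed stand-in for a small file share (sample data, not real)."""
    src = root / "fileshare"
    (src / "finance").mkdir(parents=True)
    (src / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
    (src / "policy.txt").write_text("Restore drills run quarterly.\n")
    (src / "logo.bin").write_bytes(bytes(range(256)) * 4)
    return src


def demo() -> tuple:
    """Run one healthy drill and one against a silently broken backup."""
    tmp = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    src = make_sample_source(tmp)
    return run_drill(src, tmp / "good"), run_drill(src, tmp / "bad", simulate_failure=True)


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, indent=2))
```

The point of the manifest is that "the restore finished" is not the same as "the data is back": the drill only passes when every file is present and hashes identically, and a truncated archive shows up as a recorded failure with its error text rather than as a quiet partial restore. In a real environment the record would go into the drill log the article asks you to keep, with the timing compared against the recovery time the business can tolerate.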

When ransomware hits, your only friend is yesterday's backup

There is no clever decryption. There is no negotiating that ends well. The only path back to working is a clean restore from a backup the attacker couldn't reach. Build that path now, and test it, so the worst day of the year is the day you discover the playbook actually works.

Frequently asked questions

How often should we test a restore?
Monthly for the production-critical datasets, quarterly for the rest. Carriers and auditors typically want evidence of a restore within the last 90 days at minimum. The discipline matters more than the frequency — a documented monthly test is worth more than an undocumented "we tested last year, I think."
What exactly should we back up?
Three categories: production servers and file shares (image-level if possible), Microsoft 365 mailboxes and SharePoint/OneDrive (M365 has retention but is not a backup), and the cloud SaaS your business runs on (CRM, accounting, dispensing system, EHR). Confirm each vendor's backup model and add third-party SaaS backup if the vendor's own retention isn't enough.
How long should we retain backups?
Operational rule of thumb: 30 days of daily backups, 12 months of monthly backups, and longer-term yearly snapshots for any regulated data class. HIPAA effectively requires 6 years of relevant retention; PCI and CJIS have their own clocks. Check the rules for your industry, then match the backup retention to them with margin to spare.
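Turning the rule of thumb above (30 daily, 12 monthly, yearly snapshots for regulated data) into a concrete keep/prune decision is a small algorithm, and it is worth seeing because the set it keeps is also the set an immutable copy should refuse to delete early. The following is an added example, not the article's or any backup product's logic: the backup dates are constructed (one backup per day for two and a half years), the yearly window defaults to the 6 years the answer cites for HIPAA, and every window size is a parameter so it can be widened to give the margin the answer recommends. Function names are assumptions made for the demonstration.

```python
"""Retention planning for the 30-daily / 12-monthly / N-yearly rule,
grandfather-father-son style.  Added example, not the article's or any
product's code: backup dates, window sizes and function names are
assumptions made for this demonstration."""
from datetime import date, timedelta


def month_index(d: date) -> int:
    """Months since year 0, so month windows compare as integers."""
    return d.year * 12 + d.month - 1


def last_per_group(backups, key) -> dict:
    """Newest backup date for each group (e.g. per calendar month or year)."""
    newest = {}
    for b in backups:
        k = key(b)
        if k not in newest or b > newest[k]:
            newest[k] = b
    return newest


def select_retained(backups, today: date, daily_days: int = 30,
                    monthly_months: int = 12, yearly_years: int = 6) -> dict:
    """Return {backup_date: reason} for every backup that must be kept.

    daily:   every backup from the last daily_days days
    monthly: newest backup of each of the last monthly_months calendar months
    yearly:  newest backup of each of the last yearly_years calendar years
    A backup kept for more than one reason carries the first reason that applies.
    Backups dated after today are ignored as clock errors.
    """
    keep = {}
    daily_cutoff = today - timedelta(days=daily_days)
    for b in backups:
        if daily_cutoff < b <= today:
            keep[b] = "daily"
    oldest_month = month_index(today) - (monthly_months - 1)
    for idx, b in last_per_group(backups, month_index).items():
        if idx >= oldest_month and b <= today:
            keep.setdefault(b, "monthly")
    for year, b in last_per_group(backups, lambda d: d.year).items():
        if today.year - year < yearly_years and b <= today:
            keep.setdefault(b, "yearly")
    return keep


def prune_candidates(backups, keep: dict) -> list:
    """Everything not in the keep set is eligible for deletion (or expiry of its lock)."""
    return sorted(b for b in backups if b not in keep)


def demo() -> dict:
    """Constructed input: one backup per day 2022-01-01 .. 2024-06-30, evaluated on 2024-06-30."""
    today = date(2024, 6, 30)
    first = date(2022, 1, 1)
    backups = [first + timedelta(days=n) for n in range((today - first).days + 1)]
    keep = select_retained(backups, today)
    return {d.isoformat(): reason for d, reason in sorted(keep.items())}


if __name__ == "__main__":
    plan = demo()
    for reason in ("daily", "monthly", "yearly"):
        print(reason, [d for d, r in plan.items() if r == reason])
```

For the constructed input the plan keeps 42 of 912 backups: the 30 June 2024 dailies, the month-end copies from July 2023 through May 2024 (June's month-end is already a daily), and 31 December 2022 as the one yearly that is not already covered. Note that the yearly window is counted in calendar years back from today, so a regulated data class with a fixed number of years should get at least one extra year of margin rather than the bare minimum.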
Are Microsoft 365 mailboxes backed up by default?
Microsoft replicates data for resilience and offers retention policies, but it's not a third-party backup — deleted items still age out, malicious deletion is hard to recover beyond the retention window, and a compromised account can damage data faster than retention compensates for. Add a third-party M365 backup (Datto SaaS Protection, AvePoint, Veeam) for any production tenant.