Here's a question that separates businesses that will survive a disaster from those that won't: When did you last test a restore?
Not "when did you last run a backup." When did you actually pull data from your backup and verify it works?
If you're like most business owners, you're suddenly feeling a little uncomfortable. That's the point.
The Backup You Think You Have vs. The Backup You Actually Have
We have to be honest here. In our years of working with growing businesses, we've seen the same story play out dozens of times. A company comes to us after a crisis — ransomware attack, hardware failure, accidental deletion — and discovers their "backup" isn't what they thought it was.
The backup hadn't run in three months. Or it was running, but only capturing half the data. Or it was complete, but stored on a drive sitting six feet from the server it was supposed to protect.
These aren't edge cases. They're the norm.
The most dangerous backup is the one you assume is working. Untested backups aren't backups — they're false confidence.
The Four Ways Backups Fail
Let's talk about the specific ways your backup strategy is probably broken:
1. Not running. The backup job failed weeks ago. Maybe the drive filled up. Maybe a software update broke something. Nobody noticed because nobody was watching.
2. Not complete. The backup captures your file server but misses your database. Or it gets the database but not the application configurations. Or it backs up the old location but your team started saving files somewhere new.
3. Not tested. You've never actually restored from backup. You don't know if the data is corrupted. You don't know how long a restore takes. You don't know if you even have the software to read the backup format anymore.
4. Not offsite. Your backup sits in the same building as your production data. A fire, flood, or theft takes both.
Any one of these failures means you don't have a backup. You have a hope.
The Ransomware Reality Check
Let's talk about the threat that changed everything: ransomware.
In a ransomware attack, criminals encrypt your data and demand payment for the decryption key. Your options are pay the ransom (which doesn't guarantee you get your data back), rebuild from scratch (which can take months and cost more than the ransom), or restore from backup.
That's it. Those are your choices.
Here's what makes ransomware particularly nasty: attackers specifically target backups. They know that if they can encrypt your backups too, you have no choice but to pay. Modern ransomware will sit dormant in your network for weeks, quietly corrupting backup files before triggering the visible attack.
Your backup isn't just a convenience anymore. It's your only recovery option when — not if — you face a ransomware attack.
The 3-2-1 Rule: Your Minimum Viable Backup
The gold standard for backup strategy is the 3-2-1 rule:
- 3 copies of your data (production plus two backups)
- 2 different media types (local disk plus cloud, or disk plus tape)
- 1 copy offsite (physically separated from your primary location)
This isn't paranoia. It's math.
If you have one copy and it fails, you lose everything. If you have two copies in the same location, a single disaster takes both. If both copies are on the same type of media, a systematic failure (like a firmware bug) can corrupt both simultaneously.
The 3-2-1 rule ensures that no single failure mode can take all your data.
| Backup Strategy | Protects Against | Vulnerable To |
|---|---|---|
| Local backup only | Accidental deletion, hardware failure | Fire, flood, theft, ransomware |
| Local + offsite tape | Most disasters | Slow recovery, tape degradation |
| Local + cloud backup | All common disasters | Internet-dependent recovery |
| 3-2-1 with cloud | Virtually everything | Minimal — this is the target |
Why Local Backup Isn't Enough
"But we have a backup drive," you might say. "It's right here in the server room."
That's exactly the problem.
What happens if the building floods? What happens if there's a fire? What happens if someone breaks in and steals your servers — and the backup drives sitting next to them?
We worked with a company that lost everything in a hurricane. Their servers were destroyed. Their backup drives, stored in the same building, were destroyed. Years of customer data, financial records, and proprietary processes — gone.
They had backup. They just didn't have offsite backup.
The Cloud Backup Advantage
Cloud backup solves the offsite problem by default. Your data lives in geographically distributed data centers, far from whatever disaster might hit your office.
But that's just the beginning. Here's what cloud backup actually gives you:
Automatic offsite storage. No tapes to rotate. No drives to transport. Your data is offsite the moment it's backed up.
Managed infrastructure. You're not responsible for maintaining backup hardware. No failed drives to replace, no firmware to update.
Continuous monitoring. Cloud backup services alert you when backups fail. No more discovering three months later that nothing was running.
Encryption in transit and at rest. Your data is protected from interception and unauthorized access.
Geographic redundancy. Major cloud providers store your data across multiple data centers. A disaster at one location doesn't affect your backup.
Scalable storage. You pay for what you use. No more running out of space on your backup drive.
What Actually Needs Backup?
Here's where most backup strategies fall apart: they don't capture everything that matters.
A complete backup strategy covers:
Operating systems and configurations. Can you rebuild your servers from scratch? Do you have the settings, the configurations, the customizations that make your systems work?
Databases. Not just the files — the actual database state, captured in a way that ensures consistency. A file-level backup of a running database can produce corrupted data.
Application data. All the files your business creates and uses. Documents, spreadsheets, images, everything.
Email and communications. If you're running your own email server, this needs backup. If you're using cloud email, verify what retention and recovery options you have.
SaaS configurations. Your cloud applications have settings, workflows, and integrations. These need documentation and backup too.
Credentials and secrets. Passwords, API keys, certificates. Stored securely, but stored.
Create a data inventory before designing your backup strategy. You can't protect what you don't know exists.
Recovery Time: The Number Nobody Knows
Here's a question that should keep you up at night: If you lost everything right now, how long would it take to recover?
Most businesses have no idea.
Recovery time depends on factors most people never consider:
- How much data needs to be restored?
- What's your internet bandwidth for downloading from cloud backup?
- Do you have replacement hardware ready?
- Do you have the software licenses and installation media?
- Does anyone know how to actually perform the restore?
We've seen businesses with "good" backups take two weeks to fully recover because they never planned the restore process. They had the data. They just couldn't get it back into production quickly.
Recovery time objective (RTO) is how long you can tolerate being down. Recovery point objective (RPO) is how much data you can afford to lose. If you can't answer both of these questions, you don't have a backup strategy — you have a backup hope.
The Testing Discipline: Backups You Don't Test Aren't Backups
This is the part everyone skips. And it's the part that matters most.
A backup you've never tested is a backup you can't trust. Full stop.
Testing means:
Regularly restoring files. Pick random files from your backup and restore them. Verify they open and contain the right data.
Periodically restoring entire systems. At least annually, restore a complete system to verify the process works end-to-end.
Documenting the restore procedure. The person who set up the backup might not be available when you need to restore. Write it down.
Timing the restore. Know how long recovery actually takes so you can plan accordingly.
Verifying data integrity. Check that restored databases are consistent and applications function correctly.
We recommend testing file restores monthly and full system restores at least twice a year. Put it on the calendar. Make it non-negotiable.
AWS Backup Services: What's Actually Available
If you're running on AWS — or considering it — you have native backup capabilities built into the platform.
AWS Backup provides a centralized service to manage backups across AWS services. You can create backup policies, automate backup schedules, and monitor backup health from a single console.
Amazon S3 offers multiple storage classes for backup data, from frequently accessed to deep archive. Versioning protects against accidental overwrites and deletions.
Amazon EBS snapshots capture point-in-time copies of your server volumes. These can be automated and copied across regions for geographic redundancy.
Amazon RDS automated backups handle database backup with point-in-time recovery. You can restore to any second within your retention period.
AWS Backup Vault Lock provides immutable backups that can't be deleted — even by administrators. This is your ransomware protection.
The Cost Perspective: Backup vs. Data Loss
Let's talk money.
Cloud backup costs vary, but for a typical small business, you're looking at somewhere between $100 and $500 per month for comprehensive backup coverage. Maybe more if you have large amounts of data.
Now let's talk about what data loss costs:
Direct costs: Lost revenue during downtime. Cost to recreate lost data. Emergency IT services. Potential regulatory fines.
Indirect costs: Customer trust damage. Employee productivity loss. Competitive disadvantage. Delayed projects.
Existential costs: Some businesses never recover from major data loss. The statistics are grim — a significant percentage of businesses that experience catastrophic data loss close within a year.
A few hundred dollars a month for backup is insurance. And unlike most insurance, you will almost certainly need to use it at some point.
| Scenario | Typical Cost |
|---|---|
| Monthly cloud backup | $100-$500 |
| One day of downtime | $10,000-$50,000+ |
| Ransomware ransom | $50,000-$500,000+ |
| Complete data loss | Business closure |
Getting Started: Assessing Your Current State
If you've read this far and you're worried, good. Worry is appropriate. But worry without action is just anxiety.
Here's how to assess and improve your backup strategy:
Step 1: Audit what exists. What backup systems are currently in place? When did they last run successfully? What data are they capturing?
Step 2: Identify the gaps. What data isn't being backed up? Is anything offsite? Has anyone ever tested a restore?
Step 3: Define your requirements. What's your acceptable recovery time? How much data can you afford to lose? These answers drive your backup design.
Step 4: Implement 3-2-1. At minimum, get one copy of your critical data into the cloud. This is your foundation.
Step 5: Test immediately. Don't wait. Restore something today and verify it works.
Step 6: Schedule ongoing tests. Monthly file restores. Quarterly system restores. Put it on the calendar.
The Question You Need to Answer
We started with a question, and we'll end with it: When did you last test a restore?
If the answer is "never" or "I don't know," you have work to do. The good news is that cloud backup is more accessible and affordable than ever. The bad news is that threats are more sophisticated than ever too.
Your backup is the insurance policy you don't think about until you need it. Unlike most insurance, you will need it. Hardware fails. Humans make mistakes. Criminals attack.
The only question is whether you'll be ready.
Don't wait for the disaster to find out your backup doesn't work. Test it today. Improve it this week. And sleep better knowing that when something goes wrong — and something will go wrong — you can recover.
Entvas Editorial Team
Helping businesses make informed decisions
