Backups Are Not Finished Until They Are Tested
Every business says it has backups. The real question is whether those backups can restore the data, systems, and operations the business needs after a failure, deletion, ransomware event, hardware problem, or account compromise.
A backup that has never been tested is not a recovery plan. It is a guess. Backup strategy should answer practical questions: what is backed up, how often, where it is stored, who receives alerts, how long data is kept, how fast recovery needs to happen, and what happens if ransomware tries to delete or encrypt the backups.
Common Backup Mistakes
- Backing up only one computer when business data is stored in several places
- Assuming Microsoft 365 is fully backed up by default
- Never testing restores
- Using the same password for backups and daily administration
- Keeping backups permanently connected and easy for ransomware to reach
- Not monitoring failed backup jobs
- Not documenting where backups are stored
- Not planning for internet speed during large restores
The 3-2-1 Backup Rule
The traditional 3-2-1 rule is still useful: keep three copies of important data, on two different storage types, with one copy off-site or isolated. The exact implementation may be different today, but the principle remains sound. Do not put all recovery options in one place.
Local Backup vs Cloud Backup
Local backup can provide faster recovery for large data sets because restoration happens over the local network. Cloud backup provides off-site protection and can be valuable if the building is damaged or local equipment is compromised. Many businesses benefit from both.
Ransomware Changes Backup Planning
Ransomware may try to encrypt or delete backups. Backup systems should be protected with separate credentials, restricted access, immutable storage where practical, monitoring, and alerts. The backup repository should not be treated like an ordinary shared folder.
Recovery Time Matters
Backup planning is not only about whether data exists. It is also about how long recovery takes. Restoring a few files is different from restoring a server, a full NAS, a Microsoft 365 mailbox, or a line-of-business application.
Businesses should identify which systems must come back first: email, accounting, front desk systems, shared files, phones, point-of-sale, cameras, or remote access.
Backups for Microsoft 365
Microsoft 365 includes retention and recovery capabilities, but it is not the same as a dedicated backup. Businesses should review Exchange Online, SharePoint, OneDrive, Teams files, retention settings, deleted item recovery, and third-party backup options.
Frequently Asked Questions
Is cloud backup enough?
Cloud backup can be useful, but the right design depends on recovery time, data size, internet speed, ransomware risk, and whether local recovery is also needed.
How often should backups be tested?
Backups should be tested regularly. A backup that has never been restored is not a proven recovery plan.
Can backups protect against ransomware?
Backups do not prevent ransomware, but properly protected backups can make recovery possible without paying attackers.
What is the 3-2-1 backup rule?
The 3-2-1 rule means keeping three copies of data, on two different types of storage, with one copy off-site or otherwise isolated.
Do Microsoft 365 files need backup?
Many businesses should consider Microsoft 365 backup for OneDrive, SharePoint, and Exchange Online, especially when long-term recovery or protection from account compromise matters.