Backups That Matter: What to Back Up and How to Know It Works

Backups That Matter: What to Back Up and How to Know It Works

Everyone says “back up your data.” Few people say what that actually means in practice, or how to find out if your backups would actually save you when you need them.

Here’s the plain version.

Why this matters

Ransomware encrypts your files and demands payment. Hard drives fail. Laptops get stolen. Someone accidentally deletes the wrong folder. These aren’t exotic scenarios—they happen to small businesses constantly. A working backup turns a disaster into an inconvenience. A missing or broken backup turns it into a crisis.

The 3-2-1 rule in plain English

This is the standard recommended by CISA, and it’s simple:

  • 3 copies of your important data
  • 2 different types of storage (for example, your computer’s hard drive and a cloud service)
  • 1 copy offsite (somewhere physically separate, like the cloud or a drive stored elsewhere)

The point is redundancy. If one copy fails, you have another. If your office floods, the offsite copy survives.

What to back up

You don’t need to back up everything. Focus on what you can’t recreate:

  • Business documents: contracts, proposals, client files, financial records
  • Email: if it’s not already in a cloud service that retains it
  • Databases: if you run any business applications with a database backend
  • Configuration and settings: for systems that would take hours to set up again
  • Photos and media: if relevant to your business

You probably don’t need to back up applications themselves—you can reinstall those. Back up the data they create.

Cloud vs. local

Cloud backups (OneDrive, Google Drive, Backblaze, etc.) are great for offsite protection. They run automatically and survive local disasters. But “synced to the cloud” isn’t the same as “backed up.” If ransomware encrypts your files and they sync, your cloud copy is encrypted too. Look for services with version history or point-in-time recovery.

Local backups (external hard drives, NAS devices) are fast to restore from and don’t depend on internet speed. But they’re vulnerable to the same fire, flood, or theft that hits your office.

Use both. That’s what 3-2-1 is about.

What ransomware does to backups

Ransomware is designed to find and encrypt your backups too. If your backup drive is always plugged in, it’s a target. If your backup service uses credentials saved on the infected machine, it’s a target.

Protect at least one backup:

  • Use an offsite/cloud backup that the ransomware can’t reach from the infected machine
  • If using local backups, disconnect or rotate drives so at least one is offline at any time
  • Some backup services offer immutable storage—backups that can’t be modified or deleted for a set period

The restore test

This is the part most people skip, and it’s the most important part.

Do this once a quarter:

  • Pick a file or folder from your backup
  • Restore it to a different location
  • Open it and verify it’s intact and current

That’s it. Ten minutes. If the restore works, your backup is real. If it fails—or the files are weeks out of date—you found the problem before it mattered.

Common mistakes

  • “It’s in the cloud, so it’s backed up.” Cloud sync is not backup. If you delete a file from your computer and it syncs, the cloud copy is gone too (unless versioning is enabled).
  • Never testing a restore. Backups fail silently. The software says it’s running, but the files might be corrupted, incomplete, or not backing up what you think.
  • Backing up to a drive that’s always connected. Ransomware will find it. Rotate drives or use a cloud backup that’s not directly accessible from your machines.
  • No one knows how to restore. If only one person knows the backup system and they’re unavailable, your backup might as well not exist. Document the restore process.

Quick checklist

  • Critical business files identified and backed up
  • At least one offsite/cloud backup in place
  • At least one backup that ransomware can’t reach
  • Restore test completed (and scheduled quarterly)
  • Restore process documented so more than one person can do it

This post is part of the Minimum Security Posture series.

If you’d like a second set of eyes, I can run through this with you and point out the top risks in your setup—no pressure.

Share this post
X Facebook LINE