When asked about backups, most business owners will say they have them. They point to cloud sync, external drives, or automated systems set up years ago. But backup isn't really about creating copies—it's about the ability to recover. And that's where many assumptions break down.

The Gap Between Backup and Recovery

Having backup is not the same as being able to recover. The distinction matters because recovery requires:

  • Backups that are current and complete
  • Data that hasn't been corrupted or encrypted
  • The ability to actually restore to a working state
  • Tested processes that work under pressure

Each of these can fail even when "we have backups" is technically true.

Common Assumptions That Fail

"Our Files Sync to the Cloud"

Cloud sync services like OneDrive, Google Drive, or Dropbox are valuable for access and collaboration. But sync is not backup. If a file is deleted, corrupted, or encrypted by ransomware, that change syncs too. While these services often have version history, it may not extend far enough or cover all scenarios.

"We Back Up Every Night"

Automated backup schedules are set and forgotten. But "it runs every night" doesn't confirm that:

  • It's actually succeeding
  • It includes everything needed
  • The backup media isn't failing
  • Anyone is monitoring for problems

Backup systems can fail silently for months before anyone notices.

"We Keep Copies on External Drives"

External drives connected to the network share the network's risks. Ransomware that encrypts primary systems often reaches attached backup drives too. Truly isolated backups require intentional separation.

We discussed this challenge in our article on protecting backups from ransomware.

"We Could Restore in a Few Hours"

Recovery time estimates are often optimistic. In practice, restoration involves:

  • Identifying what needs to be restored
  • Ensuring the target environment is clean
  • Actually transferring the data (which takes time)
  • Reconfiguring systems and applications
  • Testing that everything works

What seems like a few hours often extends to days. We explored the broader impact in our piece on the cost of downtime.

"Our IT Provider Handles It"

Delegating backup to an IT provider is reasonable, but understanding what's actually covered remains important. Questions worth clarifying include what's included in backups, how long retention extends, and what the provider's responsibilities are if restoration fails.

The Ransomware Dimension

Modern ransomware attacks often specifically target backup systems. Attackers understand that victims who can recover from backups won't pay ransoms. Common tactics include:

  • Deleting accessible backup files before encrypting primary data
  • Corrupting backup software or configurations
  • Dwelling in systems for extended periods to ensure backups contain compromised data
  • Encrypting backup repositories that are network-accessible

We covered ransomware considerations in our article on understanding ransomware.

What Needs to Be Backed Up

Organizations often focus on obvious data—documents, databases—while overlooking:

  • Configurations and settings for critical systems
  • Credentials and encryption keys
  • Application-specific data stored in unexpected locations
  • Cloud-based data that may have different backup requirements
  • Email, depending on how it's hosted

Discovering gaps during recovery is significantly worse than discovering them during planning.

The Testing Question

The single most important question about any backup system is: when was it last tested? Not "when did we check that the job ran," but "when did we actually restore data and confirm it worked?"

Untested backups are assumptions, not assurances. Organizations that periodically test recovery—even just partial tests—have much higher confidence in their ability to actually recover.

Cloud Backup Considerations

Cloud-based backup services offer advantages: off-site storage, automated management, and often better resilience than on-premises solutions. But they introduce their own considerations:

  • Recovery speed depends on internet bandwidth
  • Costs may scale with storage volume
  • Understanding what's included requires careful review
  • The provider's security becomes relevant to yours

We discussed third-party dependencies in our article on vendor risk.

Questions for Reflection

Rather than prescribing specific solutions, here are questions worth considering:

  • If systems were encrypted tonight, what would actually be recoverable tomorrow?
  • How would you know if your backups were failing?
  • When was the last time a restore was actually tested?
  • If your backup provider had a breach, what would the impact be?

Honest answers to these questions often reveal where attention is warranted.

This article is intended for informational purposes only and does not constitute professional security advice. Organizations should consult with qualified professionals to assess their specific backup and recovery needs.