Local Business

You Do Not Have a Backup Until You Have Watched It Restore

Why small-business backups fail silently — sync is not backup, Microsoft 365 is not backed up by default, ransomware hunts backups first — and how to run a real restore test this quarter.

11 de julio de 2026 5 min de lectura backupssmall businesssecurityMicrosoft 365disaster recovery

Ask a room of small-business owners whether they have backups and nearly every hand goes up. Ask who has watched one restore in the last year and the room goes quiet. That gap — between running backups and proving them — is where businesses actually get hurt, because a backup only ever fails at the exact moment you need it.

The good news: proving a backup takes about an hour a quarter. Here is why it matters and how to do it.

The four ways backups fail silently

Sync is not backup. OneDrive, Dropbox, and Google Drive mirror your files — including your mistakes. Delete a file, and the deletion syncs. Overwrite it, and the overwrite syncs. Get hit by ransomware, and the encrypted copies sync too, sometimes faster than you can react. Version history and recycle bins soften this, but they have retention limits and they are not designed as a recovery system. Sync answers “can I get this file on another machine?” — not “can I get my business back?”

Microsoft 365 is not backed up by default. The mailboxes, OneDrive files, SharePoint sites, and Teams history your business runs on live under retention policies, not backups — and Microsoft’s own guidance is to back up the content you store in its services regularly. A departed employee’s deleted mailbox, a retention window that lapses, an admin mistake: all recoverable with a real backup, all potentially gone without one. We covered what this looks like in practice on our device management page.

The scope drifted. The backup was configured three years ago. Since then you added a new shared drive, moved the accounting data, and started using a new app — none of which are in the backup job, because nobody’s job is to notice. Backups protect the business you had when they were configured, not the one you have.

Ransomware hunts backups first. Modern attacks do not encrypt your files and hope. They find the backups — the NAS in the closet, the always-connected USB drive, the network share named BACKUP — and encrypt or delete those first. A backup that is always online and reachable from your network is, to an attacker, just another folder. Real protection means at least one copy that is offline, offsite, or immutable.

The restore test

This is the whole discipline, and it fits in an hour:

  1. Pick a real target. Not the easiest file — a meaningful one. A folder of client records. Last month’s accounting data. One employee’s mailbox.
  2. Restore it to a different location. Never restore over the live copy. A separate folder or a spare machine proves the backup without betting the original.
  3. Open what came back. Files exist is not the test. Files open, spreadsheets calculate, the database mounts — that is the test. Corrupt backups list beautifully.
  4. Time it. If one folder takes an afternoon, a full server will take a week — better to learn that on a calm Tuesday than during an outage.
  5. Write down what happened. Date, what was restored, how long it took, what surprised you. Four of these notes a year is a recovery capability. Zero is a hope.

Then put it in the calendar, quarterly, owned by a named person. The businesses that survive data disasters are not the ones with the fanciest backup software — they are the ones where restore-testing was boring routine.

The standard worth holding

The classic rule is 3-2-1: three copies of your data, on two different kinds of storage, one of them offsite — and at least one copy offline or immutable so ransomware cannot reach it. You do not need enterprise tooling for this; you need someone to own it.

That last point is the honest one. Every failure mode above is a symptom of the same cause: backups are nobody’s job. If they are yours and this list made you uneasy, start with one restore test this week. If you would rather they were a professional’s job — with the restore tests run, documented, and reported to you monthly — that is exactly the kind of thing our managed practice exists for. And if you are evaluating any IT provider, ours included, the first question to ask is when they last restored a client’s backup — not ran one, restored one.

Send us two paragraphs about how your data is protected today, and we will reply in writing within one business day.

— Boletín

Recibe nuestros artículos por correo.

Una nota ocasional del equipo — casos de estudio, nuevas herramientas gratuitas, ensayos de ingeniería. Nunca a diario.

Tres campos, sin rastreo. Política de privacidad.