Most businesses think they are backed up. Most discover they are not at the worst possible moment. Here is how to be genuinely safe.

Why this matters more than ever

Ransomware has turned backup from an IT housekeeping task into a survival issue. The ACSC receives tens of thousands of cybercrime reports a year, and studies repeatedly show that a large proportion of small businesses that suffer major data loss never fully recover. Your backup is the one control that lets you say no to a ransom demand. It is worth getting right.

The 3-2-1 rule

The gold standard is simple and forty years old: keep three copies of your data, on two different types of media, with one copy off-site. The three copies guard against any single failure; the two media types guard against a whole class failing at once; the off-site copy guards against fire, flood, and theft. If your current setup does not meet all three, it has a gap.

Cloud sync is not backup

This is the most expensive misunderstanding we see. OneDrive, Dropbox, and Google Drive are sync tools — they faithfully copy your latest changes everywhere, including your mistakes and any ransomware encryption. If a file is deleted or encrypted, that change syncs too. True backup keeps point-in-time versions you can roll back to. You need both, and they are not the same thing.

An untested backup is just a hope

The only backup that counts is one you have proven you can restore from. We have lost count of the businesses whose backup had been silently failing for months — nobody checked until they needed it. For managed clients we test restores on a schedule, because the moment of truth is a real recovery, not a green tick on a dashboard.

What good looks like

Modern backup needs an immutable, off-site copy that attackers cannot reach or encrypt, plus fast recovery so a failure becomes an inconvenience rather than a closure. At Elevate we use Datto: an on-site appliance for instant local recovery, an immutable cloud copy off-site, with a recovery-point objective measured in minutes. We have used it in anger more than once — and that is exactly the point of having it.

Why recovery speed is the real metric

Backups are only half the story; recovery is the half that saves the business. The sobering statistic is downtime: studies of ransomware incidents have put average business disruption at around three weeks. Few small businesses can survive 21 days offline. This is why we talk in terms of two numbers — your recovery point objective (how much data you could afford to lose, ideally minutes) and your recovery time objective (how fast you are back, ideally hours). A backup that technically exists but takes a week to restore has already failed the test. At Elevate we design backup around those two targets and then prove them with scheduled test restores, because the only acceptable answer to "are we covered?" is one you have actually demonstrated, not one you hope is true.
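The 3-2-1 rule, the silently failing job, and the RPO and test-restore targets described above can be checked mechanically against a backup inventory. The sketch below is an added example, not Elevate's or Datto's tooling; the field names, the thresholds, the inventories, and the choice to count live production data as copy number one are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class BackupCopy:
    name: str
    media: str                             # e.g. "appliance", "cloud", "tape"
    offsite: bool
    immutable: bool
    last_success: datetime                 # last backup job that completed
    last_restore_test: Optional[datetime]  # last proven restore, None if never

def audit(copies, primary_media, now, rpo, max_test_age):
    """Return gap strings; an empty list means every check passed."""
    gaps = []
    # A copy whose last good job is older than the RPO cannot meet the target,
    # so it is reported and excluded from the 3-2-1 count.
    fresh = []
    for c in copies:
        if now - c.last_success <= rpo:
            fresh.append(c)
        else:
            gaps.append(f"STALE: {c.name} last succeeded {(now - c.last_success).days} days ago")
    # Assumption: the live production data counts as copy number one.
    if 1 + len(fresh) < 3:
        gaps.append(f"COPIES: {1 + len(fresh)} usable copies, need 3")
    if len({primary_media} | {c.media for c in fresh}) < 2:
        gaps.append("MEDIA: all usable copies share one media type")
    if not any(c.offsite for c in fresh):
        gaps.append("OFFSITE: no usable off-site copy")
    if not any(c.offsite and c.immutable for c in fresh):
        gaps.append("IMMUTABLE: no usable immutable off-site copy")
    if not any(c.last_restore_test and now - c.last_restore_test <= max_test_age for c in fresh):
        gaps.append("UNTESTED: no usable copy has a recent proven restore")
    return gaps

# Constructed sample inventories (not real data).
NOW = datetime(2024, 5, 1, 12, 0)
HEALTHY = [
    BackupCopy("appliance", "appliance", False, False, NOW - timedelta(minutes=10), NOW - timedelta(days=20)),
    BackupCopy("cloud", "cloud", True, True, NOW - timedelta(minutes=15), NOW - timedelta(days=20)),
]
SILENTLY_FAILING = [
    BackupCopy("appliance", "appliance", False, False, NOW - timedelta(minutes=10), None),
    BackupCopy("cloud", "cloud", True, True, NOW - timedelta(days=90), NOW - timedelta(days=200)),
]

if __name__ == "__main__":
    for label, inv in (("healthy", HEALTHY), ("silently failing", SILENTLY_FAILING)):
        print(label, audit(inv, "server-disk", NOW, timedelta(hours=1), timedelta(days=30)) or "no gaps")
```

In the second inventory a single stale cloud job removes the off-site copy, the immutable copy, and the third copy at once, which is why job freshness is checked before the 3-2-1 count.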
