Why Your Backups Might Not Save You


“We’ve got backups, so ransomware doesn’t worry us.”

I hear this constantly. And every time, I ask the same question: when did you last restore from those backups?

The answer is usually silence.

Having backups is not the same as being able to recover. Let me explain why your current backup strategy might fail when you need it most.

Common Ways Backups Fail

The backup includes the ransomware.

Ransomware often sits dormant in your systems for weeks before activating. By the time you see the ransom note, your recent backups are also infected. You restore from backup, and a week later the ransomware activates again.

The backup storage was compromised too.

Modern ransomware specifically targets backups. If your backup drive is connected to the network, attackers will find it and encrypt it. Cloud backups with always-on sync can push encrypted files to the cloud before you know what’s happening.

Nobody knows how to restore.

The backup runs automatically. Nobody’s actually done a full restore since the system was set up. When you need to recover, you’re learning the process under extreme pressure, with no documentation, and the person who configured it left two years ago.

It takes too long.

Restoring a full system from cloud backup over typical Australian internet? That could be days or weeks. How long can your business operate without its systems?

Critical data wasn’t being backed up.

The backup covers file servers and email, but what about:

  • SaaS application data?
  • Cloud storage?
  • Configuration settings?
  • Server state and applications?
  • Databases?

Every gap is a potential point of failure.

The backup is corrupted.

Backups can fail silently. Corrupted files, incomplete backups, failed verification. If you’re not checking, you won’t know until you need to restore.

The 3-2-1 Rule (And Why It’s Not Enough)

You’ve probably heard the 3-2-1 rule:

  • 3 copies of your data
  • 2 different media types
  • 1 offsite location

This is a good starting point, but it’s incomplete for modern threats. You need to add:

1 immutable or offline copy.

Immutable means it can’t be modified or deleted, even by an admin with full access. Offline means it’s physically disconnected from any network. Either approach protects against ransomware that compromises your entire environment.

1 tested restore.

A backup you’ve never restored from isn’t a backup. It’s hope.

So the modern rule is more like 3-2-1-1-1.

Implementing Proper Backups

Cloud backup with ransomware protection.

Services like Acronis, Veeam, and Datto offer features specifically designed to survive ransomware:

  • Immutable backup storage (can’t be modified even with credentials)
  • Anomaly detection (alerts when backup data looks like it’s being encrypted)
  • Air-gapped or isolated backup infrastructure
  • Point-in-time recovery (restore to any moment, not just latest)
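One way an "is this backup being encrypted" alert can work, as an added example that is not from the original post and is not how Acronis, Veeam or Datto implement it: compare two backup runs and flag a run where most files changed and most of those jumped from low to near-random byte entropy. The thresholds, function names and sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: close to 8 for encrypted or compressed data, lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot_alert(previous, current, entropy_floor=7.5, ratio=0.5):
    """previous/current map path -> sampled bytes of that file in each backup run.
    Alert when most files changed and most changes jumped to near-random content."""
    changed = sorted(p for p in current if p in previous and current[p] != previous[p])
    # Count only low-to-high jumps so archives and images, which are always
    # high entropy, do not raise the alert by themselves.
    jumped = [p for p in changed
              if shannon_entropy(previous[p]) < entropy_floor <= shannon_entropy(current[p])]
    alert = bool(changed) and (len(changed) / len(previous) >= ratio
                               and len(jumped) / len(changed) >= ratio)
    return {"alert": alert, "changed": changed, "jumped": jumped}


def pseudo_random(seed, size=4096):
    """Constructed stand-in for ciphertext: deterministic high-entropy bytes."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(size // 32))


def demo():
    """Constructed snapshots: a normal nightly run, then a mass-encryption run."""
    base = {
        "docs/plan.txt": b"quarterly restore test plan\n" * 100,
        "finance/ledger.csv": b"id,amount\n1,100.00\n2,250.50\n" * 100,
        "hr/roster.txt": b"mon tue wed thu fri\n" * 100,
        "media/archive.zip": pseudo_random(b"zip"),
    }
    normal = dict(base, **{"finance/ledger.csv": base["finance/ledger.csv"] + b"3,75.00\n"})
    encrypted = {path: pseudo_random(path.encode()) for path in base}
    return snapshot_alert(base, normal), snapshot_alert(base, encrypted)
```

An alert like this is a reason to pause retention pruning and keep the last known-good restore point, not proof of compromise: a bulk re-compression or migration job produces the same pattern.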

Microsoft 365 backup.

A common misconception: Microsoft backs up your data. Sort of. They maintain infrastructure availability, but they’re not backing up your data for recovery purposes. Their retention policies might not match your needs, and recovering deleted items has limitations.

Consider third-party Microsoft 365 backup solutions that create independent copies of your Exchange, SharePoint, OneDrive, and Teams data.

Offline backups.

The simplest form of protection: a backup that’s physically disconnected. External hard drives rotated offsite. Tape backups (yes, tape still exists and is quite good for this). Air-gapped storage.

These can’t be encrypted by ransomware because they’re not connected. The downside is they’re more manual and might not be as current.

Backup verification.

Your backup solution should verify integrity:

  • Hash verification of backed-up files
  • Automated restore tests
  • Monitoring and alerts for failed backups
  • Regular review of backup scope (what’s covered, what’s not)

Testing Your Recovery

I cannot stress this enough: test your backups regularly.

Quarterly restore tests: Pick a random file, folder, or system and restore it. Time how long it takes. Verify the data is intact. Document the process.

Annual full recovery test: Simulate a complete disaster. Can you rebuild your environment from backups? How long does it take? What’s missing?

Tabletop exercises: Walk through a ransomware scenario with your team. What would you restore first? Who’s responsible? Where’s the documentation? What decisions would leadership need to make?

Testing reveals problems:

  • Gaps in backup coverage
  • Unclear procedures
  • Missing credentials
  • Unrealistic recovery time expectations

Better to discover these during a test than during an actual incident.

Recovery Time and Business Continuity

Ask yourself: how long can you operate without your systems?

If the answer is “not long,” you need more than just backups. You need:

Recovery time objectives (RTO): How quickly must systems be back online?

Recovery point objectives (RPO): How much data loss is acceptable? An hour? A day?

Business continuity plans: How do you operate while systems are down?

For critical systems with low RTO, consider:

  • Standby environments that can be activated quickly
  • Replication to secondary sites
  • Hot failover capabilities

These are more expensive than basic backups, but for some businesses, the cost of extended downtime justifies it.

The Real Question

Here’s what you need to answer honestly:

If ransomware encrypted everything in your environment right now - workstations, servers, cloud storage, everything the attackers could reach - could you recover?

How long would it take?

Would you lose any data?

Do you know, or are you hoping?

If you can’t answer confidently, your backup strategy needs work. Not tomorrow. Not next quarter. Now.

Because ransomware doesn’t wait for convenient timing.

Getting Help

If backup and recovery feels overwhelming, you’re not alone. For businesses that need help designing and implementing proper backup strategies, working with specialists can make sense. Firms like AI consultants Brisbane combine security expertise with automation to help SMBs implement enterprise-grade protection without enterprise-grade complexity.

Backups are your last line of defence. Make sure they actually work.