Ask a small business owner whether they back up their data, and the answer is almost always yes. They have an external hard drive, or they have OneDrive sync turned on, or they remember seeing something about backups in their software settings.

Ask whether they’ve ever actually restored from those backups — tested that they work, measured how long it takes, verified the data comes back intact — and the answer is almost always no.

This is the backup gap. The difference between having a backup and having a backup you can actually recover from is wider than most businesses realise. And a backup you can’t recover from isn’t a backup — it’s a false sense of security.

Why Common Backup Approaches Fail

External hard drives. A backup on a drive plugged into your computer or server is typically destroyed alongside your data in a ransomware attack. Ransomware actively looks for and encrypts backup drives. If it’s connected, it’s compromised.

OneDrive and Dropbox sync. Sync services are not backups. When ransomware encrypts your local files, the sync service faithfully copies the encrypted versions to the cloud, overwriting the good versions. Many ransomware victims have discovered this the hard way.

Backup software running to an attached NAS. Better than a USB drive, but if the NAS is connected to the same network as the infected systems, it too may be reachable and encrypted.

No versioning. Even if a backup isn’t directly destroyed, if it lacks versioning — the ability to go back to versions from before the incident — a backup taken after infection is useless.

Never tested. A backup process that has never been tested has unknown reliability. Backups fail silently. Corrupt data, configuration errors, and storage failures can mean your backup contains nothing useful.

What Good Cloud Backup Actually Looks Like

Effective backup for small businesses in 2025 typically involves cloud backup services that are purpose-built for resilience. The key characteristics:

Offsite and isolated. The backup destination must be genuinely separate from your production systems — not a drive on the same network, not a sync folder. A proper cloud backup service stores data in infrastructure with no direct connection to your systems.

Immutability. Modern cloud backup services offer immutable storage — a retention period during which backed-up data cannot be deleted or modified, even by someone with administrator access to the backup account. This prevents ransomware (and malicious insiders) from destroying backups.

Versioning and retention. You need the ability to restore from a point in time before an incident occurred. This means retaining multiple versions over a meaningful period — not just the most recent backup.

Encryption. Backup data should be encrypted in transit and at rest, with encryption keys held separately from the backup data itself.

Monitoring and alerting. Backup jobs should be monitored. You should receive alerts when a backup fails, and have visibility into the last successful backup for each system.

Tested regularly. A backup process that isn’t tested is a process of unknown reliability. Restoration should be tested at a frequency appropriate to how much data loss is acceptable — for most small businesses, that means at least quarterly.

The Recovery Time Question

Beyond whether data is recoverable, there’s the question of how long recovery takes. If a ransomware attack encrypts your systems on a Monday morning, can you restore critical systems by Monday afternoon? By Tuesday? By next week?

Recovery time depends on:

  • How much data needs to be restored
  • The speed of your internet connection
  • The complexity of your systems
  • Whether you have documented recovery procedures
  • Whether anyone knows how to execute those procedures under pressure

For most small businesses, the answer to “how long would it take to recover?” is “we don’t know.” Finding out before you need to — through a real restoration test — is one of the most valuable exercises a business can do.

What to Look For in a Cloud Backup Service

Several providers offer purpose-built cloud backup for small businesses. Key things to evaluate:

  • Backup frequency (hourly? daily? real-time?)
  • Retention period (how far back can you go?)
  • Immutable storage (can the backup be deleted or modified?)
  • Restore testing capability (can you do a test restore without disrupting production?)
  • Monitoring and alerting
  • Pricing based on data volume

W3IT assesses backup configuration as part of every security review. We frequently find that businesses believe they’re protected but have gaps — sync services mistaken for backups, backup jobs that have been failing silently for months, or no versioning in place. It’s one of the areas where a small investment in getting it right has the highest potential return.
