When we ask business owners if they have backups, the answer is almost always yes. When we ask if they've ever tested a restore, the answer is almost always no. That gap is where businesses get destroyed.
A backup you haven't tested isn't a backup. It's a file that might restore your data, or might not — and you won't find out which until you need it most. Here's what's actually going wrong with most business backup setups, and what a real backup strategy looks like.
The Most Common Backup Failures We See
1. The backup job has been silently failing for months
Backup jobs fail. Drives fill up. Agents lose their authentication token after a password change. The cloud sync gets stuck. Without someone actively monitoring backup job status, these failures go unnoticed until recovery day — when there's nothing to recover.
2. Backups are on the same system being backed up
Keeping a backup on the same server or network share as the original data means a ransomware attack, hardware failure, or fire takes out both copies at once. Your backup needs to be physically or logically separate from the data it's protecting.
3. Ransomware encrypted the backup too
Modern ransomware specifically targets backup systems. If your backup destination is network-accessible from the infected machine, attackers will encrypt it along with everything else. Immutable backup storage — where data can't be modified or deleted for a set retention period — is now a baseline requirement, not a premium feature.
4. Only files are backed up, not the whole system
Many businesses have file-level backups but no image-level backup of their servers or workstations. Recovering from a file backup after a server failure means rebuilding the operating system, reinstalling applications, reconfiguring settings, and then restoring files. That process can take days. A system image backup can restore a server to a new machine in hours.
5. Nobody knows how long recovery actually takes
A backup that takes 72 hours to restore is fine for archiving compliance records. It's catastrophic if it's your ERP database and your business can't operate without it. Recovery Time Objective (RTO) — how long you can be down — needs to drive how your backup solution is designed, not the other way around.
Reality check: The average cost of IT downtime for small businesses is estimated between $8,000 and $74,000 per hour depending on the industry. For most businesses, a proper backup solution costs far less annually than a single day of downtime.
The 3-2-1 Backup Rule
The 3-2-1 rule is the industry standard for backup architecture and it's simple to understand:
- 3 copies of your data
- 2 different storage media types (e.g. local NAS + cloud)
- 1 copy offsite (cloud, or physical media stored at another location)
Many modern backup strategies add a fourth element: at least one copy must be immutable — meaning it can't be altered or deleted, even by an administrator. This is specifically to protect against ransomware that targets backup infrastructure.
What You Actually Need to Know: RTO vs RPO
Two numbers should drive every backup decision your business makes:
Recovery Time Objective (RTO): How long can your business operate without this system? For most businesses, the answer is hours, not days. Your backup solution needs to be designed to hit that target.
Recovery Point Objective (RPO): How much data can you afford to lose? If your backup runs at midnight and you have a failure at 4 PM, you've lost a full day of work. If your RPO is two hours, you need backups running every two hours at minimum.
Most small businesses haven't defined either of these numbers, which means their backup vendor defined them instead — usually in favour of whatever was cheapest to implement.
A Backup Checklist for Alberta Businesses
- Backup jobs are monitored and someone receives alerts when they fail
- At least one copy is stored offsite or in cloud storage
- Backups are tested with an actual restore at least quarterly
- Backup destination is not accessible from the primary network (immutable or air-gapped)
- Both file-level and system image backups are in place for critical servers
- RTO and RPO have been defined and the current solution can meet them
- Microsoft 365 data (email, SharePoint, OneDrive) is backed up separately — Microsoft does not back up your data on your behalf
Microsoft 365 note: Many businesses assume Microsoft backs up their email and files. Microsoft provides infrastructure redundancy, not backup. Deleted emails beyond the recycle bin period, accidental overwrites, and ransomware-encrypted OneDrive data are your responsibility to recover. A separate M365 backup solution is essential.
What a Modern Managed Backup Looks Like
A properly managed backup solution for a small or mid-sized business typically includes automated monitoring of every backup job, alerting on failures, monthly or quarterly restore tests, and a documented recovery runbook so that when a failure happens, recovery is a process — not a scramble.
The backup solutions we deploy for Alberta clients use immutable cloud storage with local cache for fast recovery, monitor backup job health daily, and include a documented RTO/RPO commitment so there are no surprises when it matters most.
Not Sure if Your Backups Are Actually Working?
We'll review your current backup configuration, test a restore, and tell you exactly what your recovery looks like in a real failure scenario. Free, no pressure.
Book Your Free Assessment