Backup and Recovery Plans: What Every Small Business Needs
The Backup You Have Never Tested Is the Backup You Do Not Have
Every small business has data it cannot afford to lose: client records, financial files, email history, contracts. Most have some form of backup in place. Very few have ever tested whether that backup actually works.
The UK Government’s Cyber Security Breaches Survey (DSIT 2025) found that 43% of UK businesses experienced a cyber attack in the past year. The average cost of an impactful breach reached GBP 8,260. For many small businesses, the damage is not the attack itself but the discovery that their backup was incomplete, corrupted, or had stopped running weeks ago.
A backup that has not been tested is a guess, not a plan. This guide covers how to build a recovery strategy that actually works when you need it.
Not sure if your backups would survive a real incident? Book a Cyber Risk Check and we will assess your backup, email, and recovery posture. Or call 0151 452 3060.
Why “It Backs Up to the Cloud” Is Not Enough
Many businesses believe that because their files are in Microsoft 365 or Google Workspace, they are backed up. They are not. Cloud platforms provide uptime and sync, not disaster recovery. If a file is deleted, overwritten, or encrypted by ransomware, the cloud will faithfully sync those changes.
OneDrive retains deleted files for 93 days; Google Drive gives you 30 days. After that, recovery through the platform is not possible. If ransomware encrypts files on a synced device, the encrypted versions replace the originals in your cloud storage.
A proper backup is an independent copy, stored separately, that you can restore from regardless of what happens to your primary systems.
Even if you never work with us, test your backup this week
Pick a file that was modified three months ago. Try to restore it. If you can get it back in under 30 minutes, your backup is working. If you cannot, or if nobody on your team knows how to do it, you have a gap that needs addressing before a real incident forces the issue.
The Three Principles of a Working Recovery Plan
1. Define what matters most
Not all data is equal. Your client database and financial records are more critical than last year’s marketing photos. Map your data by priority:
- Critical: Data that stops the business if lost (client records, financial systems, email). Back up daily.
- Important: Data that causes significant disruption (templates, project files, HR records). Back up weekly.
- Useful: Data that is inconvenient to lose but replaceable (archives, reference materials). Back up monthly.
2. Follow the 3-2-1 rule
Keep at least three copies of your data, on two different types of storage, with one copy stored off-site. For most small businesses, this means:
- Your working copy in Microsoft 365 or on your server
- A local backup on a NAS or encrypted external drive
- A cloud backup stored independently from your main platform
This protects against hardware failure, ransomware, accidental deletion, fire, theft, and any single point of failure.
3. Automate everything
Manual backups are unreliable. People forget, get busy, or make mistakes. Set your backups to run automatically:
- Daily for critical data
- Weekly for important files and full system images
- After business hours to avoid disrupting staff
If a backup fails, you need to know immediately, not discover it weeks later during an emergency.
Test Your Recovery, Not Just Your Backup
A backup is only useful if you can restore from it quickly enough to keep the business running. That means defining two metrics:
- Recovery Time Objective (RTO): How long can you afford to be down? Four hours? One day?
- Recovery Point Objective (RPO): How much data can you afford to lose? One hour’s worth? One day’s?
Run a test restore at least once a quarter. Simulate a scenario: “We lost yesterday’s data. Can we get it back within our RTO?” If the answer is no, adjust your backup strategy until it is yes.
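The checks described in the three principles and in the test-restore section can be scripted so they run on a schedule instead of relying on someone remembering to look. The script below is an added example written for this article, not tooling from the article's author or from any backup product. It keeps an inventory of the copies of one data set (constructed sample values), flags 3-2-1 violations, flags any backup whose last successful run is older than the RPO, and performs a timed, checksum-verified restore of a file so the drill also proves the restored data is intact rather than merely present. Tier names, media labels, dates and the sample file are all assumptions.

```python
# Backup posture check (added example; the inventory, dates and sample file are constructed).
# Three checks the article asks for: 3-2-1 coverage, backup freshness against the RPO,
# and a timed, checksum-verified restore drill measured against the RTO.
from __future__ import annotations

import hashlib
import shutil
import tempfile
import time
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Backup frequency per data tier, taken from the article's "Define what matters most".
TIER_RPO = {"critical": timedelta(days=1), "important": timedelta(weeks=1), "useful": timedelta(days=30)}


@dataclass
class Copy:
    """One copy of a data set: the working copy or a backup of it."""
    name: str
    medium: str                 # storage type, e.g. "cloud-saas", "nas", "cloud-backup"
    offsite: bool               # stored away from the primary systems
    independent: bool           # a deletion or encryption of the working copy cannot propagate here
    last_success: datetime | None  # None for the working copy itself


def check_3_2_1(copies: list[Copy]) -> list[str]:
    """Return 3-2-1 rule violations for one data set (empty list means compliant)."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    if len({c.medium for c in copies}) < 2:
        findings.append("all copies on one type of storage, need 2")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    # A synced folder mirrors deletions and ransomware damage, so it is not a backup.
    if not any(c.independent for c in copies if c.last_success is not None):
        findings.append("no independent backup copy (sync is not backup)")
    return findings


def check_rpo(copies: list[Copy], rpo: timedelta, now: datetime) -> list[str]:
    """Flag backup copies whose last successful run is older than the RPO."""
    findings = []
    for c in copies:
        if c.last_success is not None and now - c.last_success > rpo:
            findings.append(f"{c.name}: last success {now - c.last_success} ago, exceeds RPO {rpo}")
    return findings


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def restore_drill(backup_file: Path, expected_sha256: str, restore_dir: Path, rto: timedelta) -> tuple[bool, float]:
    """Restore one file from the backup location, verify its checksum and time the operation.

    Returns (passed, seconds); passed requires both an intact checksum and completion within the RTO.
    """
    start = time.monotonic()
    restored = restore_dir / backup_file.name
    shutil.copy2(backup_file, restored)
    elapsed = time.monotonic() - start
    intact = sha256(restored) == expected_sha256
    return intact and elapsed <= rto.total_seconds(), elapsed


def drill_demo(rto: timedelta = timedelta(hours=4)) -> tuple[bool, bool]:
    """Constructed drill on a temp directory. Returns (clean restore passed, corrupted restore passed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "backup").mkdir()
        (root / "restore").mkdir()
        backup_file = root / "backup" / "clients.csv"
        backup_file.write_text("id,name\n1,Example Ltd\n")  # constructed sample data
        clean_ok, _ = restore_drill(backup_file, sha256(backup_file), root / "restore", rto)
        # Same restore checked against a wrong recorded hash: a drill that only confirms
        # "the file came back" would miss a corrupted or partial backup.
        corrupt_ok, _ = restore_drill(backup_file, "0" * 64, root / "restore", rto)
        return clean_ok, corrupt_ok


# Constructed inventory for the critical tier: working copy, local NAS, independent cloud backup.
NOW = datetime(2025, 6, 10, 9, 0, tzinfo=timezone.utc)
CRITICAL_COPIES = [
    Copy("Microsoft 365 working copy", "cloud-saas", False, False, None),
    Copy("Office NAS nightly backup", "nas", False, True, datetime(2025, 6, 10, 2, 0, tzinfo=timezone.utc)),
    Copy("Cloud backup (separate vendor)", "cloud-backup", True, True, datetime(2025, 6, 7, 2, 0, tzinfo=timezone.utc)),
]
# The "it syncs to the cloud" setup from the article: only a synced laptop folder alongside the working copy.
SYNC_ONLY_COPIES = [
    Copy("Microsoft 365 working copy", "cloud-saas", False, False, None),
    Copy("OneDrive sync folder on laptop", "laptop-disk", False, False, NOW),
]

if __name__ == "__main__":
    print("3-2-1 (critical):", check_3_2_1(CRITICAL_COPIES) or "compliant")
    print("3-2-1 (sync only):", check_3_2_1(SYNC_ONLY_COPIES))
    print("RPO (critical):", check_rpo(CRITICAL_COPIES, TIER_RPO["critical"], NOW) or "all fresh")
    print("Drill (clean, corrupted):", drill_demo())
```

Run with `python backup_check.py`. On the constructed inventory the critical tier passes 3-2-1 but the cloud backup has not succeeded for three days, which is exactly the "stopped running weeks ago" failure the article warns about and the kind of condition that should page someone the day it happens. The sync-only inventory fails on copy count, off-site storage and independence, which is the gap behind "it backs up to the cloud".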
Train Your Team
Your employees are both your biggest risk and your first line of defence. With 85% of cyber attacks starting with phishing (DSIT 2025), training your team to recognise threats is as important as any technical control.
Every team member should know:
- Where and how to save files so they are captured by backup
- Who to contact if they suspect a security incident
- What not to do: clicking links in unexpected emails, using personal USB drives, sharing passwords
How This Works Alongside Your Existing IT
If you already have an IT provider managing day-to-day support, backup strategy and disaster recovery testing are exactly the kind of specialist layer they may not have in place. We work alongside existing IT teams, handling the backup architecture, testing, and recovery planning while your provider continues with business-as-usual support.
What To Do Next
The cost of a proper backup and recovery plan is a fraction of the cost of losing your data. For most small businesses, the gap between what they have and what they need is configuration and testing, not expensive new systems.
Here is how we help:
- Cyber Risk Check – We assess your current backup, email security, and recovery posture. You get a clear report showing exactly where the gaps are and what to fix first.
- H-Protect Standard (from GBP 55/user/month) – Includes cloud backup for Microsoft 365, endpoint protection, credential breach monitoring, and quarterly vulnerability scanning.
- H-Protect Complete (from GBP 89/user/month) – Adds 24/7 security operations centre monitoring, continuous vulnerability management, and security awareness training.
Book your Cyber Risk Check or call 0151 452 3060. We are based in Liverpool and work with businesses across the North West.