Every small business owner I've worked with has backups. Far fewer have backups that actually work when they're needed. The gap between those two states is where most ransomware payments happen. A good backup strategy is not expensive - it just needs to be intentional.

The 3-2-1 rule

The industry standard for backup design is simple and worth memorizing:

  • 3 total copies of your data
  • 2 different types of storage media
  • 1 copy stored off-site

For most SMBs this looks like the live data on a workstation or server, a local backup on a NAS or external drive, and a cloud backup with a provider like Backblaze, Wasabi, or Microsoft 365 backup.

Immutable backups matter more than ever

Modern ransomware doesn't just encrypt your files - it hunts down and deletes your backups first. That's why immutable backups have become critical. An immutable backup cannot be modified or deleted for a set retention period, even by an administrator. Most reputable cloud backup providers offer this feature, sometimes called object lock or WORM (write once, read many).

If your current backup solution allows an attacker with admin credentials to wipe your recovery data, it is not a backup - it is a liability.

Test your restores

A backup you have not tested is a wish, not a plan. Schedule quarterly restore tests where you actually pull a file, a folder, or an entire virtual machine from backup and verify it works. The most common failures we see are silent - the backup job ran successfully every night for two years, but nobody ever tried to open a file until the day they needed to.

What to protect

SMBs often over-focus on servers and forget the rest:

  • Microsoft 365 or Google Workspace - Microsoft and Google do not backup your mailboxes and drives in a way that helps you recover from ransomware or accidental deletion after 30 days. Use a third-party backup.
  • Endpoints - laptops with local project files, especially for creative or engineering teams.
  • SaaS tools - your CRM, accounting system, and any other cloud tool that holds your operational data.

Key takeaways

  • Follow the 3-2-1 rule: three copies, two media types, one off-site.
  • Use immutable backups to survive a ransomware attack that reaches your admin accounts.
  • Test restores quarterly - a backup you can't restore is not a backup.
  • Back up your SaaS tools, not just your servers.