“We have backups.” Good. But has anyone checked them?
In over 15 years of audits, “do you have backups?” has nearly always drawn the same answer: “yes, we do.” It’s the second question that separates the companies that are genuinely calm from the ones that only think they are: when did you last try to recover something from them? That’s usually where the silence sets in.
The backup that exists only in theory
The pattern repeats so often that we can tell it in advance. Someone, a former employee, a company that handled things at some point, “the IT guy,” set up a backup once. On an external drive, on a NAS in a closet, somewhere. Ever since, everyone sleeps soundly, because “we have backups.” Meanwhile the disk has filled up, the schedule stopped after an update, or the copies run on empty against folders that no longer hold anything important. Nobody looks, because nobody has a reason to look. A backup, by its nature, is the thing you only look at once it’s too late.
This isn’t a story meant to scare anyone: it’s the average case. An unverified backup isn’t a backup, it’s a hope, and the difference between the two always reveals itself at the worst possible moment.
What a verified backup actually means
Verified means one thing only: someone took the copy and actually recovered from it, a file, a folder, ideally a full test restore, and confirmed the data was there, intact and usable. Not “the job ran,” not “there’s a green check”: recovered, opened, working. That verification has to be scheduled and logged, not left to inspiration, because the things left to inspiration are precisely the ones that never happen.
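One way to script that check, as an added example that is not part of the original article: a Python sketch that compares a test restore against SHA-256 hashes recorded at backup time and appends a dated result to a log. The function names, log format and sample files are assumptions constructed for illustration.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root, recorded at backup time."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root, log_path):
    """Check a test restore against the manifest and append a dated result to the log.
    An empty manifest (a job that copies nothing) counts as a failure."""
    restored_root = Path(restored_root)
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != expected:
            corrupted.append(rel)
    result = {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files_expected": len(manifest),
        "missing": missing,
        "corrupted": corrupted,
        "ok": bool(manifest) and not missing and not corrupted,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(result) + "\n")
    return result

def demo():
    """Constructed sample data: one clean restore, then one with damage."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored, log = Path(tmp, "src"), Path(tmp, "restored"), Path(tmp, "tests.log")
        for d in (src, restored):
            (d / "invoices").mkdir(parents=True)
            (d / "invoices" / "2024.csv").write_text("id,total\n1,100\n")
            (d / "clients.txt").write_text("Acme\n")
        manifest = build_manifest(src)
        good = verify_restore(manifest, restored, log)
        (restored / "clients.txt").write_text("")       # truncated copy
        (restored / "invoices" / "2024.csv").unlink()   # file that never came back
        bad = verify_restore(manifest, restored, log)
        return good, bad, len(log.read_text().splitlines())
```

Calling `demo()` runs both cases on throwaway files; in practice the manifest would be written next to each backup and `verify_restore` run on a schedule against a scratch restore.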
Two more details matter, and we check them on every audit. First, where the copy lives: if the backup sits on the same server or the same network as the data it protects, a single incident takes both. A copy in the cloud, separated from the office network, solves exactly that, and in our offering it is €30 a month for 500 GB, just to give you an order of magnitude. Second, who knows about it: if all the knowledge of the backup walks out the door with one person, the company doesn’t have a backup, it has a dependency.
Ransomware: the day plan B becomes plan A
A lot gets written about ransomware, but for a small company it all comes down to a single sentence: on the day your data is encrypted, a verified backup is the difference between a bad weekend and a lost month. Attackers who encrypt data go looking for the backups too, which is exactly why a separate copy matters, one kept off the network where they can’t reach it.
And there’s one more detail few people think about beforehand: how many hours (or days) you sit idle until we recover your data. A full restore doesn’t happen in an hour, and if no one has ever done one as a test, no one knows whether we’re talking about a day or a week. At the companies where it’s been tested even once, that dark day has a known script. At the rest, it has only improvisation.
What you can check tomorrow morning, in ten minutes
Three questions, to put to whoever handles your IT, employee, company, friend: when did the last backup run, and how do we know? When was something last recovered from it as a test? And if the office loses its server tomorrow, fire, theft, encryption, where do we get the data back from, and how long does it take? Anyone who answers all three clearly sleeps soundly, and rightly so.
If any of the answers starts with “well…,” that’s where you start. Our free audit goes through all three, plus access, updates, and the rest of the security hygiene, and leaves you a written report of what we found. No alarmism: just the list, in black and white, with what needs doing.