
“I back everything up to the cloud, so I’m safe… right?”

If that sentence sounds familiar, you’re not alone. Many business owners do the “right” thing by using cloud backups—and still feel uneasy. That unease is justified. Modern ransomware doesn’t just lock up your files and demand money. It actively looks for your backups and tries to encrypt or delete those too.

So the real question isn’t whether you back up your data. It’s whether your backups can survive an attack.

This article explains, in plain English, how ransomware targets backups, why cloud backups alone aren’t enough, and what you can do—realistically—to protect your data and recover without paying a ransom.

How Ransomware Actually Goes After Your Backups

Ransomware today is strategic. Once attackers get into a system, they don’t immediately pull the trigger. They look around first.

What are they searching for?

  • Network-connected backup drives
  • Backup software dashboards
  • Cloud storage tied to the same login credentials
  • Admin accounts with permission to delete or overwrite backups

(They look for other things, too, such as your cyber insurance policy coverage, but we’ll just focus on backups right now.)

If your backup system is always online and accessible with the same credentials as your regular systems, ransomware can often reach it. And if it can reach it, it can usually encrypt it—or erase it entirely.

This is why some businesses discover, too late, that their “secure” cloud backups are unusable after an attack.

Key idea: Backups that are easy for you to access are often easy for attackers to access too.

Why “Cloud Backup” by Itself Isn’t a Strategy

Cloud backup is a tool, not a strategy.

Many people assume:

  • “My cloud provider will protect my data.”
  • “It’s encrypted, so ransomware can’t touch it.”
  • “The cloud automatically means offsite and safe.”

Here’s the reality: cloud providers protect their infrastructure. You are still responsible for how your backups are configured, who can access them, and how long versions are kept.

If an attacker compromises your admin account, they may be able to:

  • Delete backups
  • Encrypt backups
  • Disable version history
  • Shorten retention periods

This isn’t a failure of the cloud. It’s a reminder that backup design matters more than backup location.

The 3-2-1 Backup Rule (Still the Gold Standard)

Security professionals keep coming back to the same principle because it works: the 3-2-1 backup rule.

It means:

  • 3 copies of your data
  • 2 different types of storage
  • 1 copy that’s offsite or disconnected

This rule wasn’t designed only for ransomware. It protects against hardware failure, accidental deletion, natural disasters, and human error. Ransomware just makes it more urgent.

In practical small-business terms, this might look like:

  • Your working files (the original data)
  • A cloud backup
  • One additional copy that’s either “immutable” (unchangeable) or disconnected from your network

If ransomware takes out one or even two of those copies, the third should still be recoverable.

The Most Important Upgrade: Immutable Backups

Here’s the concept that changes everything: immutability.

An immutable backup is one that cannot be changed, encrypted, or deleted for a set period of time—even by administrators.

Think of it like a time-locked vault. Once data is written, it’s frozen until the lock expires.

Why this matters:

  • Ransomware relies on being able to modify or erase data
  • Stolen credentials don’t help attackers if backups are locked
  • Even accidental deletions can’t destroy immutable backups

Many cloud platforms now support immutability features, such as object locking or write-once storage. These features are powerful precisely because they remove control—even from trusted users.

That loss of flexibility is the point.

When backups are immutable, ransomware can’t “finish the job.”

Air-Gapped Backups: Old-School, Still Effective

Immutability is powerful, but there’s another concept worth understanding: air-gapped backups.

An air-gapped backup is fully disconnected from your network. If there’s no connection, ransomware can’t reach it.

Examples include:

  • An external drive that’s only connected during backups
  • A backup system that syncs, then disconnects automatically
  • Offline storage kept in a secure location

Air-gapped backups are less convenient. They require more discipline. But they are extremely resistant to ransomware.

Think of them as your last-resort parachute. You hope you never need it—but if everything else fails, it’s there.

What Actually Needs to Be Backed Up (and What Doesn’t)

This is one of those questions where the right answer depends on how your business actually works—not on what security people wish everyone did.

Here’s how to think about what to back up, in plain language, without overengineering it.

Start with the business question (not the tech one)

Ask yourself:

“If this disappeared tomorrow, would my business stop or seriously suffer?”

Anything that makes the answer “yes” belongs in a backup.

From there, most backups fall into four practical categories.

1. Files (almost everyone needs this)

Examples

  • Documents
  • Spreadsheets
  • PDFs
  • Photos, videos, design files
  • Contracts, proposals, client work

Who this covers

  • Solopreneurs
  • Coaches, consultants, creatives
  • Most service-based businesses

What this looks like in practice

  • Backing up:
    • Your Documents/Desktop folders
    • Shared team drives
    • Cloud storage folders (depending on the tool)
  • Using version history so you can recover older copies

Common mistake

Assuming cloud apps “just handle this.” Many do—but retention is limited, and deletions often sync everywhere.

2. Databases (when your data lives inside software)

Examples

  • Customer records
  • Appointment systems
  • Membership platforms
  • Accounting databases
  • CRM data

Who this covers

  • Businesses using:
    • Self-hosted tools
    • Local accounting software
    • Custom or industry-specific systems

What’s different about databases

  • You usually don’t back them up by “grabbing files”
  • Backups often require:
    • Built-in export tools
    • Scheduled database backups
    • Vendor-supported backup options

Important distinction
If your software is SaaS (web-based), you may not control the database backups—but you should still:

  • Export critical data periodically
  • Confirm retention and recovery options

(Some SaaS vendors do offer customer-initiated restores or extended retention—but often at higher tiers or with limitations.)

3. Entire devices (image-based backups)

Examples

  • Laptops
  • Desktops
  • On-prem servers

Who this is most useful for

  • People with:
    • Local apps
    • Complex setups
    • Lots of custom configurations
  • Businesses where downtime is expensive

What an “entire device” backup includes

  • Files
  • Operating system
  • Installed software
  • Settings and configurations

Why people do this

  • Faster recovery after:
    • Ransomware
    • Hardware failure
    • Stolen or destroyed devices

Tradeoff

  • Uses more storage
  • Restores are heavier
  • Overkill for some file-only workflows

Tools like Acronis support full-image backups for this reason.

4. Cloud app data (the most misunderstood category)

Examples

  • Email
  • Cloud storage
  • Project management tools
  • Calendars and contacts

The misconception

“I use the cloud, so it’s backed up.”

The reality

  • Many cloud apps focus on uptime, not recovery
  • Deleted data may be unrecoverable after a short window
  • Ransomware can encrypt files and upload them back to the cloud

Some backup tools (like Backblaze or SaaS-specific backup services) exist specifically to cover this gap.

How people usually combine these

Files only

  • Local files + cloud copies
  • Good for:
    • Solopreneurs
    • Simple workflows
  • Risk:
    • Slow rebuild if a device is lost

Files + cloud app exports

  • Files backed up automatically
  • Periodic exports from key platforms
  • Very common and very practical

Full device + files

  • Image-based backups for machines
  • File-level backups for quick restores
  • Common in small teams with local software

Everything critical, nothing unnecessary

  • Back up what stops the business
  • Skip:
    • Apps you can reinstall
    • Data that’s easily recreated

This last one is what most experts actually recommend—even if they don’t always say it clearly.

What you usually do not need to back up

This surprises people:

  • Operating systems (if you have full-device backups)
  • Applications you can reinstall
  • Temporary files
  • Cached data
  • Content that lives entirely inside well-managed SaaS tools (unless you need long-term retention)

A simple rule that works

Back up data. Rebuild software.

Unless rebuilding software would be painful, slow, or business-ending—in which case, back up the whole device.

The Step Almost Everyone Skips: Testing Restores

Here’s the uncomfortable truth: untested backups are just a comforting story.

Many businesses don’t discover problems until they try to restore data during an actual incident. Common surprises include:

  • Files that won’t open
  • Missing folders
  • Corrupted databases
  • Restore processes that take days instead of hours

Backup success is not “the job ran.”

Backup success is “I restored what I needed, when I needed it.”

That’s why experts consistently recommend testing restores on a schedule—quarterly for most small businesses is realistic.

A test doesn’t have to be dramatic. It can be as simple as:

  • Restoring a few files
  • Confirming permissions and access
  • Timing how long recovery actually takes

Businesses that test their backups recover faster, spend less, and avoid panic-driven decisions.

But… How Exactly Do I Test the Backups?

It’s one thing to say “back up and test.” But how, and where? The files, or the whole device? To a test laptop? A folder? Let’s take a look at your options.

The simplest (and most common): restore to a folder

Best for: solopreneurs, small teams, file-based work (documents, PDFs, photos, spreadsheets)

How it works

  • Pick a few files you know matter
  • Restore them from your backup
  • Put them in:
    • A new folder on your laptop (e.g. Backup Test – March 2026)
    • Or a test folder on a shared drive
  • Open the files and confirm:
    • They open correctly
    • They’re the right versions
    • Nothing is missing

What this tells you

  • The backup actually exists
  • You can access it
  • The files aren’t corrupted
  • You understand the restore process

What it doesn’t test

  • Full system recovery
  • Apps, databases, or permissions

For many small businesses, this alone is already better than what they’re doing now.
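A simple way to make the “restore to a folder” test objective is to record a hash of the chosen files at backup time and compare the restored copies against it, so “they’re the right versions” and “nothing is missing” become a checklist rather than a feeling. This is an added example, not code from the article or from any backup vendor; the file names, folder layout and the damaged-restore scenario in demo() are constructed for illustration.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(source_dir, manifest_path, relative_files):
    """At backup time: record the hash of each file you will later test-restore."""
    entries = {rel: sha256_of(source_dir / rel) for rel in relative_files}
    manifest_path.write_text(json.dumps(entries, indent=2))
    return entries


def verify_restore(restore_dir, manifest_path):
    """After restoring into a scratch folder: report what is missing or altered,
    and how long the check took, so both can be written down with the test."""
    expected = json.loads(manifest_path.read_text())
    start = time.monotonic()
    missing = [rel for rel in expected if not (restore_dir / rel).is_file()]
    corrupted = [rel for rel in expected if rel not in missing
                 and sha256_of(restore_dir / rel) != expected[rel]]
    return {"checked": len(expected), "missing": missing, "corrupted": corrupted,
            "ok": not missing and not corrupted,
            "seconds": round(time.monotonic() - start, 3)}


def demo():
    """Constructed scenario: three files are backed up, then 'restored' with one
    file absent and one silently altered, as a damaged backup might come back."""
    work = Path(tempfile.mkdtemp())
    src, restored = work / "live", work / "Backup Test - March 2026"
    files = {"contracts/acme.pdf": b"%PDF-1.4 acme", "invoices/q1.xlsx": b"PK q1",
             "notes.txt": b"renewal dates"}
    for rel, data in files.items():
        (src / rel).parent.mkdir(parents=True, exist_ok=True)
        (src / rel).write_bytes(data)
    manifest = work / "manifest.json"
    write_manifest(src, manifest, list(files))
    for rel, data in files.items():
        if rel == "notes.txt":
            continue  # simulate a file the restore never brings back
        (restored / rel).parent.mkdir(parents=True, exist_ok=True)
        (restored / rel).write_bytes(data if rel != "invoices/q1.xlsx" else data + b" altered")
    return verify_restore(restored, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest somewhere the backup job cannot overwrite, otherwise a corrupted backup and a corrupted manifest will agree with each other.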

Slightly more advanced: restore to a different location or account

Best for: teams, shared systems, cloud-based environments

How it works

  • Restore data to:
    • A different folder
    • A different cloud location
    • A non-production account
  • Keep it separate from live work so nothing gets overwritten

Why people do this

  • Avoids accidentally replacing good data
  • Lets you confirm:
    • Folder structure
    • File permissions
    • Access control

This is common with cloud storage and managed backup tools, where “restore to alternate location” is a built-in option.

Extra machine or “spare laptop” testing

Best for: businesses with:

  • A server
  • Line-of-business software
  • Local applications
  • Compliance requirements

How it works

  • Use:
    • An old laptop
    • A spare desktop
    • A temporary virtual machine (VM)
  • Restore:
    • An image backup
    • Or a full system backup
  • Boot it up and confirm:
    • The system starts
    • Apps open
    • Data is there

This does not have to be fancy or permanent. Many people:

  • Borrow a machine
  • Reuse old hardware
  • Spin up a temporary VM, test, then delete it

This approach is often used with platforms like Acronis, which support “test restores” without touching live systems.

Virtual machines: common in IT, optional for small businesses

Best for: IT-managed environments, hybrid teams, regulated industries

How it works

  • Restore a backup into a virtual machine
  • Test without affecting production systems
  • Shut it down when done

Why IT teams like this

  • No risk to live data
  • Repeatable
  • Fast

Why most small businesses don’t need it

  • Extra complexity
  • Extra cost
  • Overkill for file-based work

If you’re mostly using cloud apps and files, you can safely skip this.

What you’re really testing (no matter where)

No matter where you restore, you’re answering the same questions:

  • Can I access my backups?
  • Can I restore them without panic?
  • Do the files work?
  • How long does it take?
  • What steps would I need in a real emergency?

If you can confidently answer those, your test was successful.

How often people actually test

Real-world norms (not idealized IT advice):

  • Files-only businesses: every 3–6 months
  • Mixed systems (files + apps): quarterly
  • After major changes: new software, new computer, new backup tool

Testing once a year is better than never. Testing quarterly is excellent.

What a Solid, Ransomware-Resistant Setup Looks Like

You don’t need enterprise complexity to do this well. A strong setup usually includes:

  • A cloud backup with version history
  • At least one immutable backup copy
  • One backup that is disconnected or not always online
  • Separate admin credentials for backups
  • Restore testing on a regular schedule

Some businesses use platforms that combine backup and security features, such as Acronis Cyber Protect Cloud, which includes backup, encryption, and ransomware protection in one system. Others use simpler tools like Backblaze for automated, encrypted backups and then add immutability or offline copies on top.

At a cloud-storage level, services such as Amazon Web Services S3 Object Lock or Microsoft Azure Immutable Blobs provide immutability when configured correctly.
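To show what “configured correctly” means for S3 Object Lock, and to make concrete the immutability property described earlier (locked even against administrators), here is an added shell example that is not from the article or from AWS. It assumes the AWS CLI is installed and authenticated; the bucket name, region, object key and version id are placeholders you pass in, and nothing talks to AWS until you call the functions.

```shell
#!/bin/sh
# Build the Object Lock configuration document for a backup bucket.
# COMPLIANCE mode: no account, including the root user, can delete or
# overwrite a locked object version, or shorten its retention, before the
# period expires. GOVERNANCE mode would let anyone holding the
# s3:BypassGovernanceRetention permission remove the lock, which gives a
# stolen admin credential exactly the power the article warns about.
lock_config_json() {
  days="$1"
  printf '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":%s}}}' "$days"
}

# Create the bucket with Object Lock and apply the default retention.
# Object Lock can only be switched on at bucket creation, and it forces
# versioning on, which is what lets an older version survive an overwrite.
enable_immutable_bucket() {
  bucket="$1"; region="$2"; days="$3"
  # Note: in us-east-1 the --create-bucket-configuration flag must be omitted.
  aws s3api create-bucket --bucket "$bucket" --region "$region" \
      --create-bucket-configuration LocationConstraint="$region" \
      --object-lock-enabled-for-bucket
  aws s3api put-object-lock-configuration --bucket "$bucket" \
      --object-lock-configuration "$(lock_config_json "$days")"
  # Read the setting back; a backup job should refuse to run if the
  # mode reported here is not COMPLIANCE.
  aws s3api get-object-lock-configuration --bucket "$bucket"
}

# Quarterly check: a delete of a specific locked version must be refused.
# A delete without --version-id only adds a delete marker on a versioned
# bucket and "succeeds", so it proves nothing about immutability.
expect_delete_refused() {
  bucket="$1"; key="$2"; version_id="$3"
  if aws s3api delete-object --bucket "$bucket" --key "$key" \
       --version-id "$version_id" >/dev/null 2>&1; then
    echo "FAIL: locked version was deleted"; return 1
  fi
  echo "OK: delete refused while the lock holds"
}
```

Pair this with a separate IAM identity used only by the backup job, so the credentials your staff use day to day cannot even list the bucket.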

The tools matter less than the structure. Automation helps, but design is what keeps backups alive.

Backups Are About Recovery, Not Perfection

You don’t need to outsmart ransomware. You need to outlast it.

Ransomware succeeds when businesses have no good recovery options. When backups are protected, tested, and accessible under pressure, the power shifts back to you.

Backing up your data is step one.

Designing backups that survive an attack is what turns backups into a real safety net.

The goal isn’t perfection.

It’s knowing that if the worst happens, you can recover—and keep your business moving forward.

If ransomware hit today, do you know which backup you would restore first?


What Should I Back Up?

A Simple Decision Tree for Small Businesses

Start at the top and follow the YES / NO path.

1. If this data disappeared tomorrow, would your business stop or be seriously disrupted?

NO → You probably don’t need to back it up (Examples: test files, old drafts, temporary downloads)

YES → Go to Question 2

2. Is the data something you created or can’t easily recreate?

Examples:

  • Client work
  • Contracts
  • Financial records
  • Photos, videos, designs
  • Custom templates
  • Research or notes

NO → You may not need a backup (Examples: apps you can reinstall, stock images you can re-download)

YES → Back up the files.
✔ File-level backups
✔ Version history enabled
✔ Protected from ransomware

Then go to Question 3.

3. Does this data live inside software rather than as normal files?

Examples:

  • Accounting systems
  • CRMs
  • Appointment systems
  • Membership platforms
  • Databases

NO → Skip to Question 4

YES → Go to Question 3a

3a. Is the software web-based (SaaS), like “log in through a browser”?

YES
✔ Check the platform’s retention policy
✔ Export critical data on a schedule
✔ Back up exports if possible
(You usually can’t back up the underlying database directly.)

NO (installed locally or self-hosted)
✔ Back up the database itself
✔ Or back up the entire device/server

Then continue to Question 4.

4. If your computer was stolen, destroyed, or encrypted, would rebuilding it be painful or slow?

Think about:

  • Specialized software
  • Custom configurations
  • Local-only apps
  • Time pressure to get back to work

NO
✔ File backups are probably enough
✔ You can reinstall software if needed

YES
✔ Back up the entire device (image-based backup)
✔ This includes files, apps, and settings

Then go to Question 5.

5. Do multiple people rely on this data to keep the business running?

Examples:

  • Shared drives
  • Team systems
  • Client-facing tools

NO
✔ Personal backups may be sufficient
✔ Still protect against ransomware

YES
✔ Centralized backups
✔ Access controls
✔ Restore testing is critical

6. Could ransomware realistically reach this data?

Ask:

  • Is it always connected to the internet?
  • Is it accessible with your main login?
  • Does deleting it delete all copies?

NO → You’re in good shape (Still test restores.)

YES
✔ Add immutability (can’t be changed or deleted)
✔ Add air-gapped or disconnected backup
✔ Separate backup credentials from daily use

Where most people land (and that’s okay)

Most small businesses end up with:

  • File backups (non-negotiable)
  • Cloud + one protected copy
  • Optional full-device backups
  • Not everything backed up—and that’s intentional

You generally do not need to back up:

  • Operating systems you can reinstall
  • Apps you can re-download
  • Temporary or duplicate data

The guiding principle to remember

Back up what would hurt to lose.
Protect what ransomware would target.
Test what you expect to save you.