_Part 9 of 12 in the Cyber security for the small business series._

Backups are your insurance against the worst outcomes. Ransomware encrypts your files? Restore from backup. A laptop is stolen? Restore from backup. Someone accidentally deletes a critical folder? Restore from backup. A fire destroys your office? Restore from backup. No other single measure provides such comprehensive protection against such a wide range of threats.

And yet backups are one of the areas where small businesses are most consistently let down — not because they do not have backups, but because their backups do not work when they need them.

The 3-2-1 rule

The gold standard for backup strategy is the 3-2-1 rule:

3 copies of your data — the original and two backups.

2 different types of storage media — for example, a local external drive and a cloud service.

1 copy stored offsite — physically separate from your premises, or in the cloud.

This protects against a wide range of failure scenarios. If your external drive fails, you have the cloud copy. If your cloud provider has an outage, you have the local copy. If your office floods, the offsite copy is safe. If ransomware reaches your network, the offsite copy survives, provided it is not simply another network share the malware can reach (the section on protecting backups from ransomware below covers this).

The 3-2-1 rule is old enough that it predates the cloud, but it has aged well. Modern interpretations sometimes extend it to 3-2-1-1-0: one of the copies is kept offline or immutable, and restores are verified with zero errors. That is worth going to if you can, but 3-2-1 is the minimum that defeats most threats.

What to back up

At a minimum, back up everything that your business cannot easily recreate:

Documents and files — financial records, contracts, customer information, project files, templates, correspondence.

Email — if you use Microsoft 365 or Google Workspace, your emails are stored in the cloud, but consider whether you also need an independent backup. Cloud services have their own data loss scenarios (accidental deletion, account compromise, retention policy mishaps). Products like Backupify and SkyKick exist precisely for this.

Databases — your accounting system, CRM, website database, or any other structured data store. Confirm that your cloud accounting provider (Xero, QuickBooks, Sage) lets you export a full backup, and run that export monthly.

Configuration and settings — website configurations, software licence keys, network settings. These are time-consuming to recreate from scratch and easy to overlook.

What you do not need to back up: things you can easily reinstall. Your operating system, your applications, your browser. The list of what is installed where is worth recording; the binaries themselves are not.

Testing your backups

A backup that has never been tested is not a backup. It is a hope.

Regularly testing your ability to restore from backups is critically important. At least quarterly, select a sample of files and verify that you can restore them completely. At least annually, test a full restoration of your critical systems.

Testing also reveals practical issues: how long does restoration actually take? Does everyone know how to initiate a restore? Are the backup instructions written down somewhere accessible (and not only on the system being restored — a remarkably common mistake)?

Put two recurring entries in the calendar: "backup test: sample files" every quarter, and "backup test: full restore" every year. Without the calendar entry, it will not happen.

Protecting backups from ransomware

Modern ransomware specifically seeks out and encrypts backups. If your backup drive is permanently connected to your network, it will likely be encrypted alongside everything else. To protect against this:

Keep at least one backup disconnected. An external drive that is only connected during the backup process and then physically disconnected (and ideally stored offsite: in a drawer at a colleague's home, or in a fireproof safe) is out of reach of network-based ransomware for as long as it is unplugged. This is called an air gap, and it is the single most effective defence against ransomware destroying your backups. The drive is exposed during the minutes it is attached, so rotate at least two drives so one is always disconnected, and never plug one into a machine you suspect is already infected.

Use immutable cloud backups. Some cloud backup services offer immutable storage: once data is written, it cannot be modified or deleted for a defined period, even by the account owner. This prevents ransomware from destroying your cloud backups even if it has your cloud credentials. Backblaze B2, AWS S3 (with Object Lock) and Microsoft Azure Blob Storage (with immutability policies) all support this. Check which mode you have enabled: each of these offers a weaker setting in which a sufficiently privileged administrator can lift the lock early, and an attacker holding admin credentials can do the same, so choose the locked (on S3 and B2, "compliance") setting and a retention period longer than the time it might take you to notice a breach.

Use a separate account for backup administration. The credentials used to manage your backups should not be the same as those used for day-to-day work. If an attacker compromises a staff member's account, they should not automatically have access to the backup system. MFA on the backup account, please.

A working pattern for a 10-person business

A reasonable backup posture for a typical small business looks like:

That is 3-2-1. It is not expensive. It would save the business in the bad scenarios.

What September looks like

Three things:

Confirm where your data lives. If you cannot list every place your business-critical data is stored, that is the first piece of work.

Set up the offsite copy if you do not have one. The cheapest way is a £5/user/month cloud backup service pointed at your existing cloud storage.

Test a restore. Pick a single file from last month, set a copy aside somewhere safe, delete the original deliberately, and restore it from backup. If you cannot, you have just discovered something important.
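The quarterly sample test described earlier and the single-file restore in this month's list come down to the same check: take files out of the backup, put them somewhere other than the live location, and compare them byte for byte with what you expect. The script below is an added example, not code from the original article. It assumes (hypothetically) that the backup is a plain file tree mirroring the live data, such as a rotated external drive or a mounted cloud backup folder; for any other tool, replace restore_file() with that tool's own restore command. The live and backup trees it builds are constructed for the demonstration and are not real business files.

```python
"""Sample-restore test: pick random files, restore them from the backup into a
scratch directory, and check each one against the live copy.
Added example, not from the original article. Assumes (hypothetically) that
the backup is a plain file tree mirroring the live data."""
import hashlib
import random
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sample_files(live_root: Path, count: int, rng: random.Random) -> List[Path]:
    """Pick up to `count` random files, as paths relative to live_root."""
    candidates = sorted(p.relative_to(live_root) for p in live_root.rglob("*") if p.is_file())
    return rng.sample(candidates, min(count, len(candidates)))


def restore_file(backup_root: Path, rel: Path, dest_root: Path) -> Optional[Path]:
    """Restore one file from the backup into dest_root. Returns None if the
    backup has no copy at all (a finding in itself: it was never backed up)."""
    src = backup_root / rel
    if not src.is_file():
        return None
    dest = dest_root / rel
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(src, dest)  # copy2 keeps the backup's timestamps for inspection
    return dest


def restore_test(live_root: Path, backup_root: Path,
                 sample_size: int = 5, seed: Optional[int] = None) -> Dict[str, List[str]]:
    """Classify each sampled file: ok (restored copy matches live), missing
    (not in the backup), mismatch (stale backup, or the live file changed
    since the last run; the restored copy's timestamp tells the two apart)."""
    rng = random.Random(seed)
    results: Dict[str, List[str]] = {"ok": [], "missing": [], "mismatch": []}
    with tempfile.TemporaryDirectory() as scratch:  # never restore over live data
        scratch_root = Path(scratch)
        for rel in sample_files(live_root, sample_size, rng):
            restored = restore_file(backup_root, rel, scratch_root)
            if restored is None:
                results["missing"].append(rel.as_posix())
            elif sha256_of(restored) != sha256_of(live_root / rel):
                results["mismatch"].append(rel.as_posix())
            else:
                results["ok"].append(rel.as_posix())
    for key in results:
        results[key].sort()
    return results


def build_demo(root: Path):
    """Constructed sample data: a live tree and a backup tree in which one
    file was never backed up and one copy is stale."""
    live, backup = root / "live", root / "backup"
    files = {
        "accounts/2024-q1.csv": "date,amount\n2024-01-05,120.00\n",
        "accounts/invoice-0042.txt": "Invoice 42: 450.00 GBP (corrected)\n",
        "contracts/acme.txt": "Services agreement with Acme Ltd\n",
        "policies/backup-policy.txt": "3-2-1: three copies, two media, one offsite\n",
    }
    for rel, text in files.items():
        for base in (live, backup):
            path = base / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
    # The backup predates a correction to the invoice, and the policies folder
    # is one the backup job does not cover.
    (backup / "accounts/invoice-0042.txt").write_text("Invoice 42: 400.00 GBP\n")
    (backup / "policies/backup-policy.txt").unlink()
    return live, backup


def run_demo() -> Dict[str, List[str]]:
    """Run the test over the constructed data with a sample large enough to
    cover every file, so the outcome is deterministic."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = build_demo(Path(tmp))
        return restore_test(live, backup, sample_size=10, seed=1)


if __name__ == "__main__":
    for outcome, paths in run_demo().items():
        print(f"{outcome:8s} {len(paths)}: {', '.join(paths) or '-'}")
```

Point restore_test() at your real live and backup roots for the quarterly check (five files is enough to catch a backup job that silently stopped). A "missing" result means a folder the backup does not cover; a "mismatch" means either a stale backup or a file that has legitimately changed since the last run, and the timestamps kept by copy2 on the restored copy tell the two apart. Restoring into a temporary directory rather than over the live data is deliberate: a restore test must never be able to damage the thing it is testing.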

Next month

October: the basics you can pick up and walk away with — physical security, screen locks, and the social media risks most businesses do not think about.

Cyber Essentials note

Backups sit slightly outside the five Cyber Essentials controls, but they are explicitly listed in the NCSC's 10 Steps to Cyber Security as a foundational practice. They are the difference between a bad day and a closed business.