It was a Tuesday morning when the call came in.
A 22-person accounting firm had arrived at the office to find their server completely unresponsive. A ransomware attack had encrypted every file overnight — client records, tax documents, years of financial data — all of it locked behind a demand for $47,000 in cryptocurrency.
Here’s the part that hurt most: they thought they were backed up.
They had an external hard drive plugged into the server. They had set up an automated backup months ago. What they didn’t know was that the backup software had been silently failing for six weeks, and that the same ransomware had encrypted the backup drive too. To malware running on the server, a drive that stays plugged in and mounted is just another writable volume, no different from the data it was supposed to protect.
They lost 18 months of data. Recovery cost them more than the ransom — in lost billable hours, emergency IT work, and client trust.
This isn’t a horror story we made up. Scenarios like this happen often to businesses that believed they were protected.
In the past year, several ransomware attacks have hit organizations across New Mexico. Reported victims include a major university, multiple school districts, local governments, and healthcare providers. These organizations often have dedicated IT security teams—yet they were still significantly impacted. So, what does that mean for small businesses with fewer resources?
The difference between companies that recover and companies that don’t usually comes down to one thing: whether they actually understood what “backed up” means.
What “backed up” actually means — and what most businesses get wrong
When most business owners say they’re backed up, they mean one of two things: they save files to an external hard drive, or they store documents in a cloud folder like Dropbox or OneDrive.
Both of these feel like backups. Neither of them is a backup strategy.
An external hard drive that sits next to your server will be stolen in the same burglary, burned in the same fire, or encrypted in the same ransomware attack. A synced cloud folder mirrors deletions instantly, meaning that if someone accidentally deletes a folder, or ransomware scrambles your files, that damage syncs to the cloud within seconds. The version history those services keep helps with a single mistaken save, but it is retained for a limited window and can be emptied by anyone holding the account credentials, which is exactly what an attacker inside your network will have.
A real backup strategy is deliberate, layered, and regularly tested. It protects you from hardware failure, human error, cyberattack, and physical disaster — ideally all at once. That’s exactly what the 3-2-1 rule is designed to do.
The 3-2-1 backup rule explained in plain English
The 3-2-1 rule is the gold standard framework for data protection. It’s been recommended by cybersecurity agencies, IT professionals, and government bodies for over a decade — and it’s still the most practical starting point for any business.
Here’s what it means:
3 — Keep at least 3 copies of your data. The original, plus two backups. If one is destroyed or corrupted, you still have two others.
2 — Store those copies on 2 different types of media. For example: a local NAS (network-attached storage) plus a cloud backup, or an external drive plus an offsite copy. Different media fail for different reasons, so having both dramatically reduces the chance of simultaneous failure. The deeper point is independent failure modes: a copy that the production system can write to at any time shares the production system’s fate, which is how the accounting firm’s backup drive was encrypted. At least one copy should be offline (disconnected between runs) or immutable (write-once storage, often sold as object lock or retention lock) so that malware running with your users’ permissions cannot reach it.
1 — Keep at least 1 copy offsite. This is the step most businesses skip. If your office floods, burns, or gets broken into, an offsite or cloud-based backup is the only thing standing between you and starting from zero.
| Copy | Where | Purpose |
|---|---|---|
| Copy 1 | Primary server or workstation | Live working data |
| Copy 2 | Local backup (NAS or external) | Fast on-site recovery |
| Copy 3 | Offsite or cloud | Disaster recovery |
Simple in theory. Surprisingly rare in practice.
The 5 most common backup mistakes we see in business audits
When we perform IT audits for new clients, backup failures are among the most common — and most preventable — problems we find. Here are the five that show up most often.
No tested restores
A backup you’ve never tested is a backup you can’t trust. Software glitches, corrupted files, and configuration errors can all cause backups to fail silently. We recommend running a test restore at least quarterly: actually pull a file or folder from the backup, open it, and compare it against the original (a checksum comparison is the quickest way to prove the bytes match). Restore from the offsite copy at least some of the time, not only the local one, because the offsite copy is the one you will be depending on after a fire or a ransomware attack.
No offsite copy
Most businesses have a local backup. Far fewer have an offsite or cloud copy. If your office experiences a fire, flood, theft, or power surge, a local-only backup offers zero protection.
Backup software that fails silently
This is the one that catches businesses off guard most often. Many backup tools will run until they hit an error (a full disk, an expired license, a changed file path) and then simply stop, without sending any alert. Weeks later, the business assumes everything is fine. It isn’t. The fix is to monitor for the absence of success rather than the presence of an error: if no backup newer than your allowed interval exists, that is an alert, whether or not the software reported a problem.
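As an added example (not Zia Networks’ tooling or any vendor’s product), here is the kind of check that covers both the silent-failure problem above and the “no tested restores” point earlier: it alerts when the newest backup is older than the allowed interval, and it verifies a test restore by hashing the restored file against the original instead of trusting the backup job’s own status. The file-naming convention, the one-day freshness limit, and the sample ledger file are assumptions made for the demonstration.

```python
"""Backup health check: flags a stale backup and a restore that does not match.

Added example, not Zia Networks code. Assumptions: backup files live in one
directory and carry a timestamp in the name, e.g. 'clients-20240630T0300.tar';
the test restore has already produced a file and we only verify it.
"""
import hashlib
import os
import re
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

STAMP_RE = re.compile(r"(\d{8}T\d{4})")  # assumed naming convention


def parse_stamp(name):
    """Timestamp embedded in a backup file name, or None if it has none."""
    m = STAMP_RE.search(name)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y%m%dT%H%M").replace(tzinfo=timezone.utc)


def newest_backup_age(backup_dir, now):
    """Age of the most recent backup file, or None if the directory holds none."""
    stamps = [s for s in map(parse_stamp, os.listdir(backup_dir)) if s]
    return (now - max(stamps)) if stamps else None


def sha256_file(path):
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_problems(backup_dir, max_age, original, restored, now=None):
    """Problems a monitor should alert on; an empty list means healthy.

    Note the logic is 'is there a fresh backup?' rather than 'did the job
    report an error?', so a job that quietly stopped running still fires.
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    age = newest_backup_age(backup_dir, now)
    if age is None:
        problems.append("no backup files found")
    elif age > max_age:
        problems.append(f"newest backup is {age.days}d old, limit {max_age.days}d")
    if not os.path.exists(restored):
        problems.append("test restore produced no file")
    elif sha256_file(original) != sha256_file(restored):
        problems.append("restored file does not match original")
    return problems


def simulate(stale_weeks, corrupt_restore):
    """Constructed scenario in a temp directory; returns the problem list.

    stale_weeks: how long ago the last backup file was written.
    corrupt_restore: whether the 'restored' copy has been damaged.
    """
    root = tempfile.mkdtemp()
    try:
        backups = os.path.join(root, "backups")
        os.mkdir(backups)
        now = datetime(2024, 6, 30, 8, 0, tzinfo=timezone.utc)
        last_run = now - timedelta(weeks=stale_weeks)
        open(os.path.join(backups, f"clients-{last_run:%Y%m%dT%H%M}.tar"), "wb").close()
        original = os.path.join(root, "ledger.csv")   # constructed sample data
        with open(original, "w") as f:
            f.write("client,balance\nacme,1200.00\n")
        restored = os.path.join(root, "ledger.restored.csv")
        shutil.copy(original, restored)
        if corrupt_restore:
            with open(restored, "ab") as f:
                f.write(b"\0\0\0")  # a truncated or partially written restore
        return backup_problems(backups, timedelta(days=1), original, restored, now=now)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("healthy:", simulate(0, False))
    print("six weeks silent, bad restore:", simulate(6, True))
```

In production the `restored` path would be produced by your backup tool’s restore command (run from a scheduled job), and a non-empty problem list would go to whatever paging or ticketing channel your team actually watches.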
No data retention policy
How far back can you go? If ransomware has been dormant in your system for 30 days before triggering, a backup from yesterday won’t help you: every backup taken during that month contains the intruder’s foothold, and restoring it puts you right back where you started. You need a restore point older than the intrusion. A proper retention policy keeps multiple versions of your data over days, weeks, and months (commonly a grandfather-father-son scheme of daily, weekly, and monthly copies), so you can roll back to a point before the damage occurred. Size the window to exceed the time an attacker could plausibly sit unnoticed in your environment, not just the time it takes someone to notice a deleted file.
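To make the retention point concrete, here is an added example (not from the original article) of a grandfather-father-son retention selector, plus a check for whether any clean restore point survives a given ransomware dwell time. The tier sizes (7 daily, 4 weekly, 12 monthly) and the 120-day series of nightly snapshots are constructed sample inputs, not a recommendation from the article.

```python
"""Grandfather-father-son retention: which snapshots to keep, and whether a
clean restore point survives a ransomware dwell time.

Added example, not Zia Networks code. Snapshot dates are constructed sample
data and the tier sizes are an assumed policy.
"""
from datetime import datetime, timedelta


def gfs_keep(snapshots, now, daily=7, weekly=4, monthly=12):
    """Return the set of snapshot datetimes to retain.

    Tiers:
      daily   - every snapshot taken within the last `daily` days
      weekly  - the newest snapshot in each ISO week within `weekly` weeks
      monthly - the newest snapshot in each of the last `monthly` calendar months
    A snapshot kept by any tier survives; everything else is eligible for pruning.
    """
    keep = set()
    by_week = {}
    by_month = {}
    now_month = now.year * 12 + now.month
    for s in snapshots:
        if s > now:
            continue  # clock skew or a mislabelled file; never treat it as current
        age = now - s
        if age <= timedelta(days=daily):
            keep.add(s)
        if age <= timedelta(weeks=weekly):
            wk = s.isocalendar()[:2]  # (iso_year, iso_week)
            if wk not in by_week or s > by_week[wk]:
                by_week[wk] = s
        if now_month - (s.year * 12 + s.month) < monthly:
            mo = (s.year, s.month)
            if mo not in by_month or s > by_month[mo]:
                by_month[mo] = s
    keep.update(by_week.values())
    keep.update(by_month.values())
    return keep


def newest_clean_point(retained, infection_time):
    """Newest retained snapshot taken strictly before the infection.

    Returns None when retention has already pruned every pre-infection copy,
    which is the failure the article describes: a long dormancy against a
    short retention window leaves nothing clean to restore.
    """
    clean = [s for s in retained if s < infection_time]
    return max(clean) if clean else None


# Constructed sample: one snapshot per night at 03:00 for the last 120 days.
NOW = datetime(2024, 6, 30, 3, 0)
SNAPSHOTS = [NOW - timedelta(days=i) for i in range(120)]


def compare_policies(dwell_days):
    """Clean restore point under a 7-day-only policy versus full GFS, for
    malware that sat dormant `dwell_days` before detonating."""
    infection = NOW - timedelta(days=dwell_days)
    short = gfs_keep(SNAPSHOTS, NOW, daily=7, weekly=0, monthly=0)
    full = gfs_keep(SNAPSHOTS, NOW)
    return {
        "short_policy": newest_clean_point(short, infection),
        "gfs_policy": newest_clean_point(full, infection),
    }


if __name__ == "__main__":
    for dwell in (3, 20, 45):
        r = compare_policies(dwell)
        print(f"dwell {dwell:>2}d: 7-day-only -> {r['short_policy']}, GFS -> {r['gfs_policy']}")
```

With these inputs the 7-day-only policy has no clean copy left once the malware has been present for more than a week, while the GFS tiers still hold a weekly snapshot from the day before a 20-day infection and a monthly snapshot from before a 45-day one. Retention depth is what buys that rollback; backup frequency alone does not.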
Forgetting SaaS data
Microsoft 365, Google Workspace, Salesforce, QuickBooks Online: none of these platforms back up your data for you in a way you can fully control or restore from. They operate on a shared-responsibility model, keeping the service running while leaving your data’s recoverability to you, and their built-in recycle bins and version history cover only a limited window. Microsoft’s own documentation recommends using a third-party backup for business continuity. If your business runs on cloud apps, that data needs its own backup strategy.
How long would it take your business to recover?
Before you can choose a backup solution, you need to answer two questions that most businesses have never thought about.
Recovery Time Objective (RTO)
How long can your business operate without access to its data? For a retail shop, maybe a few hours. For a medical practice or law firm, potentially minutes. Your RTO defines how fast your backup system needs to get you back online.
Recovery Point Objective (RPO)
How much data can you afford to lose? If your backups run every 24 hours and a disaster hits at hour 23, you’ve lost a full day of work. If your RPO is “no more than 1 hour of data,” you need backups running much more frequently.
Most businesses have never explicitly set these numbers — which means they have no way to evaluate whether their current backup solution would actually meet their needs in a crisis. Knowing your RTO and RPO isn’t a technical exercise; it’s a business continuity decision that belongs in a conversation with your leadership team.
What a managed backup solution looks like — and what to ask before you buy
A managed backup solution handles the entire process for you: automated backups on a defined schedule, monitoring to catch silent failures before they become disasters, regular test restores, and a documented recovery plan you can actually execute under pressure.
When evaluating options — whether working with an MSP or choosing software independently — here are the questions worth asking:
How often does it back up? The honest answer depends on your RPO: the interval between backups is the most work you can lose, so a nightly job only fits a business that can afford to redo a day. Most businesses should look for solutions that run hourly or in near-real-time.
Where is the offsite copy stored? Make sure it’s geographically separate from your office, with encryption in transit and at rest. Ask as well whether the credentials on your production systems can delete or overwrite it; an offsite copy that the same compromised admin account can wipe is not truly separate. Separate credentials and immutable (write-once) storage for that copy are the safeguards to look for.
How do you know if it fails? Monitoring and alerting should be proactive, not reactive.
How fast can we actually recover? Get a concrete answer, not a general assurance. Ask for a recovery time estimate in hours for a full-server restore, not just a single file, and compare it against the RTO you set above.
Does it cover our cloud apps? Confirm coverage for Microsoft 365, Google Workspace, or any other SaaS tools your team relies on.
How long are backups retained? Aim for at least 30 days of versioned history, ideally 90.
The right solution won’t just store your data — it will give you confidence that when something goes wrong (and eventually, something will), you can recover quickly and completely.
Ready to find out if your backup would actually hold up?
Most businesses don’t discover their backup gaps until it’s too late. A backup audit takes less than an hour and gives you a clear picture of where you’re protected — and where you’re exposed.
Our Zia Networks team will review your current setup, test your restore process, and give you a plain-English summary of your actual risk — no jargon, no pressure.