I've had a version of this conversation more times than I'd like.

"We have a backup."

Okay. When did you last test it?

"What do you mean test it?"

I mean restore something from it. Verify it actually works.

"...We haven't done that."

That backup might not exist in any practical sense. It's a file somewhere that might work and might not, and you won't find out until you really need it.

The backup most businesses actually have

OneDrive. Dropbox. Google Drive. Maybe an external hard drive someone plugs in when they remember to.

Cloud sync is not backup. When ransomware encrypts your files, it encrypts the synced copies too. That's not protection - that's the same data in two places, both ruined at the same time. External drives are better, but only if they're disconnected when not in use and actually tested on a schedule.

A real backup is separate from your live environment, verified on a schedule, and recoverable in a timeframe your business can survive. Most of what I see has none of those three.

The 3-2-1 rule, briefly

Three copies of your data. Two different types of storage. One offsite.

It's a starting point, not a religion. But it gives you something to measure against. Most businesses I walk into have one copy, one storage type, and nothing offsite. One bad day takes everything.

The question nobody asks

Even if the backup works: how long does recovery take?

A backup that takes four days to restore is a very different situation than one that takes four hours. Depending on your business, four days offline might cost more than the incident itself. Recovery time is part of the backup conversation. It almost never comes up until it's too late to matter.

What actually changes things

Tested backups. A clear picture of what's covered and what isn't. A recovery plan that's been walked through at least once before it's needed. Someone watching the backup jobs so a silent failure doesn't go unnoticed for three months.

None of this is complicated. It just has to be set up, checked, and maintained - like everything else that actually works.
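A restore drill along those lines, as an added example (not from the original post). It assumes the backup is a tar.gz archive and that a JSON manifest of SHA-256 hashes was written when the backup ran; the function names, the 26-hour freshness limit and the four-hour recovery target are illustrative assumptions.

```python
import hashlib, json, tarfile, tempfile, time
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def restore_drill(archive, manifest, max_age_hours=26, rto_seconds=4 * 3600, now=None):
    """Restore into a scratch dir; return a list of failures (empty list = drill passed)."""
    archive, failures = Path(archive), []
    # 1. Freshness: catches the backup job that silently stopped running.
    age_h = ((time.time() if now is None else now) - archive.stat().st_mtime) / 3600
    if age_h > max_age_hours:
        failures.append(f"stale: newest backup is {age_h:.0f}h old")
    expected = json.loads(Path(manifest).read_text())  # {relative path: sha256}
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        start = time.monotonic()
        try:  # 2. Restorability: actually unpack it, away from the live data.
            with tarfile.open(archive) as tar:
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return failures + [f"unreadable archive: {exc}"]
        elapsed = time.monotonic() - start
        for rel, digest in expected.items():  # 3. Integrity of what came back.
            restored = Path(scratch, rel)
            if not restored.is_file():
                failures.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                failures.append(f"hash mismatch: {rel}")
    if elapsed > rto_seconds:  # 4. Recovery time the business can survive.
        failures.append(f"restore took {elapsed:.0f}s, target is {rto_seconds}s")
    return failures

def make_sample(workdir):
    """Constructed sample data: two small files, a tar.gz of them, and a manifest."""
    src = Path(workdir, "src")
    src.mkdir()
    (src / "invoices.csv").write_text("id,amount\n1,100\n")
    (src / "clients.txt").write_text("Acme Ltd\n")
    archive, manifest = Path(workdir, "backup.tar.gz"), Path(workdir, "manifest.json")
    manifest.write_text(json.dumps({p.name: sha256_file(p) for p in src.iterdir()}))
    with tarfile.open(archive, "w:gz") as tar:
        for p in src.iterdir():
            tar.add(p, arcname=p.name)
    return archive, manifest
```

Run `restore_drill` from a scheduled job and alert on any non-empty result; `make_sample` only builds throwaway data to try it against.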

The businesses I've seen lose data almost always had something. Just not something that held up when it counted.