How to Back Up Your Business So Ransomware Can't Hold You Hostage
Cybersecurity • Updated • 9 min read

75% of small businesses can't continue operating if hit with ransomware. Proper backups make ransom payment unnecessary. Here's how to set them up right.

75% of small businesses hit with ransomware can't continue operating. Not "experience a slowdown." Can't operate. The Datto Global State of the Channel Ransomware Report found that downtime costs for SMBs after an attack average $274,200 — and that's before you factor in reputation damage, lost contracts, and the regulatory fallout if customer data was involved. The median ransom demand in 2025 is over $200,000, according to Sophos' annual ransomware report.

But here's the part that doesn't get enough attention: businesses with proper backups almost never pay the ransom. They restore from a clean copy and move on. The entire ransomware model collapses when your data exists somewhere the attacker can't reach.

This isn't a complicated problem. It's an under-practiced one.

The 3-2-1 backup rule (and why it still holds up)

The 3-2-1 rule has been the standard since before ransomware was a household word, and it still works because the logic is sound:

  • 3 copies of your data (the original plus two backups)
  • 2 different media types (local drive plus cloud, or NAS plus external drive — not two copies on the same device)
  • 1 copy offsite (physically or logically separated from your primary network)

The reasoning behind each number is about eliminating single points of failure. One backup can fail. Two backups on the same drive die together. A backup sitting on the same network as your production systems can be encrypted by the same ransomware that hit everything else — CISA's ransomware guide specifically warns about this.

The offsite copy is your insurance policy. It's the one that survives when everything on your network is compromised. If you take nothing else from this article, take this: at least one backup must live somewhere your primary network cannot reach.

The 3-2-1 rule survives because the math is simple: eliminate every single point of failure between you and your data.

What to back up (it's more than files)

Most people think of backups as "my documents and photos." That's the floor, not the ceiling. A business backup that lets you actually recover needs to include:

  • Files and documents — the obvious layer. Client deliverables, contracts, internal documents, media assets.
  • Databases — if you run any application with a database behind it (CRM, project management, accounting software, a website), the database needs its own backup process. File-level copies of a running database can produce corrupted backups. Use the application's built-in export or a proper database dump tool.
  • Configurations — server configs, application settings, DNS records, firewall rules. Rebuilding a server from scratch without these means days of detective work figuring out how things were set up. Document them and back up the documentation.
  • Credentials vault — your password manager's encrypted export, API keys, license keys, certificates. If your team uses a password manager (and they should — see five cybersecurity things every business should do first), schedule regular encrypted exports to your backup.
  • Email — if you're on a hosted provider like Google Workspace or Microsoft 365, your email is in the cloud, but that doesn't mean it's backed up. Google's shared responsibility model makes it clear that data protection is your responsibility. Third-party email backup tools exist for exactly this reason.

A useful test: if your office burned down tomorrow and you had to set up on new hardware, could you get back to operational from your backups alone? If the answer involves "well, I'd need to call someone to get..." then that thing needs to be in the backup.

How often to back up

The right backup frequency depends on how much work you can afford to lose. This is called your Recovery Point Objective (RPO), and the calculation is straightforward: if you back up nightly and get hit at 4 PM, you lose a full day's work. If that's acceptable, nightly is fine. If losing a day's work means re-entering 200 client records, you need more frequent snapshots.

Practical guidance for most small businesses:

  • Critical databases — every 1-4 hours, automated
  • Active project files — daily, automated
  • Configuration and credentials — weekly, plus after any significant change
  • Full system images — weekly or monthly

Automated is the operative word. Manual backup processes are backup processes that stop happening the first week someone gets busy. Every modern backup tool supports scheduling. Use it.

Backup frequency should be based on how much work you can afford to lose, not how often you remember to run the process.

Cloud vs. local vs. both

This isn't an either/or decision. Cloud and local backups solve different problems:

Local backups (external drives, NAS devices) give you fast restore times. If you need to recover a 50 GB database, pulling it from a drive on your desk takes minutes. Pulling it from the cloud takes hours. Local backups also don't depend on internet connectivity.

Cloud backups give you geographic separation. A fire, flood, or theft that destroys your office won't touch your cloud backup. Cloud storage is also harder for ransomware to reach — particularly if it uses immutable storage, which prevents existing files from being modified or deleted for a set retention period.

The 3-2-1 rule accommodates both. Local drive for speed, cloud for disaster resilience. If you only pick one, pick cloud — the offsite copy is the one that saves you from ransomware scenarios where the attacker has been on your network for weeks before triggering the encryption.

How to test restores (the step almost everyone skips)

A backup you've never tested is a backup you're hoping works. Hope is not a recovery strategy.

The Veeam Data Protection Trends Report found that 58% of backup restores fail. More than half. The backup ran every night, the logs looked clean, and when it was actually needed, the data was incomplete, corrupted, or in a format nobody could use.

Testing means actually performing a restore — not just checking that the backup job completed. At minimum, quarterly:

  1. Pick a random backup set — not the most recent one, which is most likely to work. Pick one from three weeks ago.
  2. Restore it to a separate location — not over your production data. A test machine, a different folder, a sandbox environment.
  3. Verify the data — can you open the files? Does the database start? Are the records current as of that backup date? Can the application actually run on the restored configuration?
  4. Time the process — how long did full restoration take? That's your Recovery Time Objective (RTO) in practice, not in theory.
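A minimal version of this drill, written here as an added example rather than anything from the article, with constructed sample data and hypothetical helper names (make_backup_set, pick_non_latest, restore_and_verify): it builds three dated backup sets, deliberately picks one that is not the newest, restores it into a scratch directory, checks every file against a stored SHA-256 manifest, and times the whole run. A plain directory copy stands in for the real backup tool's copy step; the selection, verification and timing logic is what carries over.

```python
import hashlib
import json
import os
import random
import shutil
import tempfile
import time

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def make_backup_set(src_dir, backup_dir, label):
    # Copy src_dir to backup_dir/<label> and record a sha256 per file, so a
    # restore can later be checked for completeness, not just "job finished".
    dest = os.path.join(backup_dir, label)
    shutil.copytree(src_dir, dest)
    manifest = {n: sha256_file(os.path.join(src_dir, n)) for n in os.listdir(src_dir)}
    with open(dest + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    return dest

def pick_non_latest(backup_dir):
    # Step 1: a random set that is NOT the most recent one.
    sets = sorted(d for d in os.listdir(backup_dir) if not d.endswith(".json"))
    return os.path.join(backup_dir, random.choice(sets[:-1] or sets))

def restore_and_verify(backup_set):
    # Steps 2-4: restore into a scratch directory (never over production),
    # compare every file's hash against the manifest, and time the whole run.
    start = time.monotonic()
    with open(backup_set + ".manifest.json") as f:
        manifest = json.load(f)
    restore_dir = os.path.join(tempfile.mkdtemp(prefix="restore-test-"), "data")
    shutil.copytree(backup_set, restore_dir)
    bad = [n for n, digest in manifest.items()
           if not os.path.isfile(os.path.join(restore_dir, n))
           or sha256_file(os.path.join(restore_dir, n)) != digest]
    return {"set": os.path.basename(backup_set), "files": len(manifest),
            "mismatched": bad, "seconds": round(time.monotonic() - start, 3)}

def run_drill():
    # Constructed sample data: three weekly backup sets of a growing ledger folder.
    src = tempfile.mkdtemp(prefix="drill-data-")
    backups = tempfile.mkdtemp(prefix="drill-backups-")
    for day in ("2024-01-01", "2024-01-08", "2024-01-15"):
        with open(os.path.join(src, f"ledger-{day}.csv"), "w") as f:
            f.write(f"date,amount\n{day},100\n")
        make_backup_set(src, backups, day)
    return restore_and_verify(pick_non_latest(backups))
```

A non-empty `mismatched` list is the result to act on: it means the job log said "success" but the restore does not match what was backed up.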

Document the results. If the restore took six hours and your business can't survive six hours of downtime, you need a faster restore path — a local backup, a hot standby, or a simpler system architecture. This is exactly the kind of information you want before an incident, not during one. Knowing what the first 48 hours of a breach look like makes it clear why "figure it out during the crisis" isn't a plan.

Before AI / Now with AI

Before AI

Ransomware was a blunt instrument. Attackers would encrypt everything they could reach, as fast as possible, and hope the damage was extensive enough to force payment. Backup strategies designed around this — offsite copies, network segmentation, regular rotation — were effective because the attack was indiscriminate. If your backup was separate from your network, it survived.

Now with AI

AI-augmented ransomware changes the calculus. Modern variants can identify your most valuable files before encrypting — prioritizing databases, financial records, and client data over stock photos and old meeting notes. More critically, AI-driven attacks can detect and target backup connections themselves, identifying mounted backup drives, cloud sync agents, and shadow copies, then deleting or encrypting them before the primary attack begins.

The Darktrace threat research has documented ransomware strains that specifically scan for backup infrastructure as a first step. The encryption of production data is the second step — once the safety net is gone.

The defense hasn't changed in principle, but it's gotten more specific: air-gapped backups. An air-gapped backup is one that is physically or logically disconnected from your network except during the backup window. A USB drive that you plug in for the backup and unplug when it's done. A cloud backup that uses write-only credentials (the backup agent can upload but can't delete or modify existing backups). Immutable storage that rejects deletion requests for a set retention period, regardless of who — or what — makes the request.

AI also works on the defensive side. Backup monitoring tools now use anomaly detection to flag unusual patterns — a sudden spike in file modifications (which often precedes encryption), backup sizes that shrink unexpectedly (suggesting files were deleted before the backup ran), or backup jobs that start failing after months of clean runs. These early warnings can be the difference between catching ransomware in its staging phase and discovering it after everything is encrypted.
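The three signals listed above (a modification spike, a backup that suddenly shrinks, and a failure after a long clean streak), as an added example that is not from the article or any named product: each nightly run is compared against the median of the trailing runs before it. The job history is constructed, and the thresholds (`window`, `change_factor`, `shrink_ratio`, `clean_runs`) are assumed starting points to tune against your own history.

```python
from statistics import median

# Constructed sample job history (one line per nightly run): date, status,
# backup size in GB, files changed since the previous run. Not real data.
JOB_LOG = """\
2024-03-01 ok 412.0 1480
2024-03-02 ok 413.1 1510
2024-03-03 ok 413.9 1390
2024-03-04 ok 414.6 1455
2024-03-05 ok 415.2 1420
2024-03-06 ok 415.9 1475
2024-03-07 ok 416.4 1500
2024-03-08 ok 417.0 1460
2024-03-09 ok 417.8 1490
2024-03-10 ok 418.3 1445
2024-03-11 ok 418.9 19870
2024-03-12 ok 231.5 1470
2024-03-13 fail 0 0
"""

def parse_log(text):
    rows = []
    for line in text.splitlines():
        date, status, size, changed = line.split()
        rows.append({"date": date, "ok": status == "ok",
                     "size_gb": float(size), "changed": int(changed)})
    return rows

def find_anomalies(rows, window=7, change_factor=5.0, shrink_ratio=0.8, clean_runs=7):
    # Compare each run against the trailing `window` runs before it. A spike in
    # changed files often precedes encryption; a shrinking backup suggests files
    # were deleted before the job ran; a failure after a clean streak is itself
    # a signal worth a human look.
    alerts = []
    for i in range(window, len(rows)):
        prior, cur = rows[i - window:i], rows[i]
        base_changed = median(r["changed"] for r in prior)
        base_size = median(r["size_gb"] for r in prior)
        if not cur["ok"]:
            if all(r["ok"] for r in rows[max(0, i - clean_runs):i]):
                alerts.append((cur["date"], "job failed after clean streak"))
            continue
        if cur["changed"] > change_factor * base_changed:
            alerts.append((cur["date"], "modification spike"))
        if cur["size_gb"] < shrink_ratio * base_size:
            alerts.append((cur["date"], "backup size shrank"))
    return alerts
```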

The principle is the same as it was before AI entered the picture: your last line of defense must exist somewhere the attacker cannot reach. AI just made "cannot reach" a higher bar to clear.

Air-gapped backups remain the strongest defense against AI-targeted ransomware because they exist outside the attacker's reach.

Where to start today

If you have no backup system in place, start here:

  1. Inventory what matters — files, databases, configs, credentials, email. If you can't rebuild from it, it needs to be backed up.
  2. Set up automated daily backups to a local device and a cloud service. Use the 3-2-1 rule as your framework.
  3. Make at least one copy air-gapped — a rotated USB drive in a safe, or immutable cloud storage. This is non-negotiable for ransomware resilience.
  4. Test a restore this month — not next quarter, this month. Pick a random backup, restore it, and verify the data is usable.
  5. Put it on the calendar — quarterly restore tests, documented. Treat it like a fire drill, because that's what it is.

The businesses that survive ransomware aren't the ones that paid the ransom. They're the ones that didn't need to. The difference is a backup strategy that was set up correctly and tested regularly — nothing more exotic than that.


External hard drive connected to laptop with hot pink LED — backup strategy by Amelia S. Gagne
The 3-2-1 backup rule: three copies, two different media types, one offsite. It's been the standard since before ransomware existed, and it still holds because the principle — redundancy against single points of failure — is timeless.

Frequently Asked Questions

How much does a proper backup system cost for a small business?

A basic 3-2-1 backup setup can cost under $200/year. A quality external drive runs $50-100, and cloud backup services like Backblaze or Wasabi start at $5-7/month per terabyte. Enterprise-grade immutable storage adds cost but is increasingly available at SMB price points. The math is simple: compare $200/year to $274,200 in average ransomware downtime costs. The backup pays for itself if it prevents even a few hours of downtime over its lifetime.

If I use cloud services like Google Workspace or Microsoft 365, aren't my files already backed up?

No. Cloud platforms protect against their own infrastructure failures — hardware faults, data center outages. They do not protect against ransomware encrypting files via your synced account, accidental deletion, or a compromised admin account wiping data. Both Google and Microsoft operate on a "shared responsibility model" where data protection is explicitly your responsibility. You need a third-party backup that copies your cloud data to a separate, protected location.

What's the difference between an air-gapped backup and a regular offsite backup?

An offsite backup is stored in a different physical location — a cloud server, a drive at a second office. An air-gapped backup goes further: it's disconnected from your network entirely except during active backup windows. A regular cloud backup syncing continuously can still be reached by ransomware through your sync agent's credentials. An air-gapped backup — whether a USB drive that's physically unplugged or cloud storage using write-only, time-locked immutable policies — can't be touched because there's no live connection to exploit.

How long does a full business restore actually take?

It depends on data volume and your restore method. A local backup of a small business (under 500 GB) can restore in 1-4 hours. A cloud restore of the same data over a standard business internet connection might take 12-24 hours. Full system rebuilds — where you're reconfiguring servers and applications from scratch, not just restoring files — can take 2-5 business days even with good backups. This is exactly why testing restore times matters: you need to know whether your recovery timeline matches what your business can survive.

Can ransomware encrypt cloud backups?

Yes, if the backup maintains a live connection to your network. Ransomware that compromises an account with access to cloud storage — through synced folders, API keys, or saved credentials — can encrypt or delete cloud backups just as easily as local files. This is why immutable storage and write-only backup credentials matter. With immutable storage, even a fully compromised account can't modify or delete existing backups during the retention window. It's the closest thing to a guarantee in backup security.
