Business document backup: how to survive ransomware, fire and human error | Arhivix

The real size of the risk

  • 60 percent of small businesses that lose all their data shut down within 6 months of the incident
  • Ransomware attacks on businesses have tripled since 2020, and the average ransom in Europe in 2025 exceeded 1.5 million EUR
  • 29 percent of data losses result from hardware failure, most often disks older than 4 years
  • Only 25 percent of small businesses have a documented and tested backup strategy, while 50 percent run something that has never been verified
  • 22 percent of losses are caused by human error: an employee accidentally deletes a folder, formats the wrong disk, overwrites a file with no prior copy

Why local backup is not backup

An external hard drive plugged into the server, a NAS device in the server room, a USB stick in the director's drawer. None of that is backup in the sense of business protection. The reason is simple: backup that shares a physical location or network with the original is not protected from the same threats hitting the original.

  • Fire and flood: the server room and the NAS next to it burn together
  • Theft of equipment: a break-in carries off the server, the NAS and every disk
  • Ransomware: modern strains encrypt not only the original files but every disk and network share they can reach, including mapped backup locations
  • Power surge: destroys every device on the same socket or distribution board
  • Malicious insider: an employee with server access deletes both the original and the backup before leaving

The 3-2-1 rule, a standard that still holds in 2026

The best-known backup formula, sufficient for 95 percent of business scenarios:

  • 3 copies of every file (original plus two copies)
  • 2 different media (e.g. local disk and cloud, not two disks of the same type)
  • 1 copy off site (cloud, another city, another region)

The more modern 3-2-1-1-0 standard adds two further conditions: 1 immutable copy (which cannot be altered even by an administrator) and 0 errors on verification (every backup is automatically tested for readability).
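The five conditions can be checked mechanically against an inventory of copies. The following is an added example, not code from Arhivix; the `Copy` fields, media labels and site names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Copy:
    name: str
    medium: str                          # e.g. "disk", "object-storage", "tape"
    site: str                            # physical location of this copy
    is_original: bool = False
    immutable: bool = False              # WORM-protected copy
    verify_errors: Optional[int] = None  # None = never test-restored

def check_3_2_1_1_0(copies):
    """Evaluate an inventory (original included) against each condition."""
    originals = [c for c in copies if c.is_original]
    backups = [c for c in copies if not c.is_original]
    home_sites = {c.site for c in originals}
    # A backup that was never verified fails "0 errors"; it does not pass by default.
    verified_clean = all(c.verify_errors == 0 for c in backups)
    return {
        "3 copies": len(copies) >= 3,
        "2 media": len({c.medium for c in copies}) >= 2,
        "1 off site": any(c.site not in home_sites for c in backups),
        "1 immutable": any(c.immutable for c in backups),
        "0 errors": bool(backups) and verified_clean,
    }

def failed_rules(copies):
    return [rule for rule, ok in check_3_2_1_1_0(copies).items() if not ok]

# Constructed inventories (names, media labels and sites are illustrative).
LOCAL_ONLY = [
    Copy("file server", "disk", "office", is_original=True),
    Copy("NAS in server room", "disk", "office"),
    Copy("external drive", "disk", "office", verify_errors=0),
]
HARDENED = [
    Copy("file server", "disk", "office", is_original=True),
    Copy("NAS snapshot", "disk", "office", verify_errors=0),
    Copy("cloud bucket", "object-storage", "eu-region-b",
         immutable=True, verify_errors=0),
]

if __name__ == "__main__":
    for label, inv in (("local only", LOCAL_ONLY), ("hardened", HARDENED)):
        print(label, "fails:", failed_rules(inv) or "nothing")
```

The local-only inventory has three copies and still fails four of the five conditions, which is the situation described in the previous section.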

RTO and RPO: two numbers you must know

RTO (Recovery Time Objective) is the time within which the business can recover after an incident. The question: how many hours can our business operate without access to documentation? The answer dictates the type of backup solution.

RPO (Recovery Point Objective) is the maximum amount of data you are willing to lose, expressed in time. If you take a backup once a day, your RPO is 24 hours, meaning that in the worst case you lose a full working day.

Type of business                          | Typical RTO           | Typical RPO
Small business, manual backup             | 2 to 5 days           | 24 to 48 hours
SMB, daily cloud backup                   | 4 to 24 hours         | 4 to 24 hours
Professional DMS with continuous backup   | 15 minutes to 2 hours | 1 to 15 minutes
Banks, hospitals, critical infrastructure | under 5 minutes       | close to 0
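The RPO you actually achieve is set by the longest gap between successful backups, not by the schedule. The following added example (not Arhivix code; the function names and the job history are constructed for illustration) measures that gap from a job log and shows how a single failed nightly run turns a 24 hour RPO into 48 hours.

```python
from datetime import datetime, timedelta

def worst_gap(jobs, now):
    """Return (start, end, gap) for the longest unprotected window.

    jobs: iterable of (finish_time, succeeded). Failed jobs protect
    nothing, so the window simply stretches across them. The stretch
    from the last good backup until `now` is counted as well.
    """
    good = sorted(t for t, ok in jobs if ok)
    if not good:
        return None                      # no restorable copy exists
    points = good + [now]
    return max(((a, b, b - a) for a, b in zip(points, points[1:])),
               key=lambda w: w[2])

def meets_rpo(jobs, now, target):
    window = worst_gap(jobs, now)
    return window is not None and window[2] <= target

# Constructed job history: nightly run at 01:00, the 3 March run failed.
JOBS = [
    (datetime(2026, 3, 1, 1, 0), True),
    (datetime(2026, 3, 2, 1, 0), True),
    (datetime(2026, 3, 3, 1, 0), False),
    (datetime(2026, 3, 4, 1, 0), True),
    (datetime(2026, 3, 5, 1, 0), True),
]
NOW = datetime(2026, 3, 5, 9, 0)

if __name__ == "__main__":
    start, end, gap = worst_gap(JOBS, NOW)
    print(f"worst window: {start} -> {end} ({gap})")
    print("meets 24 h RPO:", meets_rpo(JOBS, NOW, timedelta(hours=24)))
```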

What exactly to demand from a cloud backup solution

Encryption

AES-256 both in transit (TLS 1.3) and at rest. The encryption key should be under your control (BYOK option) for sensitive industries, or at the very least the provider must guarantee that it has no access to unencrypted files.

Geo redundancy

Backup to at least two physically separate sites, ideally in different EU regions. If the provider's primary region is unavailable (earthquake, power outage, cyberattack on the data centre), the secondary takes over.

Versioning

The ability to roll back to any prior version of a document, not just the latest one. Standard practice is to retain at least 30 versions or 90 days of history, which protects against ransomware attacks (which encrypt the current file but not the historical copies).

Immutability (WORM)

Write Once, Read Many mode means that certain backup snapshots cannot be modified or deleted, even by an administrator. This is the only real defence against modern ransomware that targets the backup system first before it starts encrypting production.

Automatic verification

The system must test itself: monthly automated restore of a sample and a success report. A backup that has never been tried does not count as backup.
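A sample restore test of this kind can be built from a hash manifest recorded at backup time. The following is an added example, not Arhivix code; the function names, file names and directory layout are assumptions, and the "restore" is simulated with constructed files so that the check runs offline.

```python
import hashlib
import random
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(source_root):
    """At backup time: {relative path: sha256} for every file."""
    root = Path(source_root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def verify_restore(manifest, restore_root, sample_size, seed=None):
    """Compare a random sample of restored files with the manifest."""
    names = sorted(manifest)
    sample = random.Random(seed).sample(names, min(sample_size, len(names)))
    report = {"checked": len(sample), "missing": [], "corrupt": []}
    for rel in sorted(sample):
        restored = Path(restore_root) / rel
        if not restored.is_file():
            report["missing"].append(rel)        # restore silently skipped it
        elif sha256_file(restored) != manifest[rel]:
            report["corrupt"].append(rel)        # readable but not the same bytes
    report["ok"] = not (report["missing"] or report["corrupt"])
    return report

def demo():
    """Constructed case: one file restored intact, one truncated, one lost."""
    docs = {"contracts/a.pdf": b"contract A" * 100, "payroll.xlsx": b"payroll" * 100,
            "contracts/b.pdf": b"contract B" * 100}
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        for root in (src, dst):
            (root / "contracts").mkdir(parents=True)
        for rel, data in docs.items():
            (src / rel).write_bytes(data)
        manifest = build_manifest(src)
        (dst / "contracts/a.pdf").write_bytes(docs["contracts/a.pdf"])
        (dst / "contracts/b.pdf").write_bytes(docs["contracts/b.pdf"][:50])
        return verify_restore(manifest, dst, sample_size=3, seed=1)

if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere other than the backup itself, so that whatever damages the backup cannot also rewrite the expected hashes.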

Granular restore

The ability to restore just one file, one folder or a whole system, without rebuilding the entire instance. When an employee accidentally deletes a single contract, you do not need a five-hour rebuild of the whole database.

Legal obligation under GDPR and data protection law

GDPR Article 32 and equivalent national data protection laws explicitly require the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. If your business processes personal data (and practically every business does, at minimum employee data), backup is not a choice but a legal requirement. GDPR fines reach up to 4 percent of annual turnover or 20 million EUR, whichever is higher.

For healthcare institutions, financial firms, law firms and businesses processing children's data, additional sectoral obligations often require an RPO under 1 hour and a mandatory restore test at least once a year.

Most common mistakes in practice

  • Backing up only important files: when the incident hits, the unimportant folder turns out to have been critical. Rule: back up all documentation; selective backup is a false economy.
  • Backup that shares a network with production: NAS on the same LAN as the server. Ransomware sees it and encrypts it.
  • Nobody tests restore: backup runs for years, but when it is needed, the files turn out to be unreadable or partially corrupt.
  • Backup password in the same mailbox as the alert: an attacker who takes over the email also takes over the backup account.
  • No retention policy: backup grows without limit, consumes resources, and when data from 5 years ago is needed, nobody knows where it is.
  • Cloud sync mistaken for backup: Google Drive, Dropbox and OneDrive synchronise the current state, meaning that when you delete a file or ransomware encrypts it, the change propagates immediately to all devices. Without versioning, that is the opposite of a backup.