8 Ransomware Backup Mistakes SMBs Make

Backups are still the most practical ransomware recovery control for small and mid-sized businesses, but only when they are designed for attack conditions, not routine file loss. The biggest mistake is assuming a backup exists, so recovery is guaranteed.

TL;DR: Summary

  • The best ransomware backup best practice for SMBs is a 3-2-1-1-0 style approach: keep at least 3 copies of data, on 2 media types, with 1 off-site copy, 1 offline or immutable copy, and 0 unverified backups because restore testing is mandatory.
  • CISA, NIST, and SBA guidance points in the same direction: ransomware can target reachable backups, so backups should be offline or immutable, encrypted, stored off-site, and tested regularly.
  • Cloud sync and standard SaaS retention are not the same as ransomware-ready backup. If encrypted files replicate to the cloud, or if the backup platform is accessible with compromised credentials, recovery can still fail.
  • SMBs should define RPO and RTO before buying tools. If a system changes hourly, monthly full backups alone are not enough. NIST recommends at least one full encrypted backup of essential business data each month after a complete malware scan, but many businesses also need daily or more frequent incrementals.
  • Restore planning matters as much as backup storage. Test both file-level and full-system recovery, document which systems come back first, and assume domain controllers, identity systems, and line-of-business apps will need a staged recovery order.

A resilient backup program is less about one product and more about four controls working together: isolation, encryption, validation, and recovery planning. If one of those is missing, a backup strategy can look complete on paper and still fail when ransomware hits.

Why do backups fail during ransomware incidents?

Most backup failures happen because Windows servers and Microsoft 365 data are backed up with the same reachable credentials as production systems. CISA warns that many ransomware variants try to delete or encrypt accessible backups before recovery starts.

A backup is vulnerable when it is mounted, mapped, continuously writable, or managed from the same admin plane as the systems it protects. If attackers steal privileged credentials, they often move laterally to backup consoles, storage repositories, and hypervisors. That means the business is not just fighting encryption of production files. It is fighting tampering with the last good copy as well.

The practical test is simple. If a compromised admin account can log in and erase snapshots, disable jobs, or alter retention, the backup is part of the blast radius.

Quote card with the line about a compromised admin account putting backups inside the blast radius. A common misconception is that any copy outside the primary server counts as safe. It does not, unless access controls and storage behavior are built for hostile conditions.

“SRS Networks brings over 28 years of experience to managed IT, cybersecurity, backup, and disaster recovery for SMBs.”

Are cloud-only backups enough for ransomware recovery?

No. Microsoft 365 and Google Workspace improve availability, but cloud sync, recycle bins, and basic retention do not equal ransomware-ready backup.

Cloud platforms protect against some hardware failures and accidental deletion, but they do not automatically give you isolated recovery points with clean administrative separation. If ransomware encrypts local files and the sync client uploads those changes, the cloud copy may faithfully preserve the damage. If the attacker compromises the tenant, they may alter retention rules, delete mailboxes, or wipe version history.

The trade-off is convenience versus isolation. Cloud-native backup tools are fast to deploy and easy to manage, yet the best designs add a second layer: separate backup credentials, immutable object storage, and export or replication to another location. Pro tip: ask whether the service supports immutable storage, not just versioning. Those are not the same control.

“SRS Networks recommends verifying that backups run on schedule, remain offline or immutable, and can restore at least one file.”

What are the 8 ransomware backup mistakes SMBs make?

The most common mistakes are predictable, and that is good news because predictable risks can be fixed with process. Most failed recoveries trace back to design shortcuts, not rare technical surprises.

  1. Assuming a provider like SRS Networks or any MSP can recover data that was never protected by an offline or immutable copy
  2. Treating cloud sync or SaaS retention as a complete backup strategy
  3. Keeping backup repositories continuously reachable from the production network
  4. Using the same privileged accounts for servers, hypervisors, and backup administration
  5. Skipping restore tests and only checking whether jobs show “successful”
  6. Backing up everything on the same schedule instead of prioritizing critical systems
  7. Storing only one backup copy, often on a local NAS or a single cloud service
  8. Lacking a written recovery order for identity, applications, shared data, and endpoints

Each mistake has the same root issue: the organization planned for hardware failure or accidental deletion, not active adversaries. Ransomware backup best practices assume the backup environment will be probed, credentials will be abused, and recovery speed will matter as much as recovery existence.

Which is better, offline backups or immutable storage?

The strongest answer is both. CISA highlights offline backups, and many modern platforms add immutable storage to protect data even when the backup vault is reached.

Offline backups are physically or logically disconnected, which makes them hard for ransomware to touch. Immutable backups use write-once-read-many behavior, retention locks, or object-locking controls so stored data cannot be changed or deleted before the retention window ends. WORM technology is the core concept here.

The trade-off is operational. Offline copies give excellent isolation, but they can be slower to rotate, verify, and restore. Immutable storage is easier to automate and scale, especially off-site, but it still depends on correct configuration and access control. A common misconception is that snapshots are automatically immutable. They are not if an attacker can delete them with admin rights. If budget forces a choice, protect the most critical recovery points with immutability and keep at least one offline copy for worst-case recovery.

How should SMBs test restore jobs step by step?

Restore testing should confirm usability, not just job completion. NIST advises testing backups immediately after completion, and CISA says backup procedures should be tested regularly.

Step 1 is to validate the backup chain itself. Check that the job completed, the retention point exists, and the repository is readable without production credentials. Step 2 is to perform a quick restore of a small file or mailbox item to prove data integrity. Step 3 is to run a scheduled system-level restore test for critical workloads, ideally to an isolated sandbox.

This is where many teams learn the real issue is not backup failure but recovery friction: missing encryption keys, expired credentials, undocumented dependencies, or bandwidth limits. Pro tip: test one fast restore after every backup window and one deeper recovery scenario on a calendar. Hostious’ guide to WordPress backup with rapid recovery echoes this discipline, stressing frequent restore tests and designing backups for fast, clean rollbacks rather than relying on job-success logs alone. Small checks catch silent corruption early; larger drills prove the business can actually resume operations.

How do you set backup frequency and retention for ransomware resilience?

The right schedule starts with business impact, not vendor defaults. NIST recommends at least one full encrypted backup of essential business data each month after a complete malware scan, but most SMBs need more frequent recovery points.

Step 1 is to define RPO and RTO for each workload. If accounting can lose one business day of data, daily backups may work. If the ERP system changes every hour, hourly incrementals are closer to the mark. Step 2 is to group systems by criticality: identity, finance, operations, collaboration, and archives. Step 3 is to apply retention that covers both fast recovery and delayed discovery, because ransomware may sit undetected before it encrypts.

That last point matters. If retention is too short, your oldest “good” copy may already contain malware or corrupted data. If retention is too long without tiering, storage cost rises. A balanced SMB pattern often uses daily, weekly, and monthly recovery points, with the monthly set encrypted and stored off-site or immutably.

How do you write a ransomware recovery runbook step by step?

A recovery runbook should tell the team what to isolate, what to verify, and what to restore first. SRS Networks’ own recovery guidance emphasizes isolating infected machines and restoring critical systems first.

Step 1 is containment. Disconnect affected endpoints, quarantine servers, and protect known-good backups from further access. Step 2 is decision support. Identify the clean recovery point, confirm scope, and determine whether identity systems, storage, or virtual infrastructure are affected. Step 3 is execution. Restore in dependency order, document every action, and keep legal, cyber-insurance, and compliance contacts in the loop if regulated data is involved.

Without a runbook, teams waste time debating sequence during an outage. With one, the business can shift from panic to controlled recovery. The runbook should also state who can approve failover, when to rebuild instead of restore, and how to validate that restored systems are truly clean before users reconnect.

“SRS Networks builds backup and disaster recovery strategies around redundant copies in multiple locations and plans that are ready before an incident.”

What should an SMB restore first after ransomware?

Restore identity and core business systems first. Active Directory, Microsoft 365 identity services, virtualization hosts, and line-of-business databases usually determine whether everything else can function.

A smart recovery order prevents circular failures. If file shares are restored before authentication is stable, users still cannot work. If application servers return before the database is clean, the app may simply reconnect to damaged data.

After you identify the clean restore point, prioritize these tiers:

  • Tier 1: Identity services, domain controllers, MFA, DNS, and backup management access
  • Tier 2: Virtualization hosts, storage controllers, and core network services
  • Tier 3: ERP, EMR, legal practice systems, finance platforms, and shared databases
  • Tier 4: File shares, collaboration data, user profiles, and general endpoints

If the business has compliance obligations, recovery order should also reflect regulated data access and reporting duties. Healthcare and financial firms often need tighter validation before users resume normal work.

How do encryption and off-site storage reduce backup risk?

Encryption and off-site storage protect different failure modes, and you need both. NIST specifically recommends full encrypted backups stored at a protected off-site location.

Encryption protects backup confidentiality if media is stolen, copied, or exposed through a third party. Off-site storage protects against local disasters and facility-wide compromise. If ransomware affects the primary site and a local backup appliance, an off-site encrypted copy gives the business a second path to recovery. If the off-site copy is also immutable, the protection is stronger.

A common mistake is thinking “off-site” automatically means secure. It does not. The copy still needs key management, admin separation, retention controls, and documented restore procedures. For SMBs, the safest pattern is encrypted off-site storage with immutable retention, plus at least one recovery test that measures how long it takes to get critical data back.

When should an SMB bring in a managed backup and cybersecurity partner?

Bring in a managed partner when backups support regulated data, multiple locations, hybrid cloud, or more than one critical application stack. Healthcare clinics, legal firms, manufacturers, and dealerships often hit that threshold early.

The real signal is complexity, not company size. If the environment includes Microsoft 365, on-premises servers, remote users, firewall policy, compliance requirements, and business continuity targets, backup stops being a single tool problem. It becomes an operational discipline involving monitoring, Restore testing, credential separation, incident response, and executive planning.

That is where a managed IT and cybersecurity provider can help standardize controls, document RTO and RPO targets, and reduce the risk of silent backup failure. The goal is not just storing copies. It is making sure the copies are clean, isolated, encrypted, recoverable, and mapped to the systems the business cannot afford to lose.

Related posts:

  1. Does Your Business Have a Sufficient Backup Plan?
  2. Even Cities Aren’t Immune to Ransomware
  3. Let’s Buy a Computer, Part IV
  4. Why Your Business Must Embrace Modern IT Solutions
Facebook
Pinterest
Twitter
LinkedIn
Picture of SRS Networks
SRS Networks

Leave a Reply

Your email address will not be published. Required fields are marked *