37forge.com
HOME / GUIDES / Cybersecurity Essentials
FREE GUIDE · CYBERSECURITY ESSENTIALS

Are your backups actually working? A 5-point test for small businesses

6 min read·By William Edwards, Lead Engineer·Updated July 2026·37 Forge · McKinney TX

A backup you have never restored is only a guess. A green dashboard every morning tells you the backup job ran. It does not tell you the data is complete, uncorrupted, and something you could bring back before the business grinds to a stop. The only real proof a backup works is a restore you have tested. Ransomware crews understand this better than most owners do, and one of their first moves after they get in is to hunt down your backups and delete them.

Why "we have backups" and "we can recover" are different things

Owners find the gap at the worst possible moment. The backup had been running for months, but it was only copying one folder. It captured the file server and quietly skipped Microsoft 365. The restore worked, but it took three days when the business could survive one. Any of these turns a backup into a false sense of security, and you do not learn which one applies to you until you try to recover.

The stakes climb every year because attackers plan around backups now. They get in, study the network, locate the backup system, check what it can reach, and wipe or encrypt it before they trigger the visible attack. If your backups live on the same network with the same logins as everything else, the attacker reaches them too. Our guide on how Collin County businesses actually get hit walks through those entry points in plain terms.

The 5-point test

Run these five checks against your current setup. If you cannot answer all five with confidence, you have a backup, not a recovery plan.

How often to test

Restore a sample file every month so you catch silent failures early. Run a full recovery drill of your most important system at least twice a year, and again after any big change: a new server, a Microsoft 365 migration, or a switch in backup software. Backups drift out of sync with the business quietly, and a schedule is what keeps a stale configuration from becoming the reason a recovery fails. Backups are one control among several, and our small-business cybersecurity checklist shows where they sit alongside MFA, patching, and training.

Who owns the test

A backup nobody is responsible for is a backup nobody is testing. Someone has to own the schedule, run the drills, read the logs, and fix what breaks. For most small businesses that person already wears five other hats, so the testing slips until an outage forces the issue. A managed IT partner makes recovery a monitored, documented routine. If you are weighing that against paying by the hour when something breaks, our guide on managed IT versus break-fix lays out the tradeoffs.

Not sure your backups would hold up?

Book a free 30-minute assessment with a local Collin County engineer. We will walk through your current backups and tell you straight whether you could recover, whether or not you hire us.

Book an assessment →
© 2026 37 Forge LLC · Managed IT, Cybersecurity & Cloud · McKinney, TX · 214-432-0333