
Is Your Backup Actually Working? How to Find Out Before It Matters


The backup nobody tested

Here's a scenario that happens more often than anyone admits.

A law firm's server crashes on a Thursday morning. Twenty years of client files, case documents, and email archives are on that server. The office manager calls the IT person who set up their backup system three years ago. He hasn't worked with them in over a year, but he remembers setting up a NAS device in the closet.

They check the NAS. It's powered off. Someone unplugged it months ago to plug in a space heater. Even if it were running, the last successful backup was seven months old because the drive filled up and nobody noticed the error emails.

Three days of emergency data recovery later, they get back about 60% of their files. The rest is gone.

This isn't a hypothetical. Some version of this happens to small businesses every single day. They had a backup. They just never checked if it worked.

What should be backed up

Before you test anything, make sure you're backing up the right things. Here's what a small professional office typically needs to protect:

Critical (loss means the business stops):

  • Client files and documents
  • Accounting data (QuickBooks files, financial records)
  • Email (if hosted on a local server; M365 and Google Workspace have their own retention, but it's worth backing up separately)
  • Line-of-business application databases (practice management, case management, agency management)
  • Shared drive contents

Important (loss means significant disruption):

  • Operating system and application configurations
  • User profiles and settings
  • Templates, forms, and internal documents
  • Scanned records and archives

Often forgotten:

  • Data stored only on individual workstations (desktop files, local Documents folders)
  • Browser bookmarks and saved passwords
  • Voicemail recordings (if using VoIP)
  • Security camera footage
  • Printer/scanner configurations

The goal isn't to back up everything. It's to make sure that if the worst happens, you can get back to a functioning office without losing client data or business records.

The 3-2-1 rule

The standard backup rule of thumb is 3-2-1:

  • 3 copies of your data (the original plus two backups)
  • 2 different types of storage (such as a local NAS and a cloud backup)
  • 1 copy offsite (physically separate from your office)

The reason for this is simple. A single backup can fail. A local backup protects against hardware failure but not against fire, theft, or ransomware that encrypts everything on your network. A cloud backup protects against physical disasters but requires internet access and might take hours or days to fully restore.

Having both gives you options. Local for fast recovery from everyday problems, cloud for disaster-level events.

For small offices, a practical implementation looks like:

  • A NAS device in the office running nightly backups of the server and shared files
  • A cloud backup service (Backblaze, Wasabi, Veeam Cloud, Acronis) running daily
  • Retention of at least 30 days so you can recover from problems that aren't immediately noticed

How to test your backup

Testing a backup means attempting an actual restore. Not checking that the backup software says "completed." Not looking at file sizes. Actually restoring a file and confirming it opens correctly.

Level 1: File restore test (do this monthly)

  1. Pick a file that was backed up recently. Something you know the contents of.
  2. Restore it to a different location (not the original).
  3. Open it. Verify the contents are intact and current.
  4. If it's a database file (QuickBooks, practice management), verify the application can open it.
  5. Record the date and result somewhere. A simple log is fine.

This takes 10 minutes and tells you whether your backup is actually capturing data correctly.

Level 2: Folder restore test (do this quarterly)

  1. Pick an entire folder or directory.
  2. Restore it to a temporary location.
  3. Spot-check several files within the folder for completeness.
  4. Verify folder structure and permissions are preserved.
  5. Delete the test restore when confirmed.

This tests whether your backup handles folder structures and permissions, not just individual files.
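One way to automate the comparison in the Level 1 and Level 2 tests, shown here as an added example that is not part of the original article: the Python script below hashes every file in the live folder and in the test restore, then sorts each file into ok, missing, mismatch, or changed since the backup ran. Comparing against the live folder, the function names, and the sample tree built in demo() are assumptions made for illustration; the script checks contents and folder structure, not permissions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash in 1 MiB chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_restore(source_dir, restored_dir, backup_time):
    """Compare a test restore with the live folder. backup_time is the epoch time
    the job ran; files edited after it are expected to differ and listed apart."""
    source_dir, restored_dir = Path(source_dir), Path(restored_dir)
    report = {"ok": [], "missing": [], "mismatch": [], "changed_since_backup": []}
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir).as_posix()
        restored = restored_dir / rel
        if src.stat().st_mtime > backup_time:
            report["changed_since_backup"].append(rel)
        elif not restored.is_file():
            report["missing"].append(rel)      # the backup job never captured it
        elif sha256_of(src) != sha256_of(restored):
            report["mismatch"].append(rel)     # restored copy is damaged or stale
        else:
            report["ok"].append(rel)
    return report

def demo():
    """Constructed sample data: a small live share and a flawed restore of it."""
    root = Path(tempfile.mkdtemp())
    live, restored = root / "live", root / "restored"
    backup_time = 1_700_000_000                # constructed backup timestamp
    files = {"clients/smith.txt": b"engagement letter", "books/ledger.qbw": b"v2",
             "forms/intake.docx": b"template", "clients/jones.txt": b"case notes"}
    for rel, data in files.items():
        for base in (live, restored):
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(data)
        os.utime(live / rel, (backup_time - 3600,) * 2)   # last edited before backup
    os.utime(live / "clients/jones.txt", (backup_time + 3600,) * 2)  # edited afterwards
    (restored / "forms/intake.docx").unlink()             # file the job skipped
    (restored / "books/ledger.qbw").write_bytes(b"v1")    # stale or damaged copy
    return verify_restore(live, restored, backup_time)

if __name__ == "__main__":
    print(demo())
```

Anything listed under missing or mismatch is a failed test; the counts in each list are what goes into the restore log.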

Level 3: Full system restore test (do this annually, or hire someone)

  1. Restore a full system image to a spare machine or virtual environment.
  2. Boot it up and verify the operating system loads.
  3. Verify applications launch and data is accessible.
  4. Measure how long the restore takes. This is your actual recovery time.

This is the definitive test. If you can restore a full system to a bare machine and get it working, your backup is real. If you can't, you know before it matters.

Level 3 is harder to do without IT expertise. If you're not comfortable with it, that's a good reason to bring in help.

Common backup problems we find

In nearly every IT assessment we do, we find at least one of these:

The backup that silently stopped. The software crashed, the service stopped, or the credentials expired. No alerts were configured, so nobody knew.

The full drive. The backup destination ran out of space. Newer backups are failing, but older ones (possibly months out of date) are still sitting there looking reassuring.

The backup that doesn't cover what you think it covers. The backup was configured to cover the D: drive, but critical files are on C:\Users. Or the QuickBooks database is in a non-standard location that wasn't included in the backup job.

The local-only backup. Everything backs up to a NAS sitting on the same network as the server. Ransomware encrypts both. Fire destroys both. Theft takes both.

The USB drive rotation that stopped rotating. Somebody was supposed to swap drives every Friday. That stopped happening in February. The same drive has been sitting in the NAS for months.

The cloud backup that would take a week to restore. 500 GB of data backed up to the cloud, but your office has a 50 Mbps connection. Full restore time: approximately 5 days. Is your business prepared to wait that long?
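The first two problems above, the backup that silently stopped and the full drive, can be caught by a scheduled check of the backup destination itself rather than by trusting the backup software's reports. The following Python is an added example, not part of the original article; the function name, the 26-hour and 15% thresholds, and the sample data in demo() are assumptions.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path

def check_backup_destination(dest, max_age_hours=26, min_free=0.15, now=None):
    """Return a list of problems found at a backup destination folder.

    The defaults are assumptions for a nightly job: the newest file should be
    under 26 hours old and at least 15% of the volume should be free.
    """
    dest = Path(dest)
    now = time.time() if now is None else now
    if not dest.is_dir():
        return [f"destination {dest} not reachable (powered off or unmounted?)"]
    problems = []
    files = [p for p in dest.rglob("*") if p.is_file()]
    if not files:
        problems.append("no backup files found")
    else:
        newest = max(files, key=lambda p: p.stat().st_mtime)
        age_hours = (now - newest.stat().st_mtime) / 3600
        if age_hours > max_age_hours:
            problems.append(f"newest backup {newest.name} is {age_hours / 24:.1f} days old")
        if newest.stat().st_size == 0:
            problems.append(f"newest backup {newest.name} is empty")
    usage = shutil.disk_usage(dest)
    if usage.total and usage.free / usage.total < min_free:
        problems.append(f"only {usage.free / usage.total:.0%} of destination is free")
    return problems

def demo():
    """Constructed sample: a destination whose last backup is seven months old."""
    dest = Path(tempfile.mkdtemp())
    now = 1_700_000_000                          # constructed "current" time
    stale = dest / "server-full.bak"
    stale.write_bytes(b"constructed backup data")
    os.utime(stale, (now - 210 * 86400,) * 2)    # about seven months earlier
    # min_free=0.0 switches the space check off so the result is repeatable.
    return check_backup_destination(dest, min_free=0.0, now=now)

if __name__ == "__main__":
    for problem in demo():
        print("BACKUP ALERT:", problem)
```

Run it from a machine other than the backup server, so a crashed server or a powered-off NAS shows up as an alert instead of silence.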

Cloud backup vs local backup

Both have strengths. Neither is sufficient alone.

Local backup (NAS, external drive, dedicated backup server):

  • Fast restores (minutes to hours for most data)
  • No internet dependency
  • One-time hardware cost
  • Vulnerable to physical threats (fire, theft, power surge)
  • Vulnerable to ransomware if on the same network

Cloud backup (Backblaze, Wasabi, Veeam, Acronis, Datto):

  • Offsite by definition (fire, theft, flood don't affect it)
  • Usually encrypted in transit and at rest
  • Ongoing monthly cost ($5 to $50/month for most small offices)
  • Restore speed limited by internet bandwidth
  • Requires configuration to cover the right data

Best practice for small offices: Use both. Local for speed. Cloud for safety. This isn't expensive. A small NAS costs $300 to $500, and cloud backup for a typical small office runs $10 to $30 per month.

How often should you test?

  • File restore test: Monthly. Put it on the calendar. It takes 10 minutes.
  • Folder restore test: Quarterly.
  • Full system restore test: Annually, or whenever you make significant changes to your systems.
  • Backup monitoring check: Weekly. Verify the last backup completed successfully. Most backup software sends email reports. Actually read them.

If nobody in your office is doing any of these, you don't have a backup strategy. You have a backup assumption.

When to call a professional

You should handle backup testing yourself if you can. It's not that complicated, and knowing your backup works is something every office should be confident about.

But call a professional if:

  • You can't figure out how to perform a test restore
  • Your test restore fails and you don't know why
  • You discover your backup isn't covering critical data
  • You don't have any offsite or cloud backup
  • Your recovery time is measured in days instead of hours
  • You're not sure what's being backed up at all

An IT assessment that includes a thorough backup review can identify gaps you might not know about and give you a clear plan to fix them. Safe Shield IT's IT Shield Report covers backup and disaster recovery as one of its core assessment areas.

Don't wait until a Thursday morning to find out your backup isn't working.

Jonathan Caruso is the founder of Safe Shield IT, providing managed IT and security oversight for small professional offices in Central Georgia.
