01
Why Most Backups Fail When They Matter Most
The most dangerous backup is one you believe exists but hasn't been tested. We regularly encounter businesses whose backup solution appears to be running โ the job shows as completed โ but whose data is incomplete, corrupted, or stored on a system that's also encrypted in a ransomware event.
A proper backup strategy addresses three questions that most businesses haven't answered: What happens when the primary and backup are both encrypted? How long does it actually take to restore? And when did we last test it?
A backup that hasn't been tested isn't a backup โ it's a hypothesis.
The 3-2-1 rule is the foundational backup design principle. It doesn't guarantee recovery, but it eliminates the most common single points of failure.
| Number | Meaning | Example |
|---|
| 3 | Three copies of your data | Primary, local backup, offsite backup |
| 2 | Two different storage media | Local NAS + cloud storage |
| 1 | One copy offsite or air-gapped | Azure Backup, separate cloud region, or offline tape |
In 2026, the 3-2-1 rule has evolved to 3-2-1-1-0 for ransomware resilience: three copies, two media, one offsite, one immutable, zero backup errors verified through automated testing.
03
Immutable Backup Storage
Standard backups can be encrypted by ransomware if the backup system is connected to and accessible from the compromised network. Immutable backup storage prevents this by making backup data impossible to modify or delete โ even by a compromised admin account.
Immutability options
โAzure Blob Storage with immutability policies โ locked containers cannot be deleted or modified
โAWS S3 Object Lock โ WORM (Write Once Read Many) protection
โVeeam Hardened Repository โ Linux-based, root-inaccessible backup storage
โOffsite tape โ physically air-gapped, immune to network-based attack
If the same account that manages your servers can also delete your backups, your backup is not protected against a compromised admin credential.
Microsoft 365 is not backed up by Microsoft in the way most businesses assume. Microsoft provides high availability โ data is replicated across multiple datacentres โ but this is not the same as backup. If a user deletes data, ransomware corrupts it, or an admin error causes mass deletion, native retention may be insufficient.
What Microsoft provides (and doesn't)
| Feature | Microsoft Native | Third-Party Backup Required |
|---|
| Deleted items recovery | 90 days max | Longer retention per policy |
| Version history | Limited versions | Full version history |
| Ransomware recovery | Limited rollback | Point-in-time recovery |
| Admin error recovery | Limited | Full recovery from clean backup |
| Compliance archive | E3/E5 only | Included in most 3rd party tools |
โVeeam Backup for Microsoft 365
โAcronis Cyber Backup
โDatto SaaS Protection
โMicrosoft 365 Backup (native, now generally available โ verify scope coverage)
A backup is only as good as the restore. Testing must be a scheduled, documented activity โ not something done ad hoc during an incident.
Recovery testing schedule
| Test Type | Frequency | What to Test |
|---|
| Single file restore | Monthly | Restore a random file from 30 days ago |
| Mailbox restore | Quarterly | Restore a mailbox to a test account |
| Full system restore | Annually | Restore a non-critical server to isolated environment |
| RTO test | Annually | Time the complete restore of a critical system |
What to document
โDate and time of test
โWhat was restored, from what backup date
โTime taken to restore
โAny errors or issues encountered
โWhether restored data was verified as correct and complete
06
Recovery Time and Point Objectives
RTO (Recovery Time Objective) and RPO (Recovery Point Objective) are the two metrics that determine whether your backup strategy actually meets your business needs.
| Metric | Definition | Example | Design implication |
|---|
| RTO | How long can the business tolerate downtime? | 4 hours | Need warm standby or hot backup capability |
| RPO | How much data loss is acceptable? | 4 hours | Backup frequency must be at least every 4 hours |
Most small businesses have never formally defined their RTO and RPO. When we ask 'how long could you operate without your email?' or 'how much transaction data could you afford to lose?', the answers drive the backup design โ and often reveal that the current solution doesn't meet the actual business requirement.
07
De4sec Backup Implementation
De4sec designs and implements backup strategies aligned to each client's RTO, RPO, and ransomware resilience requirements.
Assessment
Review current backup configuration, coverage gaps, and test history. Identify single points of failure.
Design
Define RTO and RPO. Design backup architecture covering all data sources โ Microsoft 365, on-premise, cloud workloads.
Implementation
Deploy backup solution, configure immutable storage, test initial restore, document recovery procedures.
Ongoing Management
Monitor backup job completion, quarterly restore testing, annual RTO/RPO review.
โAU: support@de4sec.technology | +61 451 500 909
โKE: support@de4sec.technology | +254 741 777 681
// NEXT STEP
Ready to implement this in your environment?
De4sec provides hands-on implementation, not just advice. Book a free discovery call โ we assess your current environment against this guide at no cost, no obligation.
ยฉ 2026 DE4SEC TECHNOLOGY. ALL RIGHTS RESERVED.