Business IT · ~5 min read

How to verify your small-business backup actually works

By Gary Amick · That Computer Guy 26 · Seymour, Indiana

Most small businesses think they have a backup. About half actually have one that will restore. Here’s a 15-minute test you can run every month that proves it — before ransomware finds out for you.

1. Why “the backup ran” isn’t the same as “the backup works”

Almost every backup tool reports “completed successfully” even when something is silently broken: a permission change excluded a key folder, a database file is locked while the backup runs, the destination drive is full, the cloud sync token expired six weeks ago. The only test that catches all of these is a real restore.

2. The 3-2-1 rule, in 30 seconds

• 3 copies of your data (the original + two backups).
• 2 different media (e.g., NAS + cloud).
• 1 off-site (or off-network) so ransomware can’t reach it.

If you don’t have all three, fix that before you run any restore tests — the test will give you false confidence.

3. The 15-minute monthly restore test

1. Pick one critical file you know the contents of. Usually a current invoice, a payroll spreadsheet, or a customer list. Note the last 3 numbers/lines.
2. Restore it from the backup — to a different folder. Don’t overwrite the live file. Most backup software has “Restore to alternate location.”
3. Open the restored copy. Verify the last lines match. Verify the file size is sane (not 0 bytes, not 1 GB when it should be 50 MB).
4. Now do a folder restore. Pick a small folder (10-50 files), restore it to a temp location, run a count + a spot-check on three random files.
5. Now do an “everything from yesterday” test. Most software lets you list files modified since a date. Restore those, count them. If the count is suspiciously low, your incremental backup isn’t catching changes.
6. Document each test. Date, what you restored, whether it worked, how long it took. A simple spreadsheet is enough.

4. Quarterly: the bare-metal restore

Once a quarter, restore an entire machine to spare hardware (or a VM). This catches the worst silent failures: image-level backups that never actually capture the boot sector, system-state backups that exclude registry hives, server backups that miss SQL transaction logs. Yes, it’s an afternoon. It’s also the difference between “down for an hour” and “down for a week” after a ransomware hit.

5. Red flags I see all the time in southern Indiana shops

• One USB drive plugged into the server. Single-point-of-failure backups are barely backups. Ransomware encrypts USB drives too.
• A cloud sync labeled “backup.” OneDrive / Google Drive / Dropbox sync is not backup — if a file gets corrupted or encrypted locally, the sync pushes the corruption to the cloud. Versioning on most plans only goes back 30 days.
• “Backups are running, but I’ve never restored from one.” An untested backup is a wish.
• The backup destination is on the same domain credentials. If ransomware grabs the domain admin password, it’ll happily delete your backup repository too.

6. The bottom line

Backup verification isn’t a once-a-year compliance checkbox — it’s the single highest-leverage 15 minutes you spend on IT every month. Test the small thing. Test the medium thing. Test the entire-machine thing once a quarter. Document each test. The day you actually need to restore, you will be glad you did.

Want me to set this up properly?

If you’d rather have someone configure 3-2-1 backups, monthly restore tests, and a documented disaster-recovery plan for your business — that’s a thing I do. Free initial audit for businesses in Jackson, Bartholomew, Jennings, Washington, and Scott counties.