The Risk of Not Having Cloud Backup
Most businesses think they have cloud backup when they actually have cloud storage with a backup label. Here are the five questions that expose the gap before an incident does.
You probably have something your IT provider calls cloud backup. Whether it would restore your business after ransomware or a hurricane is a different question.
Veeam’s 2025 Ransomware Trends Report surveyed 1,300 organizations, 900 of which had been hit by ransomware in the prior year. Sixty-nine percent of the victims felt well-prepared before the attack. Only ten percent recovered more than ninety percent of their data.[1]
The backup was running. The recovery didn’t work.
Cloud Storage With a Backup Label Is Not Cloud Backup
The 2018 version of this conversation asked whether your provider had enough storage, encrypted your data, and charged a reasonable price. Those are still table stakes. They are not the questions that separate real backup from backup in name only.
Across industry surveys, roughly sixty-one percent of cloud backup restore attempts succeed.[2] Four in ten fail when data is on the line. Only fifteen percent of organizations test their backups daily, and most do not test on any regular cadence at all.[3]
A backup that runs is not the same as a backup that restores. The process running is not the capability working. In 2026, that gap is where most Florida businesses are exposed.
Five Questions That Separate a Backup Program From a Backup Product
These are the questions that separate providers who run a real backup program from providers who resell a backup product. The right answers are specific and come with evidence. Vague reassurances are the problem the questions are designed to surface.
1. When was the last time you restored my data from scratch, and can I see the report?
A backup program is proven by its last restore, not its last successful job. A green check on a dashboard says a backup job ran. It does not say the backup is restorable, and the sixty-one percent industry success rate is what happens when organizations stop at the job log.
Ask for an actual restore to a usable state, with a timestamped report. A simulated test is not the same thing. If the answer is “we have never had to run one,” ask for a scheduled test this quarter. A real backup program has recent restore evidence on hand. A backup product has job logs.
2. Is immutability on by default, or do I have to enable it and pay for it separately?
Modern ransomware hunts backups before it encrypts production. ESG’s 2025 data shows ninety-six percent of ransomware attacks now target the victim’s backup systems, and thirty-five percent of those attacks leave the victim with missing or incomplete data.[4] Immutable storage (data that cannot be altered or deleted for a defined retention window, by anyone) is how you keep a backup that survives the attempt. CISA’s #StopRansomware guide now treats immutable, encrypted, offline backups as baseline, not an advanced control.[5]
Some providers still sell immutability as a premium add-on. If your provider’s answer to this question is anything other than “yes, by default, at no additional cost,” your backup is designed to be destructible.
3. If an attacker compromises our domain admin account, can they reach the backup console?
The standard that emerged from the ransomware surge of 2022 through 2024 is 3-2-1-1-0: three copies of data, on two different media types, one offsite, one immutable or offline, and zero errors on verified restore tests.[6] The “1” and “0” are the 2026 additions. They exist because the old 3-2-1 rule did not survive attackers who go after every online copy they can reach.
The answer to Question 3 should be no, with specifics. Backup credentials should not be federated with your identity system. MFA should be enforced on the backup console. Admin account isolation should survive a full tenant compromise. If the backup sits inside the same identity blast radius as production, it is part of the attack surface, not a defense against it.
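The 3-2-1-1-0 rule and the identity-isolation checks from Question 3, expressed as an audit over a backup inventory. This is an added example, not code from this article or any vendor: the `Copy` schema, the 90-day restore-test window, and both sample inventories are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Copy:                              # one copy of the data (hypothetical schema)
    name: str
    media: str                           # "disk", "appliance", "object-storage", ...
    offsite: bool
    immutable_or_offline: bool
    federated_with_prod: bool            # console login tied to production identity
    mfa: bool                            # MFA enforced on the backup console
    last_restore: Optional[date] = None  # date of last verified restore test
    restore_errors: int = 0              # errors recorded in that test
    production: bool = False             # the live data itself counts as copy one

def audit(copies, today, max_age_days=90):   # 90 days is an assumed test window
    """Return 3-2-1-1-0 and identity-isolation findings; empty list means pass."""
    findings = []
    backups = [c for c in copies if not c.production]
    if len(copies) < 3:
        findings.append("3: fewer than three copies")
    if len({c.media for c in copies}) < 2:
        findings.append("2: fewer than two media types")
    if not any(c.offsite for c in backups):
        findings.append("1: no offsite copy")
    if not any(c.immutable_or_offline for c in backups):
        findings.append("1: no immutable or offline copy")
    fresh = [c for c in backups if c.last_restore
             and (today - c.last_restore).days <= max_age_days]
    if not fresh:
        findings.append("0: no verified restore test in window")
    findings += [f"0: {c.name} restore had {c.restore_errors} errors"
                 for c in fresh if c.restore_errors]
    for c in backups:
        if c.federated_with_prod:
            findings.append(f"identity: {c.name} shares production identity")
        if not c.mfa:
            findings.append(f"identity: {c.name} console lacks MFA")
    return findings

TODAY = date(2026, 3, 1)                 # constructed sample data below
PROD = Copy("production", "disk", False, False, True, True, production=True)
WEAK = [PROD, Copy("nas", "disk", False, False, True, False),
        Copy("cloud-sync", "object-storage", True, False, True, True, date(2025, 1, 10))]
STRONG = [PROD, Copy("appliance", "appliance", False, True, False, True, date(2026, 2, 28)),
          Copy("offsite-dc", "object-storage", True, True, False, True, date(2026, 2, 28))]

if __name__ == "__main__":
    for label, inv in (("WEAK", WEAK), ("STRONG", STRONG)):
        print(label, audit(inv, TODAY) or "pass")
```

The WEAK inventory passes the old 3-2-1 counts and still fails: nothing is immutable, the only restore test is over a year old, and both backup consoles sit inside the production identity.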
4. What does a full restore cost, including egress fees?
Most SMB buyers miss this line entirely. Hyperscaler-backed backup products charge $0.08 to $0.12 per GB to retrieve data during a restore.[7] A five-terabyte restore runs $400 to $600 in egress alone, on top of the monthly bill and the incident response work. Larger environments with years of SharePoint history or file shares reach four figures fast. Some pricing models also charge per API request, which balloons on small-file workloads.
Ask your provider to show you the full restore cost for your current data footprint. If they cannot produce a number, that is the answer.
5. What is actually covered, and what is not?
A backup that protects the file server but not Microsoft 365 is half a backup. If your business runs in M365 (and most Florida businesses do), the tenant is production, and the data in it is explicitly your responsibility under Microsoft’s shared responsibility model.[8] Ask specifically which SaaS workloads are covered (email, file sync, chat, shared mailboxes) and check each answer against the shared responsibility model. A backup that leaves half your production out of scope is the same vulnerability as no backup, in a smaller package.
Thirty Days to Notify, and the Clock Starts at Discovery
Florida’s Information Protection Act gives businesses thirty days from discovery to notify affected individuals after a breach of personal information. Breaches affecting 500 or more individuals must also be reported to the Florida Department of Legal Affairs within that same window.[9]
Thirty days is not a long time to stand up a forensic investigation, verify what data was accessed, coordinate with counsel, and issue notifications. It is a much shorter time if you are also trying to restore from a backup that does not work. Every day spent unable to answer “what data was in that system?” is a day burning through the notification clock.
Where We Stand
Every managed IT client we support runs on infrastructure built on the five answers above. Servers are backed up hourly to an immutable Datto BCDR appliance, replicated to two data centers on opposite coasts, and boot-tested every night. Microsoft 365 tenants are backed up three times a day to Datto SaaS Protection, outside the tenant, with credentials a compromised Global Admin cannot reach.
The full recovery system (including how a failed server is virtualized back online in fifteen minutes) is in our business continuity planning post. The M365-specific layer (shared responsibility, the limits of native retention, what three-times-a-day backup actually protects) is in our M365 backup post.
All of it is part of managed IT. Not an add-on, not a premium tier, not a separate contract.
Frequently Asked Questions
Q·01 What is the difference between cloud backup and cloud storage?
Q·02 How do I know if my current backup is actually restorable?
Q·03 What does 3-2-1-1-0 mean?
Q·04 Are immutable backups required for cyber insurance?
Q·05 What should I expect to pay for cloud backup?
If you are not sure whether what you have today would survive the scenarios in this post, start a conversation with us. We will walk the five questions above with you and tell you honestly where you stand.
Sources
1. 2025 Ransomware Trends Report. Veeam, 2025. Survey of 1,300 organizations, 900 of which experienced ransomware attacks. Finding: 69% of victims felt well-prepared pre-attack; only 10% recovered more than 90% of their data. veeam.com
2. 50 Cloud Backup Statistics for 2025. Expert Insights. Aggregated industry data on real-world backup and restore performance, including the ~61% restore success rate. expertinsights.com
3. The State of Backup and Recovery 2025. Unitrends, 2025. Industry survey finding only 15% of organizations test backups daily, with most organizations not testing on any regular cadence. unitrends.com
4. Immutable Backups: Ransomware’s Kryptonite. Blocks & Files, October 2025, reporting on ESG 2025 survey of 200 IT decision makers. Findings: 96% of ransomware victims report backup systems were targeted; 35% were left with missing or incomplete data. blocksandfiles.com
5. #StopRansomware Guide. Cybersecurity and Infrastructure Security Agency (CISA), updated through 2025. Federal guidance recommending immutable, encrypted, offline backups and regular restore testing as baseline practice. cisa.gov
6. The 3-2-1-1-0 Backup Rule Explained. i3 Business Solutions. Industry explainer of the modern backup rule: three copies, two media types, one offsite, one immutable or offline, zero errors on verified restore. i3businesssolutions.com
7. Cloud Backup Pricing. Barracuda. Vendor analysis of cloud backup pricing models, including hyperscaler egress fee structures ($0.08–$0.12 per GB) and their impact on full-restore cost. barracuda.com
8. Shared responsibility in the cloud. Microsoft Learn. Microsoft’s own documentation establishing that customers are responsible for data protection, backup, and recovery of their SaaS data. learn.microsoft.com
9. Florida Information Protection Act, §501.171, Fla. Stat. Florida statute requiring businesses to notify affected individuals within thirty days of discovery of a breach of personal information, with additional notification to the Florida Department of Legal Affairs for breaches affecting 500 or more individuals. leg.state.fl.us
Further Reading
- Microsoft 365 Doesn’t Back Up Your Data by Default. The companion piece on SaaS backup specifically: shared responsibility, the limits of native retention, and what three-times-a-day independent backup actually protects.
- Business Continuity Planning Isn’t About the Disaster. It Never Was. The full recovery system across servers, endpoints, and SaaS, including fifteen-minute virtualization of a failed server and the six threats that actually hit Florida businesses.
- Back Up Your Business Data. CISA guidance for small and medium businesses on the 3-2-1 rule, offline copies, and tested restore procedures. cisa.gov