Last week, a cyber incident hit a major healthcare organization and disrupted work tied to cancer clinical trials. The organization ultimately paid a ransom, then deleted the restored files before bringing systems back online. That kind of cleanup is a reminder of an uncomfortable truth: even when an organization “gets data back,” recovery is messy, expensive, and never guaranteed.
And here’s what I see with small businesses all the time:
They think they’re backed up… until they need to restore.
The Backup Reality in 2026 (What’s Changed)
Backups used to be about hardware failing or someone deleting a folder.
In 2026, the bigger problem is this: attackers go after your backups on purpose. Backup servers have become prime targets because they often hold the “gold copy” of your data. If criminals can wipe or encrypt that “gold copy”, you lose your quickest path to recovery.
Also, more businesses are living inside Microsoft 365 (Email, OneDrive, SharePoint, Teams). That’s great. Fantastic really unless you assume Microsoft is a full backup. Microsoft has built-in retention and restore features, but they have limits (for example, file restore windows like 30 days in some scenarios). That’s not the same thing as a true, independent backup strategy.
3 Backup Myths That Hurt Small Businesses
Myth #1: “We’re in the cloud, so we’re backed up.”
Cloud helps with availability. It does not automatically mean you have point-in-time recovery for everything, forever, in a way that fits your business.
Translation:
- You may be able to recover some things.
- You may not be able to recover fast.
- You may not be able to recover everything you need.
If your business runs on Microsoft 365, you still need to know:
- How far back you can restore
- What’s covered vs not covered
- How long restores take in real life
Myth #2: “We have backups, so ransomware won’t hurt us.”
Ransomware doesn’t just encrypt your files anymore. Many attacks now include:
- stealing data (extortion)
- disrupting operations
- targeting backups so recovery is slow or impossible
If your backups are:
- connected to the same network
- accessible with the same admin credentials
- never tested
…then backups can get taken out right along with production systems.
That’s why immutable backups (backups that can’t be changed or deleted for a set period) are getting so much attention.
Myth #3: “The backups ran, so we’re good.”
This one is the most common trap.
A “successful backup” only means data copied somewhere. It does not mean you can restore it quickly, cleanly, and completely.
Modern best practice has moved beyond “3-2-1” into approaches like 3-2-1-1-0 (including an immutable copy + verified restores with zero errors).
If you’ve never tested restores, you don’t actually know what you have.
The Michigan SMB Lens
If you operate a Michigan business, you don’t just need your files back “eventually.”
You need:
- payroll to run
- email and scheduling to function
- customer work to continue
- invoices, CAD files, case files, contracts, or quoting tools available
Most SMBs don’t have weeks to “figure it out.” That’s why a backup plan is really a business continuity plan.
One Simple Action to Take This Week
Ask your IT provider these exact questions:
“When was the last time you performed a full restore test for our business? How long did it take to get us back to working?”
Not “are backups running.” Not “do we have backups.”
A real restore test with a real timeframe.
If they can’t answer clearly, or they haven’t tested recently, that’s a fixable problem… but still a problem.
What a Solid Backup Plan Looks Like
You don’t need perfection. You need resilience:
- Multiple copies of critical data (not just one)
- One copy that can’t be altered/deleted (immutable)
- A separate identity/permission model so one compromised admin account can’t nuke backups
- Restore testing on a schedule (because “works in theory” doesn’t help on Monday morning)
Your Turn
Be honest: if your systems went down tomorrow…
How long could your business operate without email, files, or line-of-business apps? Comment with a number: “4 hours” / “1 day” / “3 days” / “we’d be toast.”