Backup and Recovery: 5 Assumptions That Fail When It Matters
Backups are your last line of defense against ransomware, hardware failure, and accidental data loss. Yet many Canadian small businesses operate on backup assumptions that don't hold up when it matters most.
1. "We Have Backups"
Having backups and having usable backups are two different things. Common problems include:
- Backups that haven't been tested with an actual restore
- Backup jobs that silently failed weeks ago
- Backups that are incomplete — missing critical databases, configurations, or email archives
- Backup media that has degraded or become unreadable
Fix: Test your backups regularly. At minimum, perform a full test restore quarterly. If you can't restore from your backups, you don't have backups.
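One concrete form of that test restore, as an added example that is not part of the original article: restore the archive to scratch space and check it against a manifest of expected files and hashes, which catches each of the four problems listed above. The archive and file names are constructed assumptions.

```python
# Added example, not the article's code: restore an archive to scratch space and
# check it against a manifest, catching the silent-failure cases listed above.
import hashlib, os, tarfile, tempfile, time

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_backup(archive, manifest, max_age_hours=24):
    """manifest maps relative path -> sha256; ok is True only if fresh, complete, intact."""
    report = {"stale": False, "missing": [], "corrupt": [], "ok": False}
    age_hours = (time.time() - os.path.getmtime(archive)) / 3600
    report["stale"] = age_hours > max_age_hours   # did the job silently stop running?
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive) as tar:
                # The 'data' filter (Python 3.12+, backported) blocks path traversal
                # from hostile archives; older interpreters fall back to plain extract.
                opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(restore_dir, **opts)
        except (tarfile.TarError, OSError):
            report["missing"] = sorted(manifest)   # unreadable media: nothing came back
            return report
        for rel, expected in manifest.items():
            restored = os.path.join(restore_dir, rel)
            if not os.path.isfile(restored):
                report["missing"].append(rel)
            elif sha256_of(restored) != expected:
                report["corrupt"].append(rel)
    report["ok"] = not (report["stale"] or report["missing"] or report["corrupt"])
    return report

def demo():
    """Constructed sample: a complete archive and one that left out the database."""
    files = {"db/app.sqlite": b"constructed database bytes",
             "config/app.ini": b"[app]\nretention_days=30\n"}
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "live")
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(src, rel)), exist_ok=True)
            with open(os.path.join(src, rel), "wb") as f:
                f.write(body)
        manifest = {rel: sha256_of(os.path.join(src, rel)) for rel in files}
        full, partial = os.path.join(work, "full.tar"), os.path.join(work, "partial.tar")
        with tarfile.open(full, "w") as tar:
            for rel in files:
                tar.add(os.path.join(src, rel), arcname=rel)
        with tarfile.open(partial, "w") as tar:
            tar.add(os.path.join(src, "config/app.ini"), arcname="config/app.ini")
        return verify_backup(full, manifest), verify_backup(partial, manifest)
```

Run the same check against last night's real archive on a schedule and alert on any report where ok is False; a green backup job log is not evidence until a restore has actually been compared file by file.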
2. "Our Backups Are in the Cloud"
Cloud backups are convenient, but "in the cloud" isn't automatically safe:
- If ransomware encrypts files that sync to cloud storage, your cloud copy is also encrypted
- Cloud storage is not the same as a cloud backup service — syncing is not backing up
- If your cloud provider account is compromised, the attacker may have access to your backups too
- Cloud services can, though rarely, suffer outages or lose data themselves
Fix: Follow the 3-2-1 rule: three copies of your data, on two different types of storage, with one copy offline or offsite. "Offsite" means physically separate from your network — not just a different folder on the same cloud account.
3. "We'd Be Back Online Quickly"
Most businesses dramatically underestimate recovery time. Restoring from backup involves:
- Identifying exactly what was compromised and when
- Rebuilding or reimaging affected systems
- Restoring data from backup (which can take hours or days depending on volume)
- Verifying data integrity
- Reconnecting systems and testing functionality
- Ensuring the original vulnerability is patched before going back online
For a small business without a documented recovery plan, this process typically takes days to weeks, not hours.
Fix: Create a written recovery plan. Document the steps, assign responsibilities, and know your Recovery Time Objective (RTO) — the maximum acceptable downtime — for each critical system.
4. "Backups Are Only for Ransomware"
Ransomware gets the headlines, but backups protect against much more:
- Hardware failure — hard drives fail, servers die, sometimes without warning
- Human error — accidental file deletion, misconfigured systems, or botched updates
- Software corruption — updates that break things, database corruption
- Natural disasters — fire, flood, power surges, or theft
- Vendor failure — SaaS providers can lose data or shut down unexpectedly
Fix: Think of backups as business continuity insurance, not just a ransomware defense.
5. "Our IT Person Handles It"
Delegating backups to one person without oversight is risky:
- What if that person leaves the company?
- Are they actually monitoring backup success/failure?
- Has anyone verified they can perform a full restore?
- Is the backup strategy documented, or is it all in their head?
Fix: Document your backup procedures. Ensure at least two people understand the system. Review backup reports regularly at a management level.
The Baseline Control
The Canadian Centre for Cyber Security's Baseline Controls include Data Backup (BC.7) as one of the 13 fundamental control areas. It covers backup strategy, encryption, access controls, and recovery testing.
Our free assessment evaluates your backup practices against these standards and provides specific recommendations for improvement.
Disclaimer: This article is intended for general informational purposes only and does not constitute professional cybersecurity, legal, IT, or compliance advice. While we strive to ensure accuracy, the cybersecurity landscape changes rapidly and information may become outdated. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation and develop appropriate security policies. Use of this information is at your own risk. See our Privacy Policy for more information.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.
How does your organization measure up?
Take our free cybersecurity assessment based on the Canadian Centre for Cyber Security's Baseline Controls. 50 questions, under 30 minutes, 100% confidential — your answers never leave your browser.