10 Questions Every IT Leader Should Ask About Their Backup and Ransomware Protection Strategy

Ransomware attacks are no longer a matter of if, but when. Is your backup strategy ready for the challenge?

The Reality of Ransomware

Ransomware attacks are no longer a matter of if, but when. In recent years, we’ve seen everything from hospitals to global retailers brought to a standstill—not because they lacked security tools, but because their backups failed when it mattered most.

For many organizations, backups serve as the ultimate safety net. However, IT leaders often discover too late that their backup strategy wasn’t as solid as they thought. Jobs silently fail. Recovery times are longer than expected. Critical data wasn’t actually backed up.

This article outlines ten essential questions that every IT leader should ask about their current backup and ransomware protection strategy. Whether you’re running backups in-house or relying on a third-party provider, these questions will help you uncover hidden risks and identify opportunities to improve your resiliency before you’re forced to find out the hard way.

❶ When was the last time we successfully tested our backup recovery?

This might be the most critical question on the list. Backup failures are surprisingly common, often caused by silent job failures, corrupted data, incomplete snapshots, or expired credentials that disrupt automated processes. The only way to know your backups work is to test them regularly.

🚨 Many organizations discover their backups don’t work only during an actual emergency when it’s too late to fix the problem.

Test These Elements:

  • Full system restore (not just individual files)
  • Database integrity after restoration
  • Application functionality post-recovery
  • Time required for complete restoration

❷ How long would it take to recover from a full ransomware incident?

It’s one thing to have backups—it’s another to actually restore them fast enough to keep the business running. Many organizations have never timed a full recovery, and during a ransomware incident, every hour of downtime adds pressure and cost.

Two key metrics help frame this:

RTO (Recovery Time Objective): How long does it take to restore systems and resume operations?

RPO (Recovery Point Objective): How much data loss is acceptable, usually measured in time between backups.

⚠️ Without a real-world test, you’re guessing. And in a ransomware scenario, guessing is expensive.
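To show how the two metrics can be measured instead of guessed, here is an added example (not code from the article). The job history, drill timeline, targets, and all function names are constructed for illustration; a backup only counts as a recovery point if it both reported success and passed a restore check.

```python
from datetime import datetime, timedelta

# Constructed job history: (finished_at, reported_status, restore_verified).
JOBS = [
    ("2024-03-01T02:00", "success", True),
    ("2024-03-02T02:00", "success", True),
    ("2024-03-03T02:00", "failed", False),    # job error
    ("2024-03-04T02:00", "success", False),   # silent failure: reported OK, restore test failed
    ("2024-03-05T02:00", "success", True),
]
# Constructed restore-drill timeline: (stage, started, finished).
DRILL = [
    ("provision hosts", "2024-03-09T09:00", "2024-03-09T10:30"),
    ("restore database", "2024-03-09T10:30", "2024-03-09T14:15"),
    ("restore file shares", "2024-03-09T11:00", "2024-03-09T13:00"),
    ("validate applications", "2024-03-09T14:15", "2024-03-09T15:45"),
]

def usable_points(jobs):
    """Only backups that both succeeded and passed a restore check count."""
    return sorted(datetime.fromisoformat(ts) for ts, status, ok in jobs
                  if status == "success" and ok)

def worst_data_loss(jobs, until):
    """Largest window of data that could be lost between usable points up to `until`."""
    marks = usable_points(jobs) + [datetime.fromisoformat(until)]
    if len(marks) < 2:
        raise ValueError("no usable restore point in history")
    return max(later - earlier for earlier, later in zip(marks, marks[1:]))

def measured_rto(drill):
    """Wall-clock time from the first stage starting to the last stage finishing."""
    starts = [datetime.fromisoformat(s) for _, s, _ in drill]
    ends = [datetime.fromisoformat(e) for _, _, e in drill]
    return max(ends) - min(starts)

def assess(jobs, drill, until, rpo_target, rto_target):
    """Compare measured values against the stated objectives."""
    loss, rto = worst_data_loss(jobs, until), measured_rto(drill)
    return {"worst_data_loss": loss, "rpo_met": loss <= rpo_target,
            "measured_rto": rto, "rto_met": rto <= rto_target}

if __name__ == "__main__":
    print(assess(JOBS, DRILL, "2024-03-05T12:00",
                 rpo_target=timedelta(hours=24), rto_target=timedelta(hours=4)))
```

With nightly jobs the schedule suggests a 24-hour RPO, but the failed job and the silent failure stretch the real exposure to 72 hours, and the drill takes 6 hours 45 minutes against a 4-hour target.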

❸ Are our backups isolated from the rest of the network?

One of the biggest mistakes organizations make is keeping their backups too close to the systems they’re meant to protect. When ransomware hits, it often spreads across the network, and if your backups are accessible, they can be encrypted or deleted right along with everything else.

To prevent this, backups must be isolated. That can mean:

  • Immutability: Backups that can’t be altered or deleted for a fixed period of time.
  • Air-gapped storage: Offline or physically separated backups, such as external drives or tape.
  • Access restrictions: Ensuring backup systems aren’t on the same domain or accessible via the same credentials used elsewhere in the environment.

The 3-2-1 Rule Still Applies

  • 3 copies of your data
  • 2 different media types
  • 1 copy stored offsite and offline

❹ Can we detect if ransomware has made it into our backups?

Ransomware doesn’t always announce itself right away. Some strains remain dormant for weeks or months, gradually encrypting or corrupting files in the background. If your backup system is configured to retain only a few recent versions, there’s a real risk that all your backups contain encrypted data, without you even realizing it.

That’s why early detection is critical. Some modern backup solutions offer:

  • Anomaly detection: Alerts when backup sizes or file change rates deviate from normal patterns.
  • Ransomware scanning: Identifies known ransomware signatures or suspicious file behavior.
  • Extended retention: Lets you roll back to clean versions from weeks or months ago.

Silent ransomware can lurk for months—make sure your backup retention spans longer than typical attack timelines.
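The anomaly-detection and retention points above can be combined in one check. This is an added example, not code from the article or from any backup product: the daily statistics, the window and threshold values, and the function names are all constructed. It flags backups whose size or file change rate departs from a trailing baseline, finds the last restore point before the first anomaly, and tests whether a given retention period would still hold that point when the attack is noticed.

```python
from datetime import date
from statistics import median

# Constructed daily incremental stats: (day, size_gb, changed_file_pct); last 3 days spike.
HISTORY = [
    (date(2024, 5, 1), 41.0, 2.1), (date(2024, 5, 2), 39.5, 1.9),
    (date(2024, 5, 3), 42.2, 2.3), (date(2024, 5, 4), 40.1, 2.0),
    (date(2024, 5, 5), 40.8, 2.2), (date(2024, 5, 6), 41.5, 2.1),
    (date(2024, 5, 7), 39.9, 1.8), (date(2024, 5, 8), 40.6, 2.0),
    (date(2024, 5, 9), 97.3, 18.4), (date(2024, 5, 10), 120.5, 31.0),
    (date(2024, 5, 11), 118.0, 29.5),
]

def robust_z(value, window):
    """Modified z-score from median and MAD, so one outlier cannot skew the baseline."""
    med = median(window)
    mad = median(abs(x - med) for x in window)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def find_anomalies(history, window=7, threshold=3.5):
    """Return days whose size or change rate deviates from the trailing clean baseline."""
    clean, flagged = [], []
    for day, size, pct in history:
        if len(clean) >= window:
            recent = clean[-window:]
            scores = (robust_z(size, [r[1] for r in recent]),
                      robust_z(pct, [r[2] for r in recent]))
            if any(abs(z) > threshold for z in scores):
                flagged.append(day)   # flagged days never join the baseline
                continue
        clean.append((day, size, pct))
    return flagged

def last_clean_point(history, flagged):
    """Newest restore point taken before the first anomalous backup."""
    if not flagged:
        return history[-1][0]
    earlier = [day for day, _, _ in history if day < min(flagged)]
    return earlier[-1] if earlier else None

def still_retained(point, detected_on, retention_days):
    """True if the clean point has not aged out by the time the attack is noticed."""
    return point is not None and (detected_on - point).days <= retention_days

if __name__ == "__main__":
    clean = last_clean_point(HISTORY, find_anomalies(HISTORY))
    print(clean, still_retained(clean, date(2024, 6, 20), 14))
```

If the anomaly goes unnoticed until 20 June, the last clean point (8 May) is 43 days old: a 14-day retention policy has already discarded it, while a 90-day policy still holds it.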

❺ Do we know who has access to backup systems—and why?

Your backup system is a high-value target. If an attacker—or even a disgruntled insider—can access your backups, they can delete recovery points, encrypt backup data, or quietly disable jobs without being noticed.

Protect your backups like you protect your production systems—with strict access controls and monitoring.

That’s why access control and audit logging are just as important for backup infrastructure as they are for your production systems. You should have:

  • Role-based access control (RBAC): Only the people who need to manage backups should have access.
  • Separation of duties: No single admin should have end-to-end control over both production and backup systems.
  • Audit logs: Track who accessed what, when, and what changes were made.

❻ Are we covering endpoints, SaaS apps, cloud services, and servers?

Many backup strategies focus heavily on on-prem servers or core databases, but today’s environments are far more distributed. Critical data often lives in:

  • Employee laptops and mobile devices
  • Cloud storage like Google Drive, OneDrive, and Dropbox
  • SaaS platforms like Microsoft 365, Google Workspace, Salesforce, and Slack
  • Cloud-hosted servers and databases

If it has business data, it needs backup protection—regardless of where it lives.

❼ How frequently do we review and update our backup policies?

Backup strategies aren’t “set it and forget it.” Your environment changes constantly—new apps get deployed, teams adopt new tools, and data volumes grow. What worked a year ago might be dangerously outdated today.

Set a reminder to review your backup strategy quarterly—technology changes fast.

❽ Do we back up our security and configuration data?

When disaster strikes, recovering applications and data is just part of the equation. Without the right configuration and security settings, you may find yourself scrambling to rebuild systems manually.

❾ Do we have a ransomware-specific recovery plan?

A generic disaster recovery (DR) plan isn’t enough. Ransomware incidents present unique challenges, including legal implications, containment needs, public relations concerns, and uncertainty about the extent of the infection.

Ransomware isn’t just a technical problem—it requires legal, communication, and business continuity responses.

A ransomware-specific recovery plan should include:

  • Isolation procedures: How to prevent the spread across systems.
  • Forensics and evidence collection: Preserving logs and artifacts for investigation.
  • Communication protocols: What to share with employees, partners, and potential customers.
  • Clean restore workflows: Ensuring recovered data isn’t re-infected.
  • Decision trees: When to involve law enforcement, legal counsel, or insurance.

❿ Have we done a backup audit in the last 12 months?

Backups tend to be out of sight, out of mind—until something goes wrong. That’s why a periodic backup audit is essential. It’s your opportunity to verify what’s really being backed up, how fast it can be restored, and whether your systems and processes are keeping up with current risks.

A backup audit is like a fire drill—better to find problems during practice than during the emergency.

A solid backup audit should cover:

  • Coverage gaps: Are all critical systems, SaaS apps, and endpoints included?
  • Recovery tests: Can we restore data within our RTO/RPO?
  • Retention policies: Do we keep data long enough to catch delayed ransomware infections?
  • Access controls and logging: Who has access, and is it being tracked?
  • Compliance and documentation: Are we in alignment with industry regulations and internal policies?

Take Action Before It’s Too Late

In today’s threat landscape, backups are more than a safety net—they’re a strategic asset. But simply having backups isn’t enough. You need to know that they work, cover everything that matters, and can withstand a real-world ransomware attack.

The ten questions in this article are meant to spark a deeper conversation inside your organization. If you couldn’t confidently answer all of them, you’re not alone—and now is the perfect time to close those gaps.

Schedule a backup review. Better yet, conduct a full audit. You’ll gain clarity on your true readiness and may uncover issues that could save your business days—or even weeks—of downtime in a crisis.
