← Back to the blog

April 22, 2026 · 3 min read

Test your backup: only the restore counts

Test your backup by actually restoring from it. Why a NAS that saves every night is not a strategy and only the tested restore counts.

AA
Anton Anders
IT consultant & developer

Quick answer up front: a backup you’ve never restored from isn’t a backup, it’s a hope. What counts in an incident isn’t that data was saved, but that you can restore it in a tested way and that at least one copy sits where ransomware can’t reach it. Everything else is decoration.

The three sentences that won’t protect you

A NAS that backs up nightly is a start. The only question is whether it hangs on the same network as your workstations. If it does, modern ransomware encrypts it right along with everything else. Reachable backups are the first target, not the last.

“It runs automatically, the software handles it” is the second false comfort. Automatic doesn’t mean monitored. The job dies quietly eight months ago, the error email lands in a mailbox nobody reads, and you find out on the day of the outage. This is exactly what managed operations exist for: someone sees the dead job before it becomes a problem.

Then there’s the immutable appliance that’s supposedly ransomware-proof. Immutability is good. But without a tested restore, all you know is that the data is there, not that you can get it back in a reasonable time. That’s a difference you survive or don’t.

3-2-1-1-0, honestly translated

The old 3-2-1 rule picked up two more digits. What they actually mean day to day:

RuleWhat it really means
3 copiesThe original plus two backups. Not the original plus one copy you call a “backup.”
2 mediaOn two different types of storage. Two folders on the same NAS don’t count.
1 off-siteOne copy in another location, so a different site or a serious cloud or hosting provider.
1 offline or immutableA copy an attacker can’t delete or encrypt.
0 errors on testThe restore was tested and ran through cleanly. This is the most important digit.

That last zero is where nearly everyone falls short. Everyone talks about the backup. Almost nobody practises the recovery. If NIS2 applies to you, the topic is on your desk anyway: recovery is a legal requirement there, not a nice-to-have.

The test almost nobody runs

Take an afternoon, pick a real system, not the smallest one, and restore it from backup into a separate environment. Time it. Two questions answer themselves:

  • How long does it take? That’s your real recovery time. If “a few hours” is actually two days, you want to know that now, not mid-incident.
  • How much is missing? The gap between the last backup and the outage. A day of lost data means one thing for accounting and something else for an online shop.

The background is uncomfortable: 87 percent of German companies were recently hit by data theft, espionage or sabotage, and cyberattacks alone cause 202.4 billion euros in damage per year (Bitkom, 2025). And ransomware goes for the backups first, before it touches the production systems. If you only find out during the incident that the restore doesn’t work, you never had a backup. You had a rumour. And quite possibly no insurance cover either, because gaps like this are the classic case where cyber insurance won’t pay.


Want to know whether your backup survives a real restore test, including a copy that sits out of reach? Get in touch — we test the recovery before the incident does.

Frequently asked questions

How often should you test a restore? +

At least once or twice a year, more often for critical systems. What matters is that the test is documented and the measured recovery time actually fits how long your business can afford to be down.

What does the 3-2-1 backup rule mean? +

Three copies of your data on two different types of media, one of them off-site. The extended 3-2-1-1-0 form adds an offline or immutable copy — and zero errors on a tested restore.

Is a NAS on its own a backup? +

No. A NAS on the same network as your workstations is just a reachable copy, and reachable copies are exactly what ransomware encrypts first. A real backup needs at least one copy that is offline or immutable.

Why isn't an automatic backup enough? +

Automatic doesn't mean monitored. Backup jobs fail silently, the error email lands in a mailbox nobody reads, and the gap only shows up during the incident. Without monitoring and restore tests, a backup is just a hope.

Sounds like your situation?

Let’s talk about it — free and with no strings attached.