Quick answer up front: a backup you’ve never restored from isn’t a backup, it’s a hope. What counts in an incident isn’t that data was saved, but that you can restore it in a tested way and that at least one copy sits where ransomware can’t reach it. Everything else is decoration.
The three sentences that won’t protect you
A NAS that backs up nightly is a start. The only question is whether it hangs on the same network as your workstations. If it does, modern ransomware encrypts it right along with everything else. Reachable backups are the first target, not the last.
“It runs automatically, the software handles it” is the second false comfort. Automatic doesn’t mean monitored. The job dies quietly eight months ago, the error email lands in a mailbox nobody reads, and you find out on the day of the outage. This is exactly what managed operations exist for: someone sees the dead job before it becomes a problem.
Then there’s the immutable appliance that’s supposedly ransomware-proof. Immutability is good. But without a tested restore, all you know is that the data is there, not that you can get it back in a reasonable time. That’s a difference you survive or don’t.
3-2-1-1-0, honestly translated
The old 3-2-1 rule picked up two more digits. What they actually mean day to day:
| Rule | What it really means |
|---|---|
| 3 copies | The original plus two backups. Not the original plus one copy you call a “backup.” |
| 2 media | On two different types of storage. Two folders on the same NAS don’t count. |
| 1 off-site | One copy in another location, so a different site or a serious cloud or hosting provider. |
| 1 offline or immutable | A copy an attacker can’t delete or encrypt. |
| 0 errors on test | The restore was tested and ran through cleanly. This is the most important digit. |
That last zero is where nearly everyone falls short. Everyone talks about the backup. Almost nobody practises the recovery. If NIS2 applies to you, the topic is on your desk anyway: recovery is a legal requirement there, not a nice-to-have.
The test almost nobody runs
Take an afternoon, pick a real system, not the smallest one, and restore it from backup into a separate environment. Time it. Two questions answer themselves:
- How long does it take? That’s your real recovery time. If “a few hours” is actually two days, you want to know that now, not mid-incident.
- How much is missing? The gap between the last backup and the outage. A day of lost data means one thing for accounting and something else for an online shop.
The background is uncomfortable: 87 percent of German companies were recently hit by data theft, espionage or sabotage, and cyberattacks alone cause 202.4 billion euros in damage per year (Bitkom, 2025). And ransomware goes for the backups first, before it touches the production systems. If you only find out during the incident that the restore doesn’t work, you never had a backup. You had a rumour. And quite possibly no insurance cover either, because gaps like this are the classic case where cyber insurance won’t pay.
Want to know whether your backup survives a real restore test, including a copy that sits out of reach? Get in touch — we test the recovery before the incident does.