# Week 3: If You Get Ransomware Tomorrow, Could You Recover?
Part of the 30-Day SME Cyber Security Series
Let’s be direct.
> If your business was locked out of its systems tomorrow… could you recover?
Not “eventually.”
Not “we’ll figure it out.”
👉 **Could you be back up and running within days — without paying a ransom?**
Because that’s the difference between:
* A disruption
* And a business-ending event
—
## What is Ransomware (Plain English)
Ransomware is when attackers:
* Lock your files
* Encrypt your systems
* Demand payment to restore access
You’ll see a message like:
> “Your files have been encrypted. Pay $50,000 to regain access.”
And here’s the reality:
👉 Even if you pay — you might not get your data back.
—
## Why SMEs Get Hit Hardest
Large organisations:
* Have backups
* Have recovery plans
* Have IT teams
SMEs often:
* Assume “the cloud has it covered”
* Don’t test backups
* Don’t know what would actually happen
👉 Attackers know this.
—
## What This Looks Like in the Real World
### 💻 Example: The Silent Infection
An employee clicks a phishing email.
Nothing obvious happens.
Behind the scenes:
* Malware installs
* Spreads across the network
* Waits
Then one morning:
👉 Every file is encrypted.
* Accounting system → locked
* Customer data → locked
* Shared drives → locked
—
### 💸 Example: The “We Thought We Had Backups” Problem
A business believes:
* “We’re safe — everything is in the cloud”
But:
* Backups were syncing corrupted files
* No offline copy existed
* No recovery test had ever been done
👉 Result: total data loss
—
## The Hard Truth
> Backups don’t protect you.
> **Recoverable backups** protect you.
—
## The Fix: The 3-2-1 Backup Rule
This is the global standard — and it’s simple:
* **3 copies of your data**
* **2 different storage types**
* **1 copy offline (not connected to your network)**
—
### Example for an SME:
* Copy 1 → Live system (your working files)
* Copy 2 → Cloud backup (e.g. Microsoft 365 / Google Drive backup)
* Copy 3 → Offline backup (external drive or secure backup service)
—
## What You Actually Need to Back Up
Focus on what matters:
* Financial systems (MYOB, Xero)
* Customer data
* Contracts and documents
* Emails
* Shared drives
👉 If losing it would hurt the business — back it up.
—
## Step-by-Step Setup (Practical)
—
### 🔹 Step 1: Identify Critical Data
Ask:
* What do we NEED to operate?
* What can’t we afford to lose?
—
### 🔹 Step 2: Confirm Existing Backups
Check:
* Are backups already running?
* Where are they stored?
* Are they automatic?
👉 Don’t assume — verify
—
### 🔹 Step 3: Implement Cloud Backup
For:
* Microsoft 365 → use backup solutions (not just OneDrive sync)
* Google Workspace → enable backup tools
👉 Important:
Sync ≠ Backup
—
### 🔹 Step 4: Create an Offline Backup
Options:
* External hard drive (disconnected when not in use)
* Dedicated backup service with offline protection
👉 This protects against:
* Ransomware
* System-wide compromise
—
### 🔹 Step 5: Automate Everything
* Daily backups
* No manual steps
* Alerts if backups fail
—
### 🔹 Step 6: Test Recovery (CRITICAL)
This is where most businesses fail.
Test:
* Can you restore files?
* How long does it take?
* What’s missing?
👉 If you haven’t tested it — it doesn’t count
—
## 🔧 Simple Tool Options
### ☁️ Cloud Backup:
* Microsoft 365 Backup solutions (e.g. Veeam, AvePoint)
* Google Workspace backup tools
—
### 💾 Offline Backup:
* External drives (rotated weekly)
* NAS with offline snapshot capability
—
👉 You don’t need enterprise tools — just **reliable ones**
—
## ⚠️ What Most Businesses Get Wrong
—
### ❌ 1. Thinking “cloud = backup”
Cloud platforms:
* Sync data
* Don’t protect against:
  * Deletion
  * Corruption
  * Ransomware
👉 **Fix:** Use proper backup solutions
—
### ❌ 2. No offline backup
If ransomware hits:
* It can encrypt connected backups too
👉 **Fix:** Maintain at least one offline copy
—
### ❌ 3. Never testing recovery
Backups exist…
…but no one knows if they work
👉 **Fix:** Test quarterly at minimum
—
### ❌ 4. Backing up everything (but nothing useful)
* Junk data backed up
* Critical systems overlooked
👉 **Fix:** Prioritise business-critical data
—
### ❌ 5. No recovery plan
Even with backups:
* Who restores?
* In what order?
* How long will it take?
👉 **Fix:** Define a simple recovery process
—
## 🧠 Simple Rule for Your Business
> If you can’t restore your business within a few days — your backups aren’t good enough.
—
## What You Should Do This Week
### Day 1:
* Identify critical data
### Day 2:
* Review existing backups
### Day 3:
* Implement or upgrade cloud backup
### Day 4:
* Set up offline backup
### Day 5:
* Automate backup processes
### Day 6–7:
* Test recovery
—
## The Outcome
After just one week:
* Ransomware risk → **contained**
* Data loss → **recoverable**
* Business continuity → **protected**
—
## Final Thought
Cybersecurity isn’t about stopping every attack.
It’s about:
👉 **Making sure your business survives when one gets through**
—
**Next:**
👉 *Week 4: Your Laptop Is the Weakest Link — Here’s How to Fix It*
**Previous:**
👉 *Week 2: Stop Reusing Passwords — Simple Fixes That Actually Work*
**Need help setting up reliable backups and recovery?**
IQ People helps SMEs protect their data and ensure they can recover quickly — without enterprise complexity.
