Testing and Verifying Your Backups
Testing and Verifying Your Backups

Photo by Ivo Brasil on Pexels
A backup that has never been tested is not a backup — it is a hope. Forty percent of untested backups fail on the first real restore attempt. The only way to know your backups work is to restore from them regularly and verify the data.
The Monthly Backup Test
Schedule a monthly backup test. It does not need to be complex. Pick a few files, restore them, and verify they open correctly. This takes 15 minutes and catches 90% of backup problems.
Monthly test checklist:
- Restore 5 random files from the most recent backup — do they open?
- Restore 1 file from 30 days ago — is it there and intact?
- Check the backup log — were there any errors or warnings in the last month?
- Verify the backup storage has enough free space
- Confirm the backup service account password has not expired
The Quarterly Full Restore Test
Every 90 days, perform a full restore test. This is more involved but critical:
- Select a test environment — A separate computer or virtual machine that is not connected to your production network
- Perform a full restore from backup — Restore the entire server or critical data set to the test environment
- Verify data integrity — Open databases, check file integrity, verify recent transactions are present
- Test application functionality — Can the restored application actually run? Can users log in? Can reports be generated?
- Document the results — How long did it take? What errors occurred? What is missing? This documentation is your Recovery Time Objective (RTO) verification
- Document any gaps — If data was missing or corrupted, note it and fix the backup configuration before the next test
Understanding RTO and RPO
These two metrics define your backup requirements and are often required by cyber insurance and compliance frameworks:
Recovery Time Objective (RTO)
How long can your business survive without its data? This is your maximum acceptable downtime. For most small businesses, the answer is 24-48 hours. Some businesses (e-commerce, healthcare) need RTO of 1-4 hours. Your backup strategy must be able to restore within this time frame.
Recovery Point Objective (RPO)
How much data can you afford to lose? If your last backup was 24 hours ago and your server crashes, you lose 24 hours of data. Your RPO defines how often you need to back up. For most small businesses, daily backups give an RPO of 24 hours. Critical systems may need hourly backups.
Creating Your Backup Documentation
If the person who set up your backups leaves, can someone else restore from them? Document everything:
- Backup software and version — What tool is used, where are the installation files, what is the license key
- Backup schedule — What runs when, what data is included, what is excluded
- Storage locations — Where are local backups, where are cloud backups, what are the credentials
- Encryption passwords/keys — Stored securely (password manager or sealed envelope)
- Restore procedures — Step-by-step instructions for restoring files, databases, and full systems
- Test results — Log of each test with date, what was tested, results, and any issues found
Cloud Backup Considerations for Microsoft 365 and Google Workspace
Many businesses assume Microsoft and Google back up their cloud data. They do maintain infrastructure backups, but their retention policies for user-deleted data are limited:
- Microsoft 365 — Deleted emails are in the Deleted Items folder for 30 days, then permanently removed. Deleted SharePoint files are in the recycle bin for 93 days. After that, gone forever
- Google Workspace — Deleted emails are in Trash for 30 days. Deleted Drive files are in Trash for 30 days. After that, gone
If a user accidentally deletes important emails, or if an attacker deletes data, you have a limited window to recover. Third-party backup services (like Veeam for Microsoft 365, or Backupify) provide independent backups of your cloud data with longer retention and point-in-time recovery.
Key Takeaways
- 40% of untested backups fail on first restore — testing is not optional
- Monthly quick tests catch most problems; quarterly full restores validate complete recovery
- Define your RTO and RPO so you know what your backup system must deliver
- Document everything — a backup system only the IT person understands is a single point of failure
- Cloud platforms are not backups — their retention is limited and user-deleted data is eventually gone
Testing and Verifying Your Backups
A backup that has never been tested is not a backup — it is a hope. Forty percent of untested backups fail on the first real restore attempt. The only way to know your backups work is to restore from them regularly and verify the data.
The Monthly Backup Test
Schedule a monthly backup test. It does not need to be complex. Pick a few files, restore them, and verify they open correctly. This takes 15 minutes and catches 90% of backup problems.
Monthly test checklist:
- Restore 5 random files from the most recent backup — do they open?
- Restore 1 file from 30 days ago — is it there and intact?
- Check the backup log — were there any errors or warnings in the last month?
- Verify the backup storage has enough free space
- Confirm the backup service account password has not expired
The Quarterly Full Restore Test
Every 90 days, perform a full restore test. This is more involved but critical:
- Select a test environment — A separate computer or virtual machine that is not connected to your production network
- Perform a full restore from backup — Restore the entire server or critical data set to the test environment
- Verify data integrity — Open databases, check file integrity, verify recent transactions are present
- Test application functionality — Can the restored application actually run? Can users log in? Can reports be generated?
- Document the results — How long did it take? What errors occurred? What is missing? This documentation is your Recovery Time Objective (RTO) verification
- Document any gaps — If data was missing or corrupted, note it and fix the backup configuration before the next test
Understanding RTO and RPO
These two metrics define your backup requirements and are often required by cyber insurance and compliance frameworks:
Recovery Time Objective (RTO)
How long can your business survive without its data? This is your maximum acceptable downtime. For most small businesses, the answer is 24-48 hours. Some businesses (e-commerce, healthcare) need RTO of 1-4 hours. Your backup strategy must be able to restore within this time frame.
Recovery Point Objective (RPO)
How much data can you afford to lose? If your last backup was 24 hours ago and your server crashes, you lose 24 hours of data. Your RPO defines how often you need to back up. For most small businesses, daily backups give an RPO of 24 hours. Critical systems may need hourly backups.
Creating Your Backup Documentation
If the person who set up your backups leaves, can someone else restore from them? Document everything:
- Backup software and version — What tool is used, where are the installation files, what is the license key
- Backup schedule — What runs when, what data is included, what is excluded
- Storage locations — Where are local backups, where are cloud backups, what are the credentials
- Encryption passwords/keys — Stored securely (password manager or sealed envelope)
- Restore procedures — Step-by-step instructions for restoring files, databases, and full systems
- Test results — Log of each test with date, what was tested, results, and any issues found
Cloud Backup Considerations for Microsoft 365 and Google Workspace
Many businesses assume Microsoft and Google back up their cloud data. They do maintain infrastructure backups, but their retention policies for user-deleted data are limited:
- Microsoft 365 — Deleted emails are in the Deleted Items folder for 30 days, then permanently removed. Deleted SharePoint files are in the recycle bin for 93 days. After that, gone forever
- Google Workspace — Deleted emails are in Trash for 30 days. Deleted Drive files are in Trash for 30 days. After that, gone
If a user accidentally deletes important emails, or if an attacker deletes data, you have a limited window to recover. Third-party backup services (like Veeam for Microsoft 365, or Backupify) provide independent backups of your cloud data with longer retention and point-in-time recovery.
Key Takeaways
- 40% of untested backups fail on first restore — testing is not optional
- Monthly quick tests catch most problems; quarterly full restores validate complete recovery
- Define your RTO and RPO so you know what your backup system must deliver
- Document everything — a backup system only the IT person understands is a single point of failure
- Cloud platforms are not backups — their retention is limited and user-deleted data is eventually gone
There are no comments for now.