7 Ransomware Backup Mistakes Every UK SME Should Avoid

Hi, I’m David Evestaff. If you’re running a business in the UK right now, you’ve probably had at least one sleepless night worrying about cyberattacks. We see the headlines every day: another local firm hit, systems locked down, and a ransom demand that looks more like a phone number than a bill.

Most business owners I talk to tell me the same thing: "It's fine, David, we’ve got backups."

And that’s where the trouble starts.

Having a backup is like having a spare tyre. It’s only useful if it’s inflated, if you have the right jack to change it, and if the spare itself hasn't been slashed by the same person who punctured your main wheels. In the world of ransomware, the "hackers" aren't just looking to encrypt your live data anymore; they are actively hunting your backups first. They want to make sure that when they pull the trigger, you have zero options left but to pay.

At Evestaff IT Support and Consultancy, we’ve seen how these attacks play out. Here are the seven most common ransomware backup mistakes we see UK SMEs making, and, more importantly, how you can fix them before the worst happens.

1. The "Set and Forget" Fallacy: Not Testing Restores

This is the number one mistake. I see it all the time. A business has a backup system running, the software shows a green tick every morning, and everyone assumes the data is safe.

But a "successful backup" only means the software thinks it copied data. It doesn't mean that data is usable. Files can become corrupted, encryption keys can be lost, or the backup might only be capturing a fraction of what you actually need.

If you haven’t physically tried to restore your entire system onto a blank machine lately, you don’t have a backup, you have a hope. We recommend a full restoration test at least once a quarter. You need to know exactly how long a full restore takes, measured against your Recovery Time Objective, and how much recent data you would lose, measured against your Recovery Point Objective.
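Here is what a restore test looks like when you write it down as code rather than trusting the green tick. This is an added example, not Evestaff's own tooling: it records a manifest of file hashes at backup time, "restores" into a fresh location (a plain directory copy standing in for a real backup product's restore job), times the restore against an RTO target, and reports any file that is missing or came back different. The sample files are constructed for the demonstration.

```python
"""Restore test: record a manifest of file hashes at backup time, 'restore'
into a fresh location, time the restore against an RTO target and check every
file came back intact.

Added example, not Evestaff's tooling. The 'restore' step is a plain directory
copy standing in for a real backup product's restore job, and the sample files
are constructed for the demonstration.
"""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by POSIX-style relative path."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree with the backup-time manifest."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupt": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def run_restore_test(source: Path, target: Path, rto_seconds: float) -> dict:
    """Manifest, restore, time, verify. 'usable' means every file hashed the
    same after the restore, which is what a green tick does not tell you."""
    manifest = build_manifest(source)
    start = time.monotonic()
    shutil.copytree(source, target, dirs_exist_ok=True)   # stand-in for the real restore job
    elapsed = time.monotonic() - start
    report = verify_restore(target, manifest)
    report["restore_seconds"] = elapsed
    report["within_rto"] = elapsed <= rto_seconds
    report["usable"] = not report["missing"] and not report["corrupt"]
    return report


def demo() -> tuple:
    """Constructed scenario: one clean restore, then one where a file was never
    captured and another came back corrupted. Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live = base / "live"
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (live / "config.ini").write_text("[server]\nname=fileserver01\n")

        good = run_restore_test(live, base / "restore_ok", rto_seconds=4 * 3600)

        manifest = build_manifest(live)
        bad_dir = base / "restore_bad"
        shutil.copytree(live, bad_dir)
        (bad_dir / "config.ini").unlink()                                 # simulated missing file
        (bad_dir / "accounts" / "ledger.csv").write_bytes(b"\x00garbage")  # simulated corruption
        bad = verify_restore(bad_dir, manifest)
        return good, bad


if __name__ == "__main__":
    ok, broken = demo()
    print("clean restore usable:", ok["usable"], "in", round(ok["restore_seconds"], 3), "s")
    print("broken restore:", broken)
```

Run it once a quarter against a blank machine, not the live server, and keep the elapsed time: that number, not the software's own estimate, is what you compare with your Recovery Time Objective.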

2. Putting All Your Eggs in One Basket (Single Locations)

I’ve walked into offices where the backup is just a USB drive plugged into the main server. If a fire breaks out, both are gone. If a flood happens, both are gone. And if ransomware hits that server, it will immediately crawl down that USB cable and encrypt your backup too.

Relying on a single location, whether it’s just on-premises or just in the cloud, is a recipe for disaster. We advocate for the 3-2-1-1-0 rule:

  • 3 copies of your data.
  • Stored on 2 different types of media.
  • 1 copy off-site (cloud).
  • 1 copy offline (air-gapped or immutable).
  • 0 errors after automated backup testing.
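The rule is easy to recite and easy to fail quietly, so here it is as a checklist you can run over your own backup inventory. This is an added example, not a feature of any backup product: the two inventories are constructed (the "USB drive in the server" office from above, and a compliant one), and the field names are assumed stand-ins for whatever your backup tool actually reports. The live production copy is counted as one of the three copies, which is the usual reading of the rule.

```python
"""Audit a backup inventory against the 3-2-1-1-0 rule.

Added example, not a feature of any backup product. The inventories are
constructed and the field names are assumed stand-ins for what a real backup
tool reports. The live copy counts as one of the three copies.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class BackupCopy:
    name: str
    media: str                        # e.g. "disk", "tape", "object-storage"
    offsite: bool                     # held away from the primary site
    offline_or_immutable: bool        # air-gapped, or WORM-locked for a retention window
    last_test_errors: Optional[int]   # errors in the last automated restore test; None = never tested


def audit_3_2_1_1_0(copies: list) -> dict:
    """Which of the five requirements the inventory satisfies."""
    return {
        "3_copies": len(copies) >= 3,
        "2_media_types": len({c.media for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_offline_or_immutable": any(c.offline_or_immutable for c in copies),
        # 'never tested' (None) counts as a failure: an untested backup is a hope, not a backup
        "0_test_errors": bool(copies) and all(c.last_test_errors == 0 for c in copies),
    }


def failures(copies: list) -> list:
    """Names of the requirements not met, in 3-2-1-1-0 order."""
    return [name for name, ok in audit_3_2_1_1_0(copies).items() if not ok]


# Constructed inventory 1: the 'USB drive plugged into the server' office.
# The live copy has nothing to restore, so its test-error count is recorded as 0.
USB_ONLY = [
    BackupCopy("file server (live)", "disk", offsite=False, offline_or_immutable=False, last_test_errors=0),
    BackupCopy("USB drive on the server", "disk", offsite=False, offline_or_immutable=False, last_test_errors=None),
]

# Constructed inventory 2: live data, an immutable cloud copy and an offline tape set kept off-site.
COMPLIANT = [
    BackupCopy("file server (live)", "disk", offsite=False, offline_or_immutable=False, last_test_errors=0),
    BackupCopy("nightly cloud backup", "object-storage", offsite=True, offline_or_immutable=True, last_test_errors=0),
    BackupCopy("weekly tape, stored off-site", "tape", offsite=True, offline_or_immutable=True, last_test_errors=0),
]

if __name__ == "__main__":
    for label, inventory in (("USB only", USB_ONLY), ("3-2-1-1-0", COMPLIANT)):
        print(label, "->", failures(inventory) or "compliant")
```

The USB-only office fails all five points at once, which is the real lesson: a single on-site copy on the same media, never tested, is not a partial answer to the rule but a complete miss.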

3. Confusing "Cloud Sync" with "Cloud Backup"

This is a subtle but deadly distinction. Many SMEs use services like Dropbox, OneDrive, or Google Drive and think, "My files are in the cloud, I’m safe."

These are synchronisation services, not backup services. Their job is to make sure the file on your laptop is the exact same as the file in the cloud. If ransomware encrypts your local file, the sync service says, "Oh, the file changed! Let me update the cloud version for you."

Within seconds, your "safe" cloud copy is also encrypted. While some of these services have versioning history, relying on them as your primary recovery strategy against a sophisticated attack is incredibly risky. You need a dedicated, versioned backup solution that operates independently of your file-syncing tools.

4. Ignoring the Power of Immutability

Modern ransomware is "backup-aware." The first thing a sophisticated piece of malware does when it enters your network is sit quietly and look for your backup credentials. Once it finds them, it deletes your backups or encrypts them before touching your live data.

The solution is Immutable Backups.

"Immutable" simply means "unchangeable." It uses WORM (Write Once, Read Many) technology. Once the data is written to the backup storage, it cannot be altered, deleted, or overwritten by anyone, including your admin, for a set period (say, 30 days). Even if a hacker gets your highest-level password, they can’t touch those files. It’s the ultimate "get out of jail free" card in a ransomware scenario.
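To make the "even your admin can't touch it" point concrete, here is a small model of a WORM retention window. It is an added example, not a real storage product's API: it reproduces the rule described above, which cloud object-lock "compliance mode" enforces, namely that while an object is inside its retention window no principal, admin included, can delete or overwrite it, and the window can be extended but never shortened. The clock is injected so the scenario can walk time forward, and the backup names and dates are constructed.

```python
"""A model of a WORM (write once, read many) retention window.

Added example, not a real storage product's API. Inside the retention window
no principal, admin included, can delete or overwrite an object, and the window
can be extended but never shortened. The clock is injected so the scenario can
walk time forward; names and dates are constructed.
"""
from datetime import datetime, timedelta, timezone


class ImmutabilityViolation(PermissionError):
    """Raised when anyone tries to alter a locked object."""


class FakeClock:
    def __init__(self, start: datetime):
        self.now = start

    def advance(self, days: int) -> None:
        self.now += timedelta(days=days)


class WormStore:
    def __init__(self, clock: FakeClock):
        self._clock = clock
        self._objects = {}   # key -> (data, retain_until)

    def _locked(self, key: str) -> bool:
        return key in self._objects and self._objects[key][1] > self._clock.now

    def put(self, key: str, data: bytes, retain_days: int, principal: str) -> None:
        # 'principal' is kept only for the audit message. It deliberately plays
        # no part in the decision: that is what makes the store immutable.
        if self._locked(key):
            raise ImmutabilityViolation(f"{principal}: {key} is locked, overwrite refused")
        self._objects[key] = (data, self._clock.now + timedelta(days=retain_days))

    def delete(self, key: str, principal: str) -> None:
        if self._locked(key):
            raise ImmutabilityViolation(f"{principal}: {key} is locked, delete refused")
        del self._objects[key]

    def set_retention(self, key: str, new_until: datetime, principal: str) -> None:
        data, retain_until = self._objects[key]
        if new_until < retain_until:
            raise ImmutabilityViolation(f"{principal}: retention may be extended, never shortened")
        self._objects[key] = (data, new_until)

    def keys(self) -> list:
        return sorted(self._objects)


def simulate_attack(retain_days: int = 30, dwell_days: int = 10) -> dict:
    """Constructed scenario: the backup job writes two restore points; someone
    holding the admin credential tries, during dwell time, to shorten the
    retention and wipe them; the same deletes only succeed once the window
    has genuinely expired."""
    clock = FakeClock(datetime(2024, 6, 1, tzinfo=timezone.utc))
    store = WormStore(clock)
    store.put("backup-2024-06-01-full", b"full backup", retain_days, "backup-service")
    clock.advance(1)
    store.put("backup-2024-06-02-incr", b"incremental", retain_days, "backup-service")

    clock.advance(dwell_days)
    result = {"shorten_refused": False, "refused_in_window": [], "deleted_after_expiry": []}
    try:
        store.set_retention("backup-2024-06-01-full", clock.now, "domain-admin")
    except ImmutabilityViolation:
        result["shorten_refused"] = True
    for key in store.keys():
        try:
            store.delete(key, "domain-admin")
        except ImmutabilityViolation:
            result["refused_in_window"].append(key)

    clock.advance(retain_days)   # now past both retain-until dates
    for key in store.keys():
        store.delete(key, "domain-admin")
        result["deleted_after_expiry"].append(key)
    return result


if __name__ == "__main__":
    print(simulate_attack())
```

The design point is in `_locked`: the decision depends only on the clock and the retain-until date, never on who is asking. That is also why the retention window must be longer than the dwell time you expect (see point 7 below): a 30-day lock on 7 days of backups still leaves you with nothing if the intruder has been inside for a fortnight.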

5. Being Too Selective: The "Important Files Only" Trap

When setting up backups, some businesses try to save on storage costs by only backing up what they deem "important": usually just the SQL databases or the "Accounts" folder.

But what about the bespoke software configurations? What about the digitised records in specialised industries? For example, a company like Property Inventory Clerks handles massive amounts of high-resolution photographic evidence and detailed reports. If they only backed up their spreadsheets but lost the thousands of inventory photos, their business would grind to a halt.

When you are hit by ransomware, you don't just need your data; you need your environment. If you have the data but it takes you four days to reinstall the OS, find the drivers, and reconfigure the network settings, you’re still losing thousands of pounds in downtime.

6. Flying Blind Without a Documented Strategy

In the heat of a cyberattack, adrenaline is high and clear thinking is low. That is not the time to be figuring out which server needs to be restored first or who has the password for the off-site storage.

Many SMEs have the tools but no plan. A documented Disaster Recovery (DR) plan should outline:

  • Priority: Which systems are critical for the first 4 hours? (e.g., Email, Phones).
  • Ownership: Who is responsible for calling the IT provider? Who talks to the customers?
  • Communication: How do you talk to staff if the internal network is down?

Without a written strategy, your recovery will be chaotic, slow, and prone to mistakes that could lead to secondary infections.

7. Ignoring the "Dwell Time" and Exposure Windows

Ransomware rarely attacks the moment it enters your system. On average, attackers lurk in a network for 10 to 14 days before triggering the encryption. This is called "dwell time."

During this period, they are often silently corrupting or slowly encrypting data in a way that you might not notice. If you only keep 7 days of backups, by the time you realise you’ve been hit, every single one of your backups might already contain the dormant malware or partially corrupted files.

You need a retention policy that goes back far enough to ensure you can find a "clean" version of your business. This is why daily backups aren't enough; you need a tiered approach with weekly and monthly snapshots kept in a secure, isolated environment.
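Here is the tiered approach as an actual retention calculation, so you can see why seven nightly backups cannot cover a fortnight of dwell time while a daily/weekly/monthly scheme can. This is an added example, not the post's own tooling: the grandfather-father-son rule it implements is a standard retention scheme, the counts (7 daily, 4 weekly, 12 monthly) and the 14-day dwell window are assumed for the scenario, and the 120 nightly snapshot dates are constructed.

```python
"""Tiered (daily / weekly / monthly) retention and the dwell-time check.

Added example, not the post's own tooling. Grandfather-father-son retention
is a standard scheme; the counts (7 daily, 4 weekly, 12 monthly), the 14-day
dwell window and the snapshot dates are assumed and constructed for the demo.
"""
from datetime import date, timedelta


def _newest(dates, n):
    """The newest n dates (an empty list when n is 0)."""
    return sorted(dates)[-n:] if n > 0 else []


def gfs_keep_set(snapshots, today, daily=7, weekly=4, monthly=12):
    """Snapshots to retain: the newest `daily` ones, the newest per ISO week
    for the last `weekly` weeks, and the newest per month for the last
    `monthly` months. Everything else is eligible for pruning."""
    snaps = sorted(s for s in snapshots if s <= today)
    by_week, by_month = {}, {}
    for s in snaps:                        # ascending, so the later date wins
        by_week[s.isocalendar()[:2]] = s
        by_month[(s.year, s.month)] = s
    keep = set(_newest(snaps, daily))
    keep.update(_newest(by_week.values(), weekly))
    keep.update(_newest(by_month.values(), monthly))
    return keep


def has_clean_point(kept, today, dwell_days):
    """True if at least one retained snapshot predates the assumed dwell
    window, i.e. was taken before the intruder is believed to have got in."""
    cutoff = today - timedelta(days=dwell_days)
    return any(s < cutoff for s in kept)


def demo():
    """Constructed: 120 nightly snapshots up to 30 June 2024, assessed against
    a 14-day dwell window under a 7-day-only policy and a tiered policy."""
    today = date(2024, 6, 30)
    nightly = [today - timedelta(days=i) for i in range(120)]
    seven_days_only = gfs_keep_set(nightly, today, daily=7, weekly=0, monthly=0)
    tiered = gfs_keep_set(nightly, today)
    return {
        "7_days_only": (len(seven_days_only), has_clean_point(seven_days_only, today, 14)),
        "tiered": (len(tiered), has_clean_point(tiered, today, 14)),
        "oldest_tiered": min(tiered).isoformat(),
    }


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(policy, "->", outcome)
```

With the tiered policy only 13 of the 120 snapshots are kept, yet the oldest of them is three months back, so a clean restore point exists well before a 14-day dwell window. The same storage spent on seven consecutive nights buys you nothing older than a week.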

How to Secure Your Business Today

The threat landscape in the UK is shifting. Small businesses are no longer "too small to be noticed": you are now the primary target because hackers know SMEs often have weaker defences than the big corporations.

But here is the good news: you don't need a multi-million-pound budget to be secure. You just need a smart, disciplined approach to your data.

If you’re sitting there thinking, "I actually don't know when we last tested our restore," or "I'm not sure if our backups are immutable," don't wait for a ransom note to find out.

At Evestaff IT Support and Consultancy, we specialise in helping UK SMEs build resilient, "ransomware-proof" environments. We can audit your current setup, identify the gaps, and implement a 3-2-1-1-0 strategy that lets you sleep at night.

Let’s get your business protected. Book a discovery call with our team today and let’s make sure your "green tick" actually means something.
