Cyber Insurance Renewal Calendar: What to Fix 90, 60, and 30 Days Before Renewal
A practical 90/60/30-day cyber insurance renewal calendar for small businesses that need cleaner answers, better evidence, and fewer last-minute surprises.
Read articleEndpoint & Detection
A practical restore-testing guide for small businesses that need to prove backups will actually support recovery before ransomware, an outage, or an insurer asks.
A backup is a copy. Recovery is a capability. If your business has never restored the files, application, or system it depends on, you do not know whether you can recover from ransomware. You know only that a backup product says something completed.
That distinction matters for operations, cyber insurance, and leadership trust. CISA's ransomware guidance tells organizations to maintain offline or separate backups and test them, while the FTC's small-business guidance tells companies to back up important files and keep copies offline or in the cloud. The missing word in many real environments is restore.
Sources: CISA StopRansomware Guide, FTC Cybersecurity for Small Business
This guide is the small-business version: how to prove that backups can become recovery before ransomware, a hardware failure, or an underwriter forces the question.
You prove recovery by restoring a meaningful sample of business-critical data, documenting the result, and fixing whatever fails.
At minimum, the test record should show:
That record becomes operational evidence and cyber insurance evidence. More important, it teaches the business what recovery would actually feel like under pressure.
Backup consoles are good at reporting jobs. They are not always good at reporting whether the business can operate from the result.
Common failures include:
None of those problems are theoretical. They are exactly the kind of practical failure that appears only when someone tries to recover.
Start with what would stop the business.
For a small business, that may be:
Do not test the easiest folder first unless it is also important. The goal is not to produce a pretty screenshot. The goal is to find out whether the business can keep moving.
If you are renewing cyber insurance, this restore test pairs naturally with the cyber insurance renewal calendar. Backups are one of the easiest controls to overstate and one of the hardest to fake when someone asks for evidence.
Here is a useful starter exercise.
Choose something specific:
The narrower the sample, the easier it is to complete and document.
Do not overwrite production. Restore to a separate test folder or isolated system.
Record:
This is where many backup checks stop too early. Do not just confirm the file exists.
Open it. Check whether it is readable. Confirm permissions. If it is an application file, test whether the application can use it.
Write the result in plain English:
On 2026-06-29, restored the QuickBooks company file from the 2026-06-28 backup to a test folder. Restore completed in 37 minutes. File opened successfully. Follow-up: confirm monthly offsite retention policy and document who can approve full restore.
That note is more useful than a vague policy statement.
Every restore test should produce at least one improvement:
The test is not a pass/fail ritual. It is a learning loop.
Ransomware changes the backup question. The business does not only need a copy. It needs a copy the attacker cannot easily encrypt, delete, or poison.
Prioritize these controls:
Keep backups separate from the systems they protect. That may mean offline, immutable, MFA-protected, or stored in a different administrative boundary.
Keep enough history to recover from an attack that started before anyone noticed. If clean copies disappear too quickly, the backup window may not help.
Know who can restore, who can approve a restore, and what happens if the primary admin is unavailable.
Protect the backup admin console with MFA. If the attacker takes over the console, the backup system may become part of the incident.
Do not blindly restore compromised files into production. Recovery should include a containment decision: what is clean, what is suspicious, and what must be rebuilt.
CISA's ransomware guidance emphasizes preparation, backups, and response planning because these decisions are much harder during the incident.
Source: CISA StopRansomware Guide
OneDrive, Google Drive, Dropbox, and similar tools are useful. They are not automatically a complete backup strategy.
The issue is sync. If a file is encrypted, deleted, or changed, that change may sync quickly. Version history can help, but the business still needs to know:
Cloud storage can be part of recovery. It should not be assumed to be recovery.
If an underwriter, broker, or client asks whether backups are tested, the strongest answer is short:
Yes. Here is the restore-test record from this date, the system tested, the person who performed it, and the result.
Keep these artifacts:
Evidence does not need to be fancy. It needs to be real.
For a small business, use this rhythm:
If the business cannot tolerate a system being down for a day, annual testing is probably not enough.
Ask:
If the answer to question five is "we monitor backups every day," ask again. Monitoring backup jobs is not the same as proving recovery.
Obsidian Ridge is not a backup reseller pretending backup equals recovery. The work is operational: identify the business-critical systems, confirm coverage, test a restore path, document evidence, and connect the result to incident response and cyber insurance.
If your renewal is coming up, start with the Cyber Insurance Readiness Questionnaire. If the restore evidence is missing or the backup design is unclear, the Cyber Insurance Readiness Sprint is the faster path to a signed evidence pack.
A backup is the copy. Recovery is the proven ability to use that copy to restore business operations. A backup that has never been restored is unproven.
At least annually for critical data, and more often for systems that stop revenue, patient care, legal deadlines, payroll, or financial operations.
Cloud sync can help, but it is not automatically a recovery plan. If bad changes sync quickly, the clean copy may be harder to find than expected.
It is a short record showing what was restored, from which backup date, by whom, where it was restored, whether it opened or worked, how long it took, and what needs follow-up.
Because backup claims are easy to make and hard to trust without proof. Tested backups reduce uncertainty around ransomware recovery and business interruption.
Last updated
July 17, 2026. We refresh this content as the threat landscape and tools evolve.
FAQ
A backup is a copy of data. Recovery is the proven ability to bring the business back to an operating state from that copy. A backup that has never been restored is not a recovery plan.
A small business should test restore of critical data at least annually, and more often for systems that would stop revenue, patient care, legal deadlines, payroll, or financial operations.
A useful restore test records the system tested, the data restored, who performed it, how long it took, whether permissions and application access worked, and what failed or needs follow-up.
Cloud sync can help with file access, but it is not automatically a ransomware recovery strategy. If deletions or encrypted files sync quickly, the business may lose the clean copy it thought it had.
Useful evidence includes backup configuration screenshots, restore-test logs, timestamps, recovered sample files, retention settings, MFA settings for the backup console, and notes showing who can perform the restore.
Related reading
A practical 90/60/30-day cyber insurance renewal calendar for small businesses that need cleaner answers, better evidence, and fewer last-minute surprises.
Read articleCompliance is one thing; the attack that stops a dealership is another. Ransomware on the DMS, F&I identity data, and vendor outages like the 2024 CDK attack are the real exposure. What actually hits dealers, and how to be ready.
Read articleContracting services were the second-most-reported non-critical sector in the FBI's 2025 ransomware data. The two exposures that actually hurt a construction firm — project downtime and progress-payment wire fraud — and how to close them.
Read article