Cloud backups that actually restore: how to verify your copy

·

93% of businesses that lose access to their data for more than ten days close within a year. The figure comes from business continuity studies compiled by INCIBE and the European agency ENISA, and it recurs in every industry report because it remains true. Yet the majority of Spanish SMEs confuse having a cloud backup with being able to restore that backup when they need it. These are very different things.

This article explains, without sugarcoating, what makes a cloud backup genuinely useful, how to test it before disaster strikes, how much a properly configured service costs and which warning signs should alert you that your current solution is a security placebo.

The most common mistake: confusing a copy with a recovery

A backup is a two-phase process. The first — copying the data — is what everyone sees and contracts. The second — restoring it within a reasonable time and with guaranteed integrity — is what almost nobody tests until they need it. That gap is the root cause of most serious incidents we handle at Summum Sistemas, where we have been supporting technology projects since 2007.

The most frequent failures we find when auditing cloud backups in SMEs are:

What a cloud backup that actually works needs to include

Before comparing prices, it is worth establishing the minimum technical requirements for an enterprise cloud backup. The table below summarises the most relevant ones and links them to the problem they solve:

Feature What it solves Without it...
Encryption in transit and at rest (AES-256) Protects data against unauthorised access in the cloud GDPR non-compliance and risk of data breach
Immutable storage (WORM) Prevents ransomware or an insider from deleting copies The backup disappears along with the attack
Periodically verified restoration Confirms that data is readable and intact You discover the failure when there is no turning back
Minimum 30-day retention (90 days recommended) Covers the average incubation time of modern ransomware You restore already infected data
Defined and tested RPO (<24 h for critical data) Limits the maximum information loss in the event of an incident You may lose days or weeks of transactions
Defined and tested RTO (<4 h for critical systems) Guarantees the business returns to operation within an acceptable timeframe The outage can last days even if the copy exists
Separate accounts (3-2-1-1 rule) Isolates the backup from the production environment A single attack vector compromises everything
Automatic job failure alerts Detects failed copies before the silence becomes permanent Weeks without a backup and nobody knows

The 3-2-1-1 rule in 2025: why the original is no longer enough

The classic backup rule — three copies, on two different media, one off-site — remains a valid starting point. However, the proliferation of targeted ransomware has forced the addition of a fourth element: an immutable, isolated (air-gapped or WORM) copy that cannot be modified or deleted even if the company's credentials are compromised.

Providers such as Veeam, Acronis and Commvault offer S3-compatible object-lock storage (AWS, Azure Blob, Backblaze B2) that guarantees this immutability. The cost of cloud storage for the immutable copy is relatively low — between €0.005 and €0.023 per GB/month depending on the provider and region — but the value it delivers is disproportionate to that cost.

How to verify that your backup truly restores: the restoration test

The only way to know whether a backup works is to restore it. Not in production, but in an isolated test environment. The minimum recommended procedure for an SME is:

  1. Schedule the quarterly test: set a date and a test environment (a temporary virtual machine, a staging server or a cloud sandbox).
  2. Select the restore point: choose a backup from 7 to 30 days ago (not the most recent one, which may have just been compromised).
  3. Restore the system or critical application: not just the files, but the complete service, including the database and configuration.
  4. Run a functional checklist: verify that the application starts, that the data is consistent with the backup date and that test users can operate normally.
  5. Measure the actual restoration time: compare it with the contracted RTO. If the RTO was 4 hours and the actual restoration took 11, there is a configuration or bandwidth problem that must be fixed before the real incident.
  6. Document and archive the result: a written record of the test also serves as evidence of due diligence in cybersecurity audits or with cyber-risk insurers.

Our cloud backup service for SMEs includes these restoration tests on a scheduled basis and delivers a documented report with every test. Not as an add-on, but because without that verification the backup has no real value.

What a verified cloud backup costs for an SME: real 2025-2026 ranges

The cost of a cloud backup depends on several factors: data volume, number of protected systems, backup frequency, retention period and whether the service includes active management and monitoring or is pure self-service. The following are indicative market ranges based on offerings available in Spain in early 2026, excluding our own pricing:

Scenario Description Monthly cost range (market)
Basic self-service 1-2 servers, 500 GB, no management, 7-day retention (e.g. Acronis True Image or Veeam Essentials with own storage on Azure/AWS) €30 – €80/month
Managed service — small SME 3-5 servers/VMs, up to 2 TB, 30-day retention, monitoring and alerts, no restoration test included €150 – €350/month
Managed service — mid-sized SME 5-15 servers/VMs, 2-10 TB, 90-day retention, quarterly restoration tests, WORM immutability, SLA with documented RTO/RPO €350 – €900/month
Full BDR (Backup + Disaster Recovery) Replicated cloud environment ready to boot (failover), M365/Google Workspace protection included, monthly tests, ransomware coverage €900 – €2,500/month

Reference sources for these ranges: public tariffs from Veeam Cloud & Service Provider (VCSP), Acronis Cloud Partner Program, Datto SIRIS and Gartner Peer Insights sector comparisons (2025). Prices vary based on negotiated volume and data centre region.

Factors that push the price up

Signs that your current backup is a placebo

There are clear symptoms that a backup solution is not delivering the protection it promises. If you recognise any of these in your company, it is worth reviewing the configuration before it is too late:

Cloud backup and regulatory compliance: GDPR, ENS and NIS2

Beyond operational continuity, cloud backup has regulatory implications that have become more relevant for Spanish SMEs in 2025-2026:

If your company works with Public Administrations or belongs to regulated sectors (health, food, transport, finance), having a verified cloud backup is not optional but an auditable obligation. The Summum Sistemas team can support you in both the technical implementation and the documentation required to pass audits.

Cloud backup for Microsoft 365 and Google Workspace: the most common blind spot

One of the most dangerous misconceptions we encounter in SMEs is the belief that Microsoft or Google back up their email, calendar and Drive or SharePoint file data. They do not.

Both Microsoft 365 and Google Workspace provide high availability and recovery from failures in their own infrastructure, but they do not protect against accidental deletion by the user, malicious deletion by an employee or a ransomware attack that encrypts or deletes data from within the account. The default retention policy in Microsoft 365's recycle bin is 93 days; after that period, data is permanently gone.

To cover this blind spot there are specific SaaS backup solutions: Veeam Backup for Microsoft 365, Acronis Cyber Cloud for M365 and Backupify for Google Workspace, among others. Their cost is around €2-5 per user per month depending on the provider and volume — a very small expense compared to the risk they cover.

Frequently asked questions

How often should I back up my business data?

It depends on your data loss tolerance (RPO). For transactional systems — ERP, CRM, customer databases — the standard for SMEs is a daily full backup with incremental backups every 1-4 hours during business hours. For shared working files (SharePoint, file servers), a nightly backup is usually sufficient. The key criterion is not frequency in the abstract, but how many hours of work you are willing to lose if an incident occurs at 17:59.

How long should I keep backups?

The minimum recommended in 2026 is 30 days, although 90 days is the de facto standard in environments with ransomware risk. Reference cybersecurity reports (Mandiant M-Trends 2024, Sophos Active Adversary Report 2024) indicate that the median ransomware dwell time before activation was between 5 and 16 days in 2024, with a trend toward shorter times in targeted attacks. With a 7-day retention, many companies would restore already compromised data. For legal obligations (GDPR, accounting), also consider regulatory timeframes: in Spain, accounting records must be kept for at least 6 years (Commercial Code, Art. 30).

Is it safe to store backups with the same cloud provider I use for my infrastructure?

It is not recommended if the accounts are linked or the credentials are the same. If an attacker compromises your Azure or AWS account and also has access to the backup storage, they can delete both. Best practice is to use separate storage accounts, with write-only users for the backup process and no possibility of deletion using the same production credentials. Many modern BCDR services offer isolated object-lock (WORM) storage precisely to cover this scenario.

What is the difference between a cloud backup and a cloud disaster recovery service?

A cloud backup stores copies of your data and systems; to restore, you need time (hours or days) to rebuild the environment. A cloud disaster recovery (DR) service maintains a functional replica of your systems ready to boot within minutes if the main environment fails. DR is more expensive because it involves keeping active or warm compute in the cloud, but RTO can drop from hours to minutes. For most SMEs, a well-managed cloud backup with a 4-8 hour RTO is sufficient; full DR is justified when downtime has a measurable hourly economic impact (hospitality, e-commerce, financial services).