93% of businesses that lose access to their data for more than ten days close within a year. The figure comes from business continuity studies compiled by INCIBE and the European agency ENISA, and it recurs in every industry report because it remains true. Yet the majority of Spanish SMEs confuse having a cloud backup with being able to restore that backup when they need it. These are very different things.
This article explains, without sugarcoating, what makes a cloud backup genuinely useful, how to test it before disaster strikes, how much a properly configured service costs and which warning signs should alert you that your current solution is a security placebo.
The most common mistake: confusing a copy with a recovery
A backup is a two-phase process. The first — copying the data — is what everyone sees and contracts. The second — restoring it within a reasonable time and with guaranteed integrity — is what almost nobody tests until they need it. That gap is the root cause of most serious incidents we handle at Summum Sistemas, where we have been supporting technology projects since 2007.
The most frequent failures we find when auditing cloud backups in SMEs are:
- Incomplete copies: the backup job excludes active databases or files locked by the operating system, and nobody detects it until restoration.
- Corrupt copies: a network error, a storage quota reached halfway through or a misconfigured encryption generates files that cannot be read.
- Unverified RPO and RTO: the company contracted a service with "4-hour recovery", but nobody has checked whether that timeframe is realistic for their data volume.
- Insufficient retention: ransomware has been active for weeks before encrypting, and the retention window only covers the last seven days, which are already compromised.
- Absence of immutability: the ransomware itself or a malicious administrator can delete copies stored in an account accessible with the same credentials as the production systems.
What a cloud backup that actually works needs to include
Before comparing prices, it is worth establishing the minimum technical requirements for an enterprise cloud backup. The table below summarises the most relevant ones and links them to the problem they solve:
| Feature | What it solves | Without it... |
|---|---|---|
| Encryption in transit and at rest (AES-256) | Protects data against unauthorised access in the cloud | GDPR non-compliance and risk of data breach |
| Immutable storage (WORM) | Prevents ransomware or an insider from deleting copies | The backup disappears along with the attack |
| Periodically verified restoration | Confirms that data is readable and intact | You discover the failure when there is no turning back |
| Minimum 30-day retention (90 days recommended) | Covers the average incubation time of modern ransomware | You restore already infected data |
| Defined and tested RPO (<24 h for critical data) | Limits the maximum information loss in the event of an incident | You may lose days or weeks of transactions |
| Defined and tested RTO (<4 h for critical systems) | Guarantees the business returns to operation within an acceptable timeframe | The outage can last days even if the copy exists |
| Separate accounts (3-2-1-1 rule) | Isolates the backup from the production environment | A single attack vector compromises everything |
| Automatic job failure alerts | Detects failed copies before the silence becomes permanent | Weeks without a backup and nobody knows |
The 3-2-1-1 rule in 2025: why the original is no longer enough
The classic backup rule — three copies, on two different media, one off-site — remains a valid starting point. However, the proliferation of targeted ransomware has forced the addition of a fourth element: an immutable, isolated (air-gapped or WORM) copy that cannot be modified or deleted even if the company's credentials are compromised.
Providers such as Veeam, Acronis and Commvault offer S3-compatible object-lock storage (AWS, Azure Blob, Backblaze B2) that guarantees this immutability. The cost of cloud storage for the immutable copy is relatively low — between €0.005 and €0.023 per GB/month depending on the provider and region — but the value it delivers is disproportionate to that cost.
How to verify that your backup truly restores: the restoration test
The only way to know whether a backup works is to restore it. Not in production, but in an isolated test environment. The minimum recommended procedure for an SME is:
- Schedule the quarterly test: set a date and a test environment (a temporary virtual machine, a staging server or a cloud sandbox).
- Select the restore point: choose a backup from 7 to 30 days ago (not the most recent one, which may have just been compromised).
- Restore the system or critical application: not just the files, but the complete service, including the database and configuration.
- Run a functional checklist: verify that the application starts, that the data is consistent with the backup date and that test users can operate normally.
- Measure the actual restoration time: compare it with the contracted RTO. If the RTO was 4 hours and the actual restoration took 11, there is a configuration or bandwidth problem that must be fixed before the real incident.
- Document and archive the result: a written record of the test also serves as evidence of due diligence in cybersecurity audits or with cyber-risk insurers.
Our cloud backup service for SMEs includes these restoration tests on a scheduled basis and delivers a documented report with every test. Not as an add-on, but because without that verification the backup has no real value.
What a verified cloud backup costs for an SME: real 2025-2026 ranges
The cost of a cloud backup depends on several factors: data volume, number of protected systems, backup frequency, retention period and whether the service includes active management and monitoring or is pure self-service. The following are indicative market ranges based on offerings available in Spain in early 2026, excluding our own pricing:
| Scenario | Description | Monthly cost range (market) |
|---|---|---|
| Basic self-service | 1-2 servers, 500 GB, no management, 7-day retention (e.g. Acronis True Image or Veeam Essentials with own storage on Azure/AWS) | €30 – €80/month |
| Managed service — small SME | 3-5 servers/VMs, up to 2 TB, 30-day retention, monitoring and alerts, no restoration test included | €150 – €350/month |
| Managed service — mid-sized SME | 5-15 servers/VMs, 2-10 TB, 90-day retention, quarterly restoration tests, WORM immutability, SLA with documented RTO/RPO | €350 – €900/month |
| Full BDR (Backup + Disaster Recovery) | Replicated cloud environment ready to boot (failover), M365/Google Workspace protection included, monthly tests, ransomware coverage | €900 – €2,500/month |
Reference sources for these ranges: public tariffs from Veeam Cloud & Service Provider (VCSP), Acronis Cloud Partner Program, Datto SIRIS and Gartner Peer Insights sector comparisons (2025). Prices vary based on negotiated volume and data centre region.
Factors that push the price up
- Large or fast-growing databases (PostgreSQL, SQL Server, Oracle): require specific agents and longer backup windows.
- Extended retention (more than 90 days): storage costs grow linearly; cold archives (Glacier, Archive) reduce this impact.
- Geographic replication across two separate regions: roughly doubles storage costs.
- Protection for Microsoft 365 or Google Workspace environments: requires specific licences (Veeam Backup for M365, Acronis Cyber Cloud for SaaS).
- Very demanding RTO (<1 hour): requires maintaining a warm replica ready to boot, which implies permanent compute costs in the cloud.
- Mixed environments (physical servers + VMs + SaaS + user devices): integration complexity increases the initial deployment cost.
Signs that your current backup is a placebo
There are clear symptoms that a backup solution is not delivering the protection it promises. If you recognise any of these in your company, it is worth reviewing the configuration before it is too late:
- Nobody knows when the last successful backup was without logging into the software panel.
- The last restoration test was "when the system was installed" or simply cannot be recalled.
- The copy is stored on a NAS connected to the same network as the production systems, with no credential segregation.
- Retention is 7 days or less.
- Backup alert emails go to an inbox that nobody checks.
- There is no document recording the RTO and RPO agreed internally.
- The cloud backup provider is the same as the main infrastructure provider, with the same user accounts.
Cloud backup and regulatory compliance: GDPR, ENS and NIS2
Beyond operational continuity, cloud backup has regulatory implications that have become more relevant for Spanish SMEs in 2025-2026:
- GDPR: Article 32 of Regulation (EU) 2016/679 requires technical measures to ensure the availability and integrity of personal data, which includes backups. If a company suffers a breach due to data loss and lacked an adequate backup, the AEPD may consider that proportionate security measures were not applied.
- National Security Framework (ENS): private companies providing services to Public Administrations are required to comply with the ENS (Royal Decree 311/2022). Control op.cont.2 of the ENS requires continuity plans that include verified backups.
- NIS2 (EU Directive 2022/2555): currently being transposed in Spain, it includes backup management as one of the basic security controls required of essential and important entities. Its application will expand the scope of obligations beyond traditional critical sectors.
If your company works with Public Administrations or belongs to regulated sectors (health, food, transport, finance), having a verified cloud backup is not optional but an auditable obligation. The Summum Sistemas team can support you in both the technical implementation and the documentation required to pass audits.
Cloud backup for Microsoft 365 and Google Workspace: the most common blind spot
One of the most dangerous misconceptions we encounter in SMEs is the belief that Microsoft or Google back up their email, calendar and Drive or SharePoint file data. They do not.
Both Microsoft 365 and Google Workspace provide high availability and recovery from failures in their own infrastructure, but they do not protect against accidental deletion by the user, malicious deletion by an employee or a ransomware attack that encrypts or deletes data from within the account. The default retention policy in Microsoft 365's recycle bin is 93 days; after that period, data is permanently gone.
To cover this blind spot there are specific SaaS backup solutions: Veeam Backup for Microsoft 365, Acronis Cyber Cloud for M365 and Backupify for Google Workspace, among others. Their cost is around €2-5 per user per month depending on the provider and volume — a very small expense compared to the risk they cover.
Frequently asked questions
How often should I back up my business data?
It depends on your data loss tolerance (RPO). For transactional systems — ERP, CRM, customer databases — the standard for SMEs is a daily full backup with incremental backups every 1-4 hours during business hours. For shared working files (SharePoint, file servers), a nightly backup is usually sufficient. The key criterion is not frequency in the abstract, but how many hours of work you are willing to lose if an incident occurs at 17:59.
How long should I keep backups?
The minimum recommended in 2026 is 30 days, although 90 days is the de facto standard in environments with ransomware risk. Reference cybersecurity reports (Mandiant M-Trends 2024, Sophos Active Adversary Report 2024) indicate that the median ransomware dwell time before activation was between 5 and 16 days in 2024, with a trend toward shorter times in targeted attacks. With a 7-day retention, many companies would restore already compromised data. For legal obligations (GDPR, accounting), also consider regulatory timeframes: in Spain, accounting records must be kept for at least 6 years (Commercial Code, Art. 30).
Is it safe to store backups with the same cloud provider I use for my infrastructure?
It is not recommended if the accounts are linked or the credentials are the same. If an attacker compromises your Azure or AWS account and also has access to the backup storage, they can delete both. Best practice is to use separate storage accounts, with write-only users for the backup process and no possibility of deletion using the same production credentials. Many modern BCDR services offer isolated object-lock (WORM) storage precisely to cover this scenario.
What is the difference between a cloud backup and a cloud disaster recovery service?
A cloud backup stores copies of your data and systems; to restore, you need time (hours or days) to rebuild the environment. A cloud disaster recovery (DR) service maintains a functional replica of your systems ready to boot within minutes if the main environment fails. DR is more expensive because it involves keeping active or warm compute in the cloud, but RTO can drop from hours to minutes. For most SMEs, a well-managed cloud backup with a 4-8 hour RTO is sufficient; full DR is justified when downtime has a measurable hourly economic impact (hospitality, e-commerce, financial services).