Backup & Recovery

Do You Know Your Backups Are Working? A Practical Verification Guide

Having backups isn't the same as being protected. Most businesses discover their backups are broken during an actual recovery event. Here's how to verify your backups actually work — before you need them.

By Facet MSP 7 min read

You’ve set up backups. Maybe they’re running to a cloud provider, to a local NAS, or both. The backup software shows green checkmarks every morning. You’re protected — right?

Not necessarily. The backup industry has a dirty secret: most organizations discover their backups don’t work during an actual recovery event. Hardware failures, software bugs, incremental backup chain corruption, and storage misconfiguration can silently compromise months of backup history — while the dashboard continues to show green.

This guide walks through a practical approach to backup verification that gives you actual confidence in your data protection posture, not just the appearance of it.

Why “Set It and Forget It” Backup Fails

Backups are not a passive process. They require active management because several things can fail silently over time:

Backup job failures that go unnoticed. A backup job can fail due to a locked file, insufficient storage, or a network timeout — and the failure notification goes to an email address nobody checks. Weeks of gaps accumulate while the dashboard still shows the last successful backup date.

Incremental backup chain corruption. Most modern backup systems use incremental backups to save storage. An incremental backup captures only changes since the last backup. If any backup in the chain is corrupted, every subsequent incremental is unrestorable — even if each individual job appeared to succeed.

Restore testing is skipped. Backup software can confirm that data was written to storage. It cannot confirm that the data can be successfully restored. These are not the same thing. A backup is only as good as the last successful restore test.

Storage capacity exhaustion. As data grows, backup storage fills up. When storage runs out, backup jobs fail silently or start overwriting older backups. Without active capacity monitoring, you may discover you have no usable backup history at all.

“Testing backups is the cornerstone of effective data protection.” — Veeam

The 3-2-1 Backup Rule: Still the Gold Standard

Before getting into verification, it’s worth ensuring your backup architecture follows the 3-2-1 rule — the foundational framework for resilient data protection:

  • 3 copies of your data (the original plus two backups)
  • 2 different storage media (e.g., local NAS plus cloud, or local disk plus tape)
  • 1 offsite copy that is geographically separated from your primary site

The 3-2-1 rule protects against the most common failure scenarios: device failure (local backup still exists), site-level disaster like fire or flood (offsite backup exists), and ransomware (if the offsite copy is air-gapped or immutable, it can’t be encrypted). Facet MSP’s backup and disaster recovery services are designed around this framework for every client.

Step-by-Step Backup Verification

Step 1: Document What You’re Protecting

You cannot verify what you haven’t defined. Before testing, build a backup inventory that answers:

  • What data is being backed up? (Specific file servers, databases, virtual machines, Microsoft 365 mailboxes, SharePoint sites)
  • Where is backup data stored? (Cloud provider, local appliance, offsite vault)
  • What is the backup frequency? (Continuous, hourly, daily, weekly)
  • What is the retention period? (How far back can you restore?)
  • What is the RPO (Recovery Point Objective)? The maximum acceptable data loss in time.
  • What is the RTO (Recovery Time Objective)? The maximum acceptable downtime before operations must be restored.

This documentation is the baseline for all verification activities. Without it, testing is impossible to do systematically.

Step 2: Test Restore of Individual Files — Monthly

The simplest and most frequent verification activity: restore a random sample of files from your backup and confirm they open correctly. Do this monthly, at minimum. The sample should include:

  • Files from different departments (finance, operations, sales)
  • Files of different types (documents, spreadsheets, databases)
  • Files from different backup dates (test last night’s backup AND a backup from 30 days ago)

Document the test: what was restored, from which backup, what date, and whether the restore was successful. This log is your audit trail.

Step 3: Full System Recovery Test — Quarterly

At least quarterly, perform a complete system recovery test for your most critical workloads. This means:

  • Provisioning a clean server or virtual machine
  • Restoring the full system backup to that environment
  • Verifying the system boots correctly
  • Verifying applications function normally
  • Verifying data integrity (can you open files, query the database, access email?)

This test reveals problems that file-level restores don’t catch: boot sector issues, driver conflicts, application configuration problems, and database corruption.

Step 4: Monitor Backup Job Success — Daily

Backup monitoring should not be a manual task. Your backup platform (or MSP) should provide:

  • Automated alerts for any backup job failure
  • Daily summary reports showing success/failure status for all protected workloads
  • Storage capacity alerts when thresholds are reached (80%, 90%)
  • Alerts for backup jobs that haven’t run in their expected window

If you’re running your own backup platform, configure alert emails to an actively monitored inbox — not a shared mailbox that nobody reads.

Step 5: Secure Your Backups Against Ransomware

Ransomware operators have evolved their tactics: many strains now target and encrypt backup repositories before detonating the main payload, eliminating your recovery option. Protect your backups with:

Immutable backup storage. Object storage with immutability enabled (Wasabi, Backblaze B2, Azure Immutable Blob) cannot be modified or deleted for a defined period — even by ransomware running with admin credentials.

Air-gapped copies. Maintain at least one backup copy that is completely disconnected from your network. Offline tape, rotated external drives kept offsite, or a cloud vault with no always-on network connectivity.

Restricted backup access. The backup service account should have write access to the backup repository and nothing else. Admin credentials should not be used for backup jobs.

Encryption. All backup data should be encrypted in transit and at rest. If an attacker exfiltrates backup data, encryption prevents them from reading it.

Step 6: Document Your Recovery Plan

A tested backup with no documented recovery process is only half the answer. Your Backup and Disaster Recovery Plan (BDRP) should specify:

  • Prioritization. Which systems get restored first in a major incident? (Usually: domain controllers, file servers, email, then line-of-business applications)
  • Step-by-step procedures. Not “restore the server” — the actual commands, console steps, and validation checks
  • Team roles. Who does what during a recovery? Who approves the decision to invoke DR? Who communicates with the business?
  • Vendor contacts. MSP emergency line, cloud provider support, hardware vendor contacts
  • Escalation path. If the primary recovery engineer is unavailable, who is the backup?

Run a tabletop exercise annually — walk the team through a fictional breach or outage scenario, simulate the decisions and actions, and identify gaps in the plan.

Common Backup Mistakes to Avoid

Backing up to the same system you’re protecting. A local backup on the same server you’re trying to protect is lost when the server fails. This isn’t a backup — it’s a second copy on a single failure domain.

Skipping Microsoft 365 backup. Microsoft 365 data — email, SharePoint, Teams — has limited native retention and no meaningful backup capability. Microsoft is responsible for service availability, not your data. If a user accidentally deletes 3 years of email or a document library, Microsoft cannot restore it after the retention window expires. Use a third-party Microsoft 365 backup solution.

Assuming cloud storage is a backup. Cloud file sync (OneDrive, Dropbox, Google Drive) is not backup. If a user deletes or ransomware encrypts files, the deletion or encryption syncs to the cloud immediately. True backup maintains point-in-time snapshots that can be restored independently of sync state.

The Bottom Line

Backups you haven’t tested are assumptions, not protections. The verification process — monthly file restores, quarterly full system recovery tests, daily monitoring, and a documented recovery plan — transforms your backup from a liability into genuine business resilience.

If you’re not sure whether your backups are actually working, we can tell you. Book a free backup assessment and Facet MSP will review your backup architecture, test restore capability, and give you a clear picture of your recovery posture.

backup disaster recovery 3-2-1 backup data protection business continuity

Free Assessment

Ready to take IT off your plate?

Book a free 45-minute IT assessment. No commitment, no sales pressure — just an honest look at where you stand and how we can help.

No commitment · 45 min · Free · US-based team