If you run a small business in Coastal Georgia in 2026, backups are the single highest-leverage IT investment you can make. Not the most exciting, not the one a salesperson will pitch hardest, but the one that decides whether a bad day becomes a closed-doors event.
Here's what's changed about backup protection over the last few years, and what good looks like now.
Ransomware changed the threat model
Backups used to be primarily about hardware failure: the server dies, you restore from tape. That's still a thing, but it's now a small fraction of why backups get exercised.
The dominant threat today is ransomware. And ransomware operators got smart about backups years ago: the first thing modern ransomware does after gaining a foothold is enumerate, encrypt, and delete every backup it can reach over the network. If your backup target is mounted as a shared drive or accessible with the same domain credentials that got compromised, your backups are gone too.
This means a 2026 backup strategy has to assume the attacker will try to destroy backups, and design accordingly.
What good backups look like in 2026
The current standard, sometimes called the 3-2-1-1-0 rule, expands the classic 3-2-1:
- 3 copies of important data
- 2 different media (e.g., disk and cloud)
- 1 off-site copy
- 1 immutable copy — something the attacker cannot modify or delete even with full admin access
- 0 errors verified by regular restore testing
The two new bits — immutability and tested restores — are where most small-business backup setups still fall short.
Immutability
An immutable backup is a copy of your data that cannot be modified or deleted for a defined retention period, no matter what credentials are presented. Implementations include:
- Object lock on S3-compatible storage (AWS S3, Backblaze B2, Wasabi, MinIO). Once a file is written with object lock, it can't be deleted or overwritten until the retention timer expires.
- Append-only file systems (ZFS snapshots, restic with hardened repository permissions).
- Tape backups stored off-site (genuinely air-gapped, but slow to restore).
Without immutability, a sophisticated attacker who's been in your environment for a few weeks can quietly destroy your backups before triggering the ransomware encryption stage. They do this routinely.
Tested restores
The phrase we keep repeating to clients: untested backups are not backups, they're hopes. The first time you find out a backup doesn't restore should not be the day a ransomware attacker is asking for $80,000.
Real testing means:
- A scheduled drill (we run them quarterly for our managed clients)
- Pick a random folder, mailbox, or VM from a recent backup
- Restore it to a sandbox environment
- Verify the data is intact and current
- Document the restore time
A backup product that can't restore in a documented amount of time is not solving your problem.
What to actually back up
For a typical 10-person Savannah professional-services firm, the priority list:
- File shares (everything in Nextcloud, Dropbox, Drive, OneDrive, or on the file server)
- Email (Microsoft 365 or Google Workspace data — these are not backed up by Microsoft or Google in any meaningful sense; their built-in retention is short and not a substitute)
- Line-of-business application databases (practice management, accounting, CRM)
- Endpoint user data — if employees keep work on their laptops, those laptops need backup too
- Configuration and infrastructure as code — firewall configs, server build scripts, DNS records, certificates
The order matters because of restoration sequencing. Files and email get restored first because they're what people actually need to start working again. Application databases are next. Endpoints are last.
Cloud backup vs on-premises backup
For most small businesses, the right answer is both. A common 2026 setup we deploy:
- Local fast restore — daily backup to a small NAS or backup appliance on the local network for fast recovery (5 minutes to restore an accidentally deleted folder)
- Off-site immutable — encrypted, immutable copy to S3-compatible object storage (Backblaze B2 is excellent for this on cost) with at least 30 days of retention
Total monthly cost for a 10-person firm with 1TB of data: typically $30–$80/month in storage, plus the backup software (open-source options like restic or Borgmatic are free; commercial Veeam and similar run $5–$15/user/month).
Ransomware-specific protections
Beyond immutability, a few backup-specific anti-ransomware practices:
- Separate credentials for the backup system. Backup admin accounts should not be the same accounts that manage day-to-day infrastructure. Compromise of a regular admin account shouldn't grant backup access.
- Network segmentation. The backup target should not be reachable from user workstations except through the backup software itself.
- Alerting on unusual activity. A spike in failed login attempts on the backup system, or unusually large data flowing to a backup target, should page a human.
- Test the ransomware scenario specifically. Not just "can I restore this file" but "can I rebuild this server from bare metal in 4 hours."
What to ask your IT provider
If you have a managed IT contract right now, three questions will tell you whether your backups are 2026-grade:
- "Can you show me the most recent restore drill report?" If they can't, drills aren't happening.
- "Is any of our backup data immutable?" If they don't have a clear answer, they're not protected from sophisticated ransomware.
- "How long would it take to restore our file share, our email, and our line-of-business app if we got hit today?" A real answer should be in hours, with specific numbers.
If your provider gets defensive or vague on any of those, that's the answer.
Where F09 Tech fits
Backups are part of every managed IT and cybersecurity engagement we run. For Savannah and Coastal Georgia clients, we typically deploy a self-hosted Borgmatic or Proxmox Backup Server setup with an immutable Backblaze B2 off-site copy. Total monthly cost for a 10-person firm runs $40–$100 in raw storage, plus our flat per-user fee — far less than the cost of a single bad afternoon without one.
If you want a backup review of your current setup — what's there, what's missing, and what it would cost to fix — we offer a free 30-minute review for any Coastal Georgia small business. We cover Savannah, Pooler, Richmond Hill, Hinesville, Statesboro, Bluffton, and Hilton Head. Book one here.