Backup that's never been restored is hope, not a plan
Most small businesses have backup software. Most of them have never tested a restore. When ransomware hits and the backup product silently failed three weeks ago, the discovery happens at exactly the moment you need it to work. Don't be the person finding out at 9 a.m.
The three layers every business needs
Local backup for fast recovery (file-level mistakes, hardware failures). Cloud or off-site backup for ransomware and physical incidents. Immutable copies the attacker cannot delete even with admin credentials. Two of the three is the minimum; three is the discipline.
Test it the way you'd hate it
Quarterly, schedule a real restore drill — pick a server, pretend it died last night, see how long it takes to bring back. Time the steps. Document the failures. Fix them. The drill is the only way you find out the backup product didn't actually retain that VM, or that the restore needs a license you no longer have.
When ransomware hits, your only friend is yesterday's backup
There is no clever decryption. There is no negotiating that ends well. The only path back to working is a clean restore from a backup the attacker couldn't reach. Build that path now, and test it, so the worst day of the year is the day you discover the playbook actually works.