In 2021, a Sligo hotel faced a nightmare scenario on a busy bank holiday weekend. Ransomware encrypted its booking system — the operational core of the business. Guests could not check in. Reservations were lost. The hotel paid a ransom in Bitcoin, but the decryption key only partially worked. Days of manual operation followed, bookings were lost, and the total cost of the incident was multiples of the original ransom demand. What made the situation worse was that the hotel had backups — they just had not tested whether those backups could actually be restored.
That story is not unusual. Nearly one-third of Irish firms reported paying a cyber ransom in the past year. For small and medium businesses in Donegal, Sligo, and across the North-West, the consequences of a successful ransomware attack can be catastrophic. Unlike large corporations, most Irish SMEs have no dedicated security team, no incident response retainer, and no fallback they have actually verified works. The good news is that a well-implemented, regularly tested backup strategy changes that calculation completely.
WHAT: What the Essential 8 Tells Irish SMEs About Backups
The Essential Eight is a baseline cybersecurity framework developed by the Australian Cyber Security Centre and widely adopted internationally as a practical standard for organisations that want to build genuine resilience against the most common attacks. It includes eight controls, and the one that matters most when all other defences have failed is this: regular, tested, isolated backups.
NCSC Ireland echoes this in its published guidance for organisations.[^1] The emphasis is not just on having backups, but on having backups that are effective — which means daily frequency, isolated storage, and verified restorability. A backup that lives on the same network as your production systems is vulnerable to the same ransomware that encrypts your primary data. A backup you have never tested may fail silently for months before you discover it.
The 3-2-1 rule provides the structural framework: three copies of your data, on two different types of media, with one copy stored off-site or in an isolated cloud location. The extended version — 3-2-1-1-0 — adds one offline copy and zero errors confirmed through testing. For an Irish SME handling client data, financial records, or operational systems, this framework is not aspirational. It is the minimum standard your business continuity requires.
Understanding backup types helps you implement the right combination. A full backup copies everything and is the simplest to restore from, but it is slow and storage-intensive. An incremental backup copies only what has changed since the last backup, running quickly but requiring the last full backup and all subsequent incrementals to restore. A differential backup copies everything changed since the last full backup, making restoration faster than incremental at the cost of more storage. Most SMEs benefit from a weekly full backup combined with daily incrementals — balancing storage cost, backup speed, and recovery time.
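The restore dependency described above, as an added example that is not part of the original article. The catalogue layout and the names `restore_chain`, `latest_restorable`, `entry` and `d` are hypothetical, and the sample catalogues are constructed; each set records the set it was taken relative to, so an incremental points at the previous backup and a differential points at the last full.

```python
from datetime import date

def restore_chain(catalogue, backup_id):
    """Walk parent links back to a full backup; return ids in restore order,
    or None if any set the chain depends on is absent from the catalogue."""
    by_id = {b["id"]: b for b in catalogue}
    chain, seen, current = [], set(), by_id.get(backup_id)
    while current is not None and current["id"] not in seen:
        seen.add(current["id"])          # guards against a looping catalogue
        chain.append(current["id"])
        if current["type"] == "full":
            return chain[::-1]           # restore the full first, then the rest
        current = by_id.get(current["parent"])
    return None

def latest_restorable(catalogue, target_day):
    """Newest backup on or before target_day whose whole chain is intact.
    Returns (day, chain) or None."""
    candidates = sorted((b for b in catalogue if b["day"] <= target_day),
                        key=lambda b: b["day"], reverse=True)
    for backup in candidates:
        chain = restore_chain(catalogue, backup["id"])
        if chain:
            return backup["day"], chain
    return None

def d(n):
    return date(2025, 6, n)              # constructed dates: 1 June is the weekly full

def entry(id_, type_, day, parent=None):
    return {"id": id_, "type": type_, "day": day, "parent": parent}

# Constructed catalogues. In both, the set written on 4 June has been lost.
INCREMENTAL = [
    entry("full-01", "full", d(1)),
    entry("inc-02", "incremental", d(2), "full-01"),
    entry("inc-03", "incremental", d(3), "inc-02"),
    entry("inc-05", "incremental", d(5), "inc-04"),   # parent inc-04 is missing
]
DIFFERENTIAL = [
    entry("full-01", "full", d(1)),
    entry("diff-02", "differential", d(2), "full-01"),
    entry("diff-03", "differential", d(3), "full-01"),
    entry("diff-05", "differential", d(5), "full-01"),
]

if __name__ == "__main__":
    print(latest_restorable(INCREMENTAL, d(5)))
    print(latest_restorable(DIFFERENTIAL, d(5)))
```

With one lost set, the incremental scheme can only be restored to 3 June, while the differential scheme still restores to 5 June from two sets.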
WHAT NOW: Building a Backup Strategy That Actually Works
The first priority is isolation. Your backups must be stored somewhere that ransomware cannot reach — which means not on the same network as your production systems, not in a cloud account accessible with the same credentials, and not on a drive that is permanently connected to your server. Ransomware is increasingly designed to seek out and encrypt backup locations before triggering the visible attack. An isolated backup is the single most important structural protection you can put in place.
The second priority is frequency. Your Recovery Point Objective — how much data you can afford to lose — determines how often you need to back up. For most Irish SMEs handling live customer data, transaction records, or operational systems, daily backups are the minimum. For higher-frequency operations, consider continuous or hourly backups for critical data sets.
The third priority — and the one most often neglected — is testing. The Data Protection Commission receives breach notifications from Irish organisations whose backups existed but could not be restored.[^3] Testing means actually restoring data from your backups to a separate environment and verifying that the restored data is complete and usable. Not checking that the backup job ran. Not confirming the backup file exists. Actually restoring and verifying. Do this monthly for a single-file test, quarterly for a folder restore, and at least annually for a full system restore to a clean environment.
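One way to do the "restore and verify" step, as an added example that is not part of the original article: record a manifest of sizes and SHA-256 hashes when the backup is taken, then compare the restored tree against it. The function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> (size, sha256) for every file under root.
    Run this at backup time and keep the result apart from the backup itself."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): (p.stat().st_size, sha256_file(p))
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root):
    """Compare a restored tree with the backup-time manifest."""
    restored = build_manifest(restored_root)
    report = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)      # never came back from the backup
        elif restored[rel] != expected:
            report["corrupt"].append(rel)      # truncated or altered content
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    report["passed"] = not (report["missing"] or report["corrupt"])
    return report

def demo():
    """Constructed sample: a 'restore' with one truncated and one missing file."""
    files = {"bookings/2025-06.csv": b"id,guest\n1,Murphy\n",
             "accounts/ledger.db": b"\x00\x01" * 512,
             "readme.txt": b"ok"}
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        for rel, data in files.items():
            for base in (src, dst):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        manifest = build_manifest(src)
        (dst / "accounts/ledger.db").write_bytes(b"\x00\x01" * 100)  # truncated
        (dst / "readme.txt").unlink()                                # not restored
        return verify_restore(manifest, dst)

if __name__ == "__main__":
    print(demo())
```

Comparing against a manifest taken at backup time, rather than against live production data, avoids false mismatches from files that changed after the backup ran.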
An Garda Síochána's National Cyber Crime Bureau recommends maintaining at least one backup copy that is physically disconnected from your network — an air-gapped copy — specifically because ransomware operators increasingly target connected backup infrastructure.[^2] For many SMEs, a monthly tape or external drive backup stored off-site achieves this at minimal cost.
WHY IT MATTERS: The Recovery Time Question
When a ransomware attack hits, the question that determines whether your business survives is not whether you have backups. It is how long it takes to restore from them — your Recovery Time Objective. A business that can restore operations within four hours faces a very different outcome than one that discovers recovery will take three weeks.
Document your RTO before an incident, not during one. Know which systems are critical, which order they need to be restored in, who is responsible for executing the restoration, and what the manual workaround procedures are for the hours or days before systems come back online. NCSC Ireland recommends rehearsing this process as part of your broader incident response planning.[^1]
A backup that has never been tested is not a backup. It is a hope. Your business continuity plan cannot be built on hope.
WHAT NEXT: Three Actions to Take This Week
Check where your backups are stored. If the answer involves a drive or location that is accessible from your main network using the same credentials, that backup is not isolated. Identify a solution this week — cloud backup with separate credentials, an off-site copy, or an air-gapped drive.
Run a file restore test today. Take a file from your most recent backup and restore it to a separate location. Confirm the file is complete and readable. If it fails, you have discovered a critical gap before an attack forced the discovery. If it succeeds, you have established a baseline to build on.
Set a calendar reminder for a quarterly backup test. Make it a fixed date, not an intention. When it arrives, restore a folder — not just a file — and document the result. That documentation record is evidence of a functioning business continuity programme, which matters to insurers, clients, and regulators alike.
[^1]: NCSC Ireland. Advice for Organisations. https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: An Garda Síochána. Cyber Crime. https://www.garda.ie/en/crime/cyber-crime/
[^3]: Data Protection Commission. Guidance for Organisations. https://www.dataprotection.ie
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.