How to Test Your Backups and Disaster Recovery Instead of Just Trusting They Work.

Most Irish SMEs trust their backups without testing them. Here is how to verify your backups actually work — before you need them to.

How to Test Your Backups and Disaster Recovery Instead of Just Trusting They Work.

An IT provider for a Letterkenny retail business had been running nightly backups for three years. The backup completion emails arrived every morning. The IT provider checked that the emails were green. Nobody had ever attempted a restore.

When ransomware hit on a Thursday evening, the IT provider began the restore process on Friday morning. The restore failed. The backup catalogues were corrupted. The corruption had begun four months earlier when a software update had changed the backup format — the backup software had continued to report success while writing data that the restore engine could not read.

Three years of backups. None of them restorable. The business lost two years of operational data.

The Gap Between "Backups Are Running" and "Backups Work"

A backup that has never been restored from has an unknown failure rate. This is not a hypothetical concern — it is one of the most consistent findings in Irish SME incident investigations. The backup appeared to be working. The restore did not.

The failure modes are numerous. Backup software can report success while writing corrupted data. Storage media can develop errors that do not affect write operations but prevent read operations. Software version mismatches can make data unrestorable on different hardware. Backup catalogues can corrupt silently. Backup retention policies can delete data before it is needed.

None of these failures is visible without attempting a restore.

What Constitutes a Proper Backup Test

A backup test is not checking that the backup software reported success last night. A backup test is selecting a representative sample of data, restoring it to a test location, opening it, and confirming it is complete, accurate, and usable.

A complete disaster recovery test goes further: starting from a clean system (or a simulated clean system), restoring the full operating environment from backup, and confirming that business-critical applications run correctly and that the restored data is current and intact.

Most Irish SMEs do not need to run a full DR test quarterly. They do need to run a restore test quarterly — a meaningful sample of critical data, confirmed as restorable and usable. A full DR test should be completed at least annually.

When was the last time your IT provider confirmed a successful restore from your backup — not just a successful backup write? If the answer is never, schedule a restore test this month. Book a free 20-minute strategy call — backup testing is one of the first checks we run in every Irish SME security engagement.

The Restore Test Process

Select a test scope. For a quarterly restore test, choose a representative sample: a folder of recent financial documents, a customer database export from a specific date, and a key business application's configuration files. This should represent the data you would most urgently need in an actual incident.

Restore to a test location. Do not restore to the live production location — restore to a separate test folder or test system. This avoids any risk of overwriting current data and confirms that the restore process produces a clean output.

Verify the content. Open the restored files. Confirm they are the correct versions, that the data is complete, and that the files are not corrupted. For a database restore, run a basic query against the restored database to confirm data integrity.

Document the result. Record the date, the data scope tested, the time required to restore, and whether the restore was successful. This documentation serves as evidence of your backup programme's effectiveness for insurance, regulatory, and governance purposes.

Note the recovery time. How long did the restore take for your test scope? Extrapolate this to your full environment. This is your actual recovery time — which may differ significantly from the theoretical RTO your IT provider quoted when they set up the backup.

The Recovery Time Discovery

One of the most consistently surprising findings from backup testing in Irish SMEs is that the actual recovery time is significantly longer than expected. A business that believes it can recover in four hours discovers that restoring the full environment from backup takes three days because the backup storage is slow, the restore process is sequential, or the IT provider's capacity to manage the restore is limited.

This discovery is far less damaging when made during a test than when made during an actual incident. If your test reveals that full recovery would take a week, that gives you the information to either improve your backup infrastructure or to build your business continuity plan around a realistic recovery timeframe.

A business that knows it would take a week to recover can plan for that. A business that discovers it during an incident cannot.

Full Disaster Recovery Test

Once a year — typically coinciding with the annual resilience review — a full disaster recovery test should verify that the complete business-critical environment can be rebuilt from backup. For most Irish SMEs, this means: the core server environment or cloud tenant, the primary business applications, the key datasets, and the communication systems.

This test does not require taking live systems down. It can be run in a parallel environment — a test Azure subscription, a spare server, or a cloud sandbox. The objective is to confirm that if the live environment disappeared tomorrow, the backup environment would produce a functional replacement within your target recovery time.

What Next

  1. Schedule a restore test this month. Contact your IT provider, provide a specific scope (a folder, a database, a configuration set), and ask for a restore to a test location with verification. Document the result.

  2. Ask your IT provider for your actual recovery time based on your current data volume and backup infrastructure. Not the theoretical RTO — the time an actual restore would take for your full environment.

  3. Add quarterly restore tests and an annual DR test to your business calendar. These do not need to be elaborate. A quarterly test takes two to four hours of IT provider time. An annual DR test may take a day. Both are a fraction of the cost of discovering failures during a real incident.

Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

[^1]: NCSC Ireland — Backup and Disaster Recovery Guidance [^2]: An Garda Síochána — National Cyber Crime Bureau [^3]: Data Protection Commission Ireland

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.