Securing Remote Workforces with Offsite Data Backup and AI Monitoring

Ensure data safety in remote work environments through offsite backups and intelligent monitoring.
December 14, 2025 by Syncritech INC, Bill Roberts

The backup nobody tested

Most ransomware victims I have met had backups. They just did not have working backups. The Veeam job ran every night. The dashboard showed green. Then on the morning the encrypted files showed up, somebody discovered the restore point lived on a NAS that was on the same domain as everything else, and the attacker had reached it three days before pulling the trigger. The backup was real. The recovery was theater.

This is the part nobody likes to say out loud: a remote workforce changes the threat model in ways your old "we have offsite backup" answer no longer covers. People work from coffee shops. Their kid's tablet is on the same Wi-Fi as the laptop with your QuickBooks file. The endpoint is the perimeter now, and the perimeter is not great.

Backups that survive the bad day

Two rules, in order of importance:

  • Immutability is not optional. AWS S3 with Object Lock in compliance mode, Wasabi with object immutability, or Backblaze B2 with object lock. If the credentials your laptop has can also delete your backups, those are not backups. They are an inconvenience to an attacker.
  • Test the restore on a calendar, not on vibes. Pick a date. Restore something real to a clean machine. Time how long it takes. If your last documented full restore was "around when we set it up," you do not have a tested backup, you have a hope.

For most SMBs the practical stack is Veeam (or its smaller sibling, Veeam Data Cloud Vault) writing to immutable object storage at Wasabi or S3, with a separate copy of the most critical data, the QuickBooks file, the contract repository, the CAD library, on a different account with different credentials. The 3-2-1 rule is not folklore. It is the only thing that consistently survives a real incident.
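The two rules above can be checked mechanically. The sketch below is an added example, not code from the post or from any vendor: it audits a bucket's Object Lock settings and the age of the last restore test. The bucket names, the 14-day minimum retention and the 92-day "quarterly" window are assumptions, and the sample responses are constructed to match the shape boto3's `get_object_lock_configuration` returns.

```python
from datetime import date

MIN_RETENTION_DAYS = 14  # assumption: retention must outlast attacker dwell time
MAX_TEST_AGE_DAYS = 92   # assumption: "quarterly" restore test, expressed in days

# Constructed samples, shaped like boto3 get_object_lock_configuration responses.
SAMPLE_CONFIGS = {
    "backups-primary": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}},
    "backups-legacy": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
    "backups-nolock": {"ObjectLockConfiguration": {}},
}

def audit_bucket(lock_response, last_restore_test, today):
    """Return a list of findings; an empty list means both rules are met."""
    findings = []
    cfg = lock_response.get("ObjectLockConfiguration", {})
    default = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = default.get("Mode")
    days = default.get("Days", 0) + 365 * default.get("Years", 0)
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock not enabled: backups are deletable")
    elif mode is None:
        # Without a bucket default, only objects the writer locks are protected.
        findings.append("no default retention: confirm per-object locks are set")
    elif mode != "COMPLIANCE":
        # Governance mode yields to any principal holding
        # s3:BypassGovernanceRetention, so stolen admin credentials can delete.
        findings.append("governance mode: retention can be bypassed")
    if mode is not None and days < MIN_RETENTION_DAYS:
        findings.append(f"retention {days}d is under {MIN_RETENTION_DAYS}d")
    if last_restore_test is None:
        findings.append("no documented restore test")
    elif (today - last_restore_test).days > MAX_TEST_AGE_DAYS:
        age = (today - last_restore_test).days
        findings.append(f"last restore test was {age} days ago")
    return findings

if __name__ == "__main__":
    today = date(2025, 12, 14)  # constructed audit date
    last_tests = {"backups-primary": date(2025, 11, 1),
                  "backups-legacy": None, "backups-nolock": date(2025, 1, 10)}
    for name, resp in SAMPLE_CONFIGS.items():
        print(name, audit_bucket(resp, last_tests[name], today) or "OK")
```

In a live audit, a bucket that never had Object Lock configured returns an error rather than an empty configuration; treat that as the "not enabled" case.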

About the "AI monitoring" pitch

Every MSP and security vendor in 2026 will sell you "AI-powered" monitoring. Some of it is real. A lot of it is a regex with a marketing budget. Here is what is actually useful for an SMB:

  • An MDR or XDR product on every endpoint. CrowdStrike Falcon Go, SentinelOne, or Microsoft Defender for Business plus a managed SOC. The "AI" matters less than the humans on call who get the alert at 2 a.m. and respond.
  • Identity anomaly detection. Microsoft Entra ID with Conditional Access (or Okta with similar) flags impossible-travel logins, new-country sign-ins, and MFA fatigue patterns. This is where most account takeovers actually trip a wire, not at the network layer.
  • A real log destination. Even a small business can ship endpoint and identity logs somewhere queryable for 30 days. When you need them, you really need them, and "we never set that up" is not a sentence you want to say out loud during an incident response call.

Skip vendors who lead with "AI" and cannot tell you what model, what data, and where the alerts go. Skepticism is healthy. The genuine improvements in this space over the last two years are real but mundane: faster correlation across signals, better noise reduction. They are not magic.

The minimum table stakes

If a remote-friendly SMB does only five things this year, do these:

  • Phishing-resistant MFA on email and identity, ideally hardware keys for admins.
  • Full-disk encryption enforced through Intune, Jamf, or Kandji on every endpoint.
  • Immutable offsite backups, tested quarterly, with a written restore runbook.
  • An EDR with a 24x7 response team behind it.
  • One person who owns this list and updates it.

If it would help to have a working stack designed around your size and budget rather than your vendor's quota, Syncritech does this for SMBs across our region.