Your Backup Won't Save You From Ransomware in 2026 — Unless You Do This

96% of ransomware attacks now target your backups specifically. Here's why the classic 3-2-1 rule fails in 2026 and what small businesses need instead.

Most small business owners feel good about their backup situation. They have a cloud backup running. Files get copied somewhere every night. If ransomware ever hit, they'd just restore from backup and be back in business. That assumption is exactly what ransomware operators count on — and why they now target backups before they trigger the attack.

The numbers that change how you think about backups

Sophos and other researchers have been tracking a shift in ransomware tactics over the past two years. The findings are hard to ignore:

  • 96% of ransomware attacks attempt to compromise backup repositories before triggering encryption. Attackers specifically look for backup servers, cloud backup credentials, and external drives.
  • 76% of those backup attacks succeed, meaning that in roughly three out of four attacks, the victim's backup is compromised, encrypted, or deleted before they even know they've been hit.
  • Median recovery cost with intact backups: $375,000. Median recovery cost with compromised backups: $3,000,000. That's an eight-fold difference — and it doesn't account for the full cost of downtime, legal exposure, or lost customers.
  • Ransomware now makes up 88% of cyberattacks on small businesses, and over two-thirds of ransomware attacks between 2024 and 2025 targeted companies with fewer than 500 employees.

The picture these numbers paint isn't that backups are useless — they're essential. The problem is that most small businesses are running backup strategies designed for hardware failures and accidental deletions, not for an adversary that methodically hunts and destroys your recovery options before you even realize you're under attack.

How modern ransomware attacks actually work

The ransomware attacks making news in 2026 don't look like the ones from 2019. Back then, attackers would get in, encrypt everything immediately, and demand a ransom. It was disruptive, but businesses with any kind of backup could often recover without paying.

Today's attacks follow a different playbook. After gaining initial access (usually through a phishing email, stolen credentials, or an unpatched vulnerability), attackers spend days or weeks quietly exploring the network before doing anything visible. During that reconnaissance phase, they're doing three things:

  1. Mapping backup infrastructure. They find your backup servers, your cloud backup credentials in saved browser passwords or configuration files, and any external drives connected to the network.
  2. Escalating privileges. They move from a regular user account to admin-level access, which gives them the power to delete or encrypt backup repositories just like any other files.
  3. Corrupting or exfiltrating data quietly. Some groups steal data for double extortion (pay us or we publish your files) before encrypting anything. Others corrupt backup files silently over weeks, so that when you restore, your "clean" backups turn out to be already damaged.

By the time the ransomware note appears on your screen, the attackers have already done the part that matters most. The encryption itself is often the last step.

Real scenario: A Southern California accounting firm ran nightly backups to a NAS device on their office network. When ransomware hit in 2025, attackers had been inside the network for 19 days. They encrypted both the live data and the NAS backups simultaneously. The firm's cloud backup had lapsed because a credit card expired. Recovery cost: over $280,000 in IT forensics, rebuilt systems, and eight weeks of reduced capacity.

Why the classic 3-2-1 rule isn't enough anymore

The 3-2-1 backup rule has been the gold standard for decades. It means:

  • 3 copies of your data
  • 2 different types of media (e.g., local hard drive + cloud)
  • 1 copy stored offsite

This rule protects against hardware failures, fires, floods, and accidental deletions. It was designed for a world where the threat was physical damage or human error — not an attacker who has your admin password and is deliberately targeting your backup infrastructure.

The problem with 3-2-1 against ransomware is that "offsite" and "cloud" don't equal "safe" if the attacker has your cloud backup credentials. If your cloud backup service is authenticated via a username and password stored on a compromised device, an attacker with admin access can log into that service and delete everything. The backup is offsite. The attacker got there anyway.

The 3-2-1-1-0 rule: what's actually required in 2026

The industry has converged on an updated standard called the 3-2-1-1-0 rule. It adds two critical requirements to the classic rule:

  • 3: Three copies of your data. Your live data plus two backup copies. Not one backup — two. If you only have one, you have no redundancy when the backup itself fails during a restore attempt.
  • 2: Two different media types. Local storage (NAS, external drive, backup appliance) plus cloud storage. Using two different media types protects against a single-vendor or single-technology failure.
  • 1: One copy offsite. At least one copy stored outside your physical location, protected against fire, flood, theft, and physical disaster. Cloud backup qualifies for this.
  • 1: One immutable copy — this is the new requirement. At least one backup copy stored with object lock or immutability enabled, meaning no one — not even an admin with full credentials — can modify or delete it during the retention window. This is what defeats ransomware that gains admin access. The storage layer itself refuses delete requests regardless of the account making them.
  • 0: Zero errors — meaning tested and verified backups. Backups that have never been tested are not backups — they're hopes. The zero means you conduct regular restore tests (quarterly at minimum) to verify that your backups are complete and that data can actually be recovered within an acceptable timeframe. Most small businesses have never done a restore test.

What immutable backups actually are

The term "immutable" sounds technical, but the concept is straightforward. An immutable backup is stored with a time-locked write-once policy. Once data is written, it cannot be overwritten, modified, or deleted until the retention window expires — typically 30 to 90 days.

This isn't a software-level restriction. It's enforced at the storage layer itself. Even if an attacker gains full admin credentials to your systems, your Microsoft 365 tenant, or your cloud backup console, the storage provider's object lock system will reject any delete or overwrite request for data within the retention window. There is no admin bypass.

Most major cloud backup providers now support this. Microsoft Azure Backup, Veeam Cloud Connect, Acronis Cyber Cloud, and Druva all offer immutable storage options. The feature is sometimes called "object lock," "WORM storage" (write once, read many), or "ransomware-proof backup" in vendor marketing. The underlying technology is the same.

Important nuance: Immutability protects your backup data. It does not prevent ransomware from encrypting your live data. A business hit by ransomware with immutable backups in place still has to restore from those backups — which takes time. The value is that you have clean data to restore from, and you eliminate the extortion leverage entirely.
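Whether a delete request is really refused depends on how the lock is configured, so it is worth checking rather than assuming. The following is an added example, not code from this article or from any vendor. It assumes an S3-compatible object store (the article does not name one) and audits constructed sample responses shaped like S3's GetObjectLockConfiguration output; `audit_object_lock` and the 30-day floor (the low end of the 30 to 90 day range above) are illustrative choices.

```python
def _lock(mode, days):
    """Build a constructed response in the shape of GetObjectLockConfiguration."""
    return {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}}

# Constructed samples, not taken from any real account.
SAMPLES = {
    "no-lock": {},                              # bucket created without object lock
    "governance-60d": _lock("GOVERNANCE", 60),  # weak: privileged bypass exists
    "compliance-14d": _lock("COMPLIANCE", 14),  # strong mode, window too short
    "compliance-60d": _lock("COMPLIANCE", 60),  # the setting you want
}

def audit_object_lock(response, min_days=30):
    """Return a list of findings; an empty list means the configuration passes."""
    cfg = response.get("ObjectLockConfiguration") or {}
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["object lock is not enabled: a delete with valid credentials succeeds"]
    retention = (cfg.get("Rule") or {}).get("DefaultRetention")
    if not retention:
        return ["no default retention: objects are locked only if the backup "
                "tool sets retention on each upload"]
    findings = []
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        # In governance mode, a principal holding s3:BypassGovernanceRetention
        # can shorten or remove the lock, so stolen admin credentials still work.
        findings.append(f"mode is {mode}: principals with "
                        "s3:BypassGovernanceRetention can still delete")
    # S3 expresses the window in either Days or Years.
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_days:
        # A window shorter than the attacker's time inside the network means
        # the last clean copies may already have expired when you need them.
        findings.append(f"retention is {days} days, below the {min_days}-day floor")
    return findings

if __name__ == "__main__":
    for name, response in SAMPLES.items():
        print(name, "->", audit_object_lock(response) or "OK")
```

Against a real bucket, the dictionary would come from the provider's API or CLI instead of `SAMPLES`; other vendors expose the same two questions (can a privileged account shorten the lock, and how long is the window) under different names.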

Why childcare centers need to take this seriously

Childcare centers don't think of themselves as ransomware targets. That's part of what makes them attractive to attackers. Ransomware groups increasingly work with lists of organizations that hold valuable data but run lean security operations — childcare centers fit that profile well.

Consider what a childcare center actually holds:

  • Parent financial data — credit card numbers, bank account details, payment history
  • Children's records — immunization records, allergy information, emergency contacts, photos
  • Staff employment records — Social Security numbers, payroll information, background check results
  • State licensing documentation — records that, if lost, can trigger a compliance review

A ransomware attack on a childcare center doesn't just mean downtime. It can mean parents pulling their children, state agencies getting involved, and legal exposure for the loss of children's personal records. The reputational damage alone can be permanent for a small center operating on referrals and trust.

California's CCPA and related regulations add another layer: businesses that lose personal data through inadequate security controls can face penalties and private lawsuits. A ransomware attack that exposes parent and child data is not just an IT problem — it's a legal one.

What a proper backup setup looks like for a 5-25 person business

You don't need an enterprise IT team to implement 3-2-1-1-0. Here's what a practical, affordable implementation looks like for a small business or childcare center with 5-25 employees:

Layer 1: Local backup (daily incrementals)

A NAS device or small backup appliance on your local network performs daily incremental backups of your critical data. This gives you fast local restores for common scenarios — accidental file deletion, a single machine failure. Local backups should be on a dedicated device that is not reachable by regular workstations via network file shares. Many businesses make the mistake of putting backups on a drive that's mapped as a shared network folder — ransomware will encrypt that too.

Layer 2: Cloud backup with immutability enabled (daily)

Your cloud backup runs daily and stores data with a 60-day immutability window enabled. This is your ransomware-proof copy. If attackers compromise your network and attempt to delete your cloud backups, the immutability lock blocks them. Pricing for cloud backup with immutability runs approximately $100-300 per month for 5-20 users depending on data volume.

Layer 3: Weekly verified restore tests

Monthly or quarterly, a restore test pulls a sample of data from your backup and verifies it can be recovered cleanly. This doesn't need to be a full system restore — spot-checking critical files and one or two key databases is enough to verify the backup pipeline is working. Keep a log of these tests. If you ever face a ransomware demand or a regulatory inquiry, documented restore tests demonstrate that your backup program was genuine and not performative.
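One way to make a restore test produce evidence rather than a green checkmark is to hash files at backup time and compare the restored sample against those hashes. The following is an added example, not EDCON's tooling or any backup product's feature; the function names, file names and log format are hypothetical, and the sample data is constructed.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(source_dir):
    """Hash every file under source_dir at backup time (relative path -> SHA-256)."""
    root = Path(source_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_dir, log_path):
    """Compare restored files with the manifest and append the result to a log."""
    root = Path(restored_dir)
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        target = root / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != expected:
            corrupted.append(rel)   # restored, but not the bytes that were backed up
    result = {"tested_at": datetime.now(timezone.utc).isoformat(),
              "files_checked": len(manifest), "missing": missing,
              "corrupted": corrupted, "passed": not (missing or corrupted)}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(result) + "\n")   # one JSON line per restore test
    return result

def demo():
    """Constructed sample: three files backed up, one lost and one altered on restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        live.mkdir()
        restored.mkdir()
        for name, body in [("ledger.csv", b"id,amount\n1,100\n"),
                           ("roster.txt", b"staff list\n"),
                           ("payroll.db", b"\x00binary payroll\x00")]:
            (live / name).write_bytes(body)
        manifest = build_manifest(live)
        (restored / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
        (restored / "roster.txt").write_bytes(b"staff lisT\n")  # silently altered
        # payroll.db is deliberately absent from the restore
        return verify_restore(manifest, restored, Path(tmp, "restore_tests.jsonl"))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only trustworthy if an intruder cannot rewrite it, so keep it with the immutable copy rather than on the machine being backed up.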

Layer 4: Air-gapped or physically isolated backup (monthly or quarterly)

For maximum protection, a monthly full backup to an external drive that is disconnected and stored offsite (or in a fireproof safe) gives you a recovery option that no network-connected attacker can touch. This is the "air gap" — physical separation between backup and network. For most small businesses, this means plugging in an external hard drive once a month, running a full backup, and putting the drive in a drawer or taking it home. Low-tech, but genuinely immune to network-based attacks.

Estimated monthly cost for a 10-person business:

  • Cloud backup with immutability (e.g., Acronis, Veeam, Azure Backup): $120-250/month
  • Local NAS device (one-time hardware cost, amortized): $30-60/month
  • Monthly external drive backup: $5-15/month (hardware cost only)
  • Total: roughly $150-325/month — less than most businesses spend on coffee

The most common backup mistakes small businesses make right now

In the course of supporting small businesses across Southern California, EDCON sees the same backup mistakes repeatedly. These aren't obscure technical failures — they're predictable gaps that leave businesses exposed:

  1. Backup credentials stored on network-connected devices. If your cloud backup password is saved in a browser or a config file on a workstation, an attacker who compromises that workstation can access and delete your cloud backups. Backup credentials should be stored in a password manager that requires separate authentication — not auto-filled from a saved browser session.
  2. Treating Microsoft 365 as a backup. Microsoft 365 provides service availability — it doesn't provide backup and recovery. If an employee accidentally deletes a SharePoint site or a ransomware attack encrypts files synced to OneDrive, Microsoft's retention defaults may not be enough. Microsoft's own documentation recommends third-party backup for M365 data.
  3. Backups on the same network segment as workstations. A NAS device or backup server that's reachable as a mapped drive from any workstation is vulnerable. Ransomware spreads across network shares. Backup infrastructure should be on a separate VLAN or have network access restricted to the backup agent only.
  4. Never testing restores. The backup software says it's running. The dashboard shows green checkmarks. But no one has ever actually tried to restore a file, let alone a full system. Backups that fail during a restore are not backups. Test them.
  5. Only backing up servers and not endpoints. Staff laptops and workstations hold critical data too — local documents, browser-saved passwords, desktop files. When a workstation is hit, the question "do we have a backup of this machine?" often gets an uncomfortable silence.

How EDCON sets up backup for small businesses and childcare centers

When EDCON sets up backup for a small business or childcare center, we start with a data mapping exercise: where does your important data actually live? For most small businesses, the answer involves a combination of Microsoft 365 (SharePoint, OneDrive, Exchange), a local server or NAS, cloud-based apps (QuickBooks Online, practice management software, childcare management platforms), and staff workstations.

Each data location needs its own backup strategy, because they fail in different ways and have different recovery requirements. A SharePoint site going missing is a different problem from a staff laptop getting stolen, and a ransomware attack that encrypts a local file server is different from a cloud service experiencing an outage.

We implement immutable cloud backup using services appropriate to your data volume and recovery time requirements, configure local backup agents on servers and key workstations, establish the network segmentation needed to keep backup infrastructure isolated from regular user traffic, and set up automated monthly restore tests with logged results you can review.

We also provide the incident response piece: if you do get hit by ransomware or experience data loss, you want a team that already knows your backup architecture and can execute recovery efficiently rather than figuring it out under pressure. Response time in a ransomware incident is measured in hours, not days — every hour of downtime has a real cost.

For childcare centers specifically, we pay attention to the compliance angle: documenting what data you hold, where backups live, how long they're retained, and how access is controlled. That documentation is increasingly important for California privacy law compliance and is something state licensing inspectors are beginning to ask about.

Frequently asked questions

What is the 3-2-1-1-0 backup rule?

It's an evolution of the classic 3-2-1 rule designed for the ransomware era. Three copies of your data, on two different media types, with one copy offsite, one copy immutable (storage-layer protected against deletion), and zero unverified backups. The two additions — immutability and regular restore testing — are specifically what defeat modern ransomware tactics.

Why are my existing backups at risk from ransomware?

Ransomware operators target backups because a business with intact backups won't pay the ransom. Modern attacks spend days or weeks inside your network before triggering encryption, using that time to find and delete backup copies. If your backups are accessible via admin credentials that can be stolen — which includes most cloud backup consoles — they're vulnerable. Immutability removes that vulnerability by making deletion impossible at the storage layer, regardless of credentials.

How much does a proper backup setup cost for a small business?

For a 5-20 person business, expect $150-325 per month for a full 3-2-1-1-0 setup including immutable cloud backup, local backup appliance (amortized hardware cost), and managed monitoring. Compare that to the median ransomware recovery cost of $3 million when backups fail — or even $375,000 when backups are intact but recovery still takes weeks of IT work, legal fees, and downtime.

Are childcare centers really targeted by ransomware?

Yes. Childcare centers hold financial data, children's personal records, staff information, and state licensing documentation — a combination that makes them attractive targets. They also tend to run lean IT setups, which makes them easier to compromise. A successful attack doesn't just mean downtime; it can mean parent trust destroyed, state regulatory involvement, and legal exposure under California privacy law for exposure of children's records.

Does Microsoft 365 back up my business data automatically?

No. Microsoft 365 provides service availability — it ensures the apps stay online — but it is not a backup solution. If data is deleted or encrypted in SharePoint, OneDrive, or Exchange, Microsoft's default retention settings may not cover your recovery window. Microsoft explicitly recommends using a third-party backup solution for M365 data. EDCON configures dedicated M365 backup as part of any complete backup implementation.

Is your backup strategy actually ransomware-proof?

Most aren't. EDCON provides a free backup assessment for small businesses and childcare centers in Southern California. We'll review your current setup, identify gaps, and give you a plain-English report on what's working and what would leave you exposed in a real attack. No obligation, no jargon.
