Backups are not enough: Why you must test them to protect your business
Since we moved away from the hit-and-miss era of physical tapes and caddies, backups have become a bit of a "magical" background process. They live in the cloud, they happen automatically, and we assume our data can be restored on demand.
But can it really?
Back when we used tapes, the process was tangible. If a drive failed, it happened right in front of you. Because that risk was so visible, test restores were a non-negotiable part of the routine. Today, that visibility is gone. You might trust your IT provider to "take care of all that stuff," but the real question is: Does your insurance company trust them? And if they don't, where does that leave your liability?
The Insurance Shift
In 2026, cyber insurance underwriters have moved past "yes/no" checkboxes. They don't just want to know if you have backups; they want proof of how often you validate them and the documentation to show those tests were successful.
Consider this scenario:
Systems are compromised.
You attempt a restore, only to find the backups are also corrupted or encrypted.
You fall back on insurance, but they deny the claim because you failed to meet your obligations under the policy.
Result: Your business is severely compromised, and you're footing the bill alone.
This is where many otherwise well-run New Zealand organisations are exposed. My goal here isn't to cause alarm, but to highlight simple practices that ensure you are confident in both your recovery capability and your insurance standing.
What a "Test Restore" actually looks like
A test restore is essentially a dry run. Instead of just trusting the "green tick" on last night’s dashboard, you pull specific data into a safe, isolated environment to prove it’s readable and that your team actually knows how to perform the recovery under pressure.
Common pitfalls to avoid:
The "Cloud is Magic" Myth: Assuming that "backing up to the cloud" automatically equals a fast recovery.
The Dashboard Trap: Treating a successful backup notification as the end of the story.
Outdated Confidence: Relying on a file restore you did three years ago as proof that a full system recovery will work today.
A better approach:
Schedule regular drills: At least annually, or quarterly for mission-critical systems.
Mix up the scenarios: Test a single file, a core application (like your ERP or CRM), and a full server failover.
Validate the data: Don't just check if the file exists—open it. Is the database mounting? Are the images clear?
Document everything: Record when it happened, what was restored, how long it took, and—crucially—what didn't work and how you fixed it.
Why the sudden scrutiny?
If you look at a modern cyber insurance questionnaire, the backup section is now a deep dive. Underwriters are asking about frequency, immutability (backups that can't be changed or deleted), and offline storage. They’re asking because they’ve seen too many claims where a business discovers, far too late, that their "backups" were never going to support a timely recovery.
Pro tip: Don't let the insurance form sit solely with your Finance team or Broker. Sit down with your IT team or MSP and answer those technical questions together. Ensure what you attest to on the policy matches what you are actually doing on the ground.
The Real Risk: Encrypted Backups
Modern ransomware doesn't just lock your live data; it often sits quietly and encrypts your backups over time. If your backups aren't isolated or "immutable," you might find yourself with a beautifully consistent backup of useless, encrypted data. A robust strategy requires at least one copy that is completely "air-gapped" or immutable.
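An added example (not from the original article or from Swerve) of the "Validate the data" and "Document everything" steps, covering the encrypted-backup case as well: a restored file can match the hash recorded at backup time and still be unreadable. The signature table, the entropy threshold of 7.0, the file names and the four-hour recovery target are assumptions made for illustration.

```python
import hashlib, math, os, tempfile, time
from collections import Counter
from pathlib import Path

# Assumed expectations (not from the article): file signatures and text-like types.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".sqlite": b"SQLite format 3\x00"}
TEXT_LIKE = {".csv", ".txt", ".log", ".sql"}

def entropy(data):
    """Shannon entropy in bits per byte (0 for empty input); ciphertext is near 8.0."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def check_file(path, expected_sha256):
    """Return the problems found in one restored file (empty list means it passed)."""
    if not path.is_file():
        return ["missing"]
    data, problems = path.read_bytes(), []
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        problems.append("hash mismatch")
    ext = path.suffix.lower()
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        problems.append("wrong file signature")
    if ext in TEXT_LIKE and entropy(data) > 7.0:
        problems.append("high entropy, possibly encrypted")
    return problems

def run_drill(restore_dir, manifest, started, finished, rto_seconds):
    """Build the drill record: when, what was checked, how long, what failed."""
    checks = {rel: check_file(Path(restore_dir, rel), sha) for rel, sha in manifest.items()}
    failures = {rel: found for rel, found in checks.items() if found}
    duration = finished - started
    return {"started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(started)),
            "files_checked": len(manifest), "failures": failures,
            "duration_seconds": duration, "rto_seconds": rto_seconds,
            "passed": not failures and duration <= rto_seconds}

def demo():
    """Constructed sample: three restored files whose hashes all match the manifest."""
    files = {"invoices.csv": b"id,amount\n" + b"1001,250.00\n" * 500,
             "contract.pdf": b"%PDF-1.7\n(constructed sample)\n",
             "payroll.csv": os.urandom(8192)}  # stands in for ransomware-encrypted data
    restore_dir = tempfile.mkdtemp(prefix="restore-drill-")
    for name, body in files.items():
        Path(restore_dir, name).write_bytes(body)
    manifest = {name: hashlib.sha256(body).hexdigest() for name, body in files.items()}
    return run_drill(restore_dir, manifest, 1767225600, 1767225600 + 5400, rto_seconds=14400)

if __name__ == "__main__":
    print(demo())
```

In the constructed run, payroll.csv matches its manifest hash yet is still reported as a failure, which is the case a hash-only or "green tick" check misses. The returned dictionary is the drill record and can be saved as a dated file for the board or broker.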
What "Good" looks like for NZ Mid-Market Businesses
You don't have to be perfect, but you do have to be deliberate. A sensible baseline includes:
Automated backups plus one immutable/offline copy separate from your main network.
MFA (Multi-Factor Authentication) for any admin access to your backup platform.
Agreed Recovery Times: Knowing exactly how long it takes to get back online and testing against that target.
A written Incident Response Plan: A simple "who does what" guide for when the lights go out.
How Swerve handles the "Insurance Gap"
At Swerve, we see cyber insurance as a "forcing function"—a way to drive better habits rather than just another bill to pay. We don't just sell backup storage by the gigabyte. Instead, we map your current setup against the specific risks your insurer is looking for.
We provide plain-English recommendations: what to fix now, what to plan for, and how to ensure your technical reality matches your insurance story.
Your next step
Don’t wait for an incident or a policy renewal to find out if your safety net holds.
Pick one critical system this week. Ask your IT provider to run a supervised test restore and explain the process to you in plain English. Ask for a one-page report on the result that you can share with your board or your broker.
If you’d like a second pair of eyes, we run focused "Backup and Health Checks" for New Zealand businesses. Let’s make sure your "green ticks" actually mean what you think they do.