Service deep-dive
Backup that actually restores. BCDR that survives ransomware.
Cove Data Protection by N-able for managed backup. Datto SIRIS appliance for Tier 3 business continuity. Immutable off-site copies, automated restore testing, and quarterly documented evidence — built for businesses that intend to be operating the day after a ransomware event.
The problem with most SMB backup
When we ask a new client to describe their backup, the answer is almost always one of three things. “We're on OneDrive.” “Our last IT guy set up a tape and we think it's still running.” Or “There's a Synology in the back room that copies things at night.”
All three describe storage. None of them describe a backup that would survive a real ransomware event. OneDrive sync propagates the encryption. The tape was last verified in 2022. The Synology is reachable from the same network that just got compromised, with the same domain credentials the attacker now holds.
A real backup, in 2026, must satisfy three properties at once. It must be immutable — meaning no credential available on your network can delete or modify it. It must be off-site — meaning a fire, flood, or full-site ransomware does not take it with the production data. And it must be tested — meaning somebody has actually pulled data back out of it on a regular schedule and confirmed the restore worked.
Most SMB “backup” satisfies zero of those three. The result is that when something goes badly wrong, the recovery story is “we paid the ransom and hoped” or “we rebuilt from scratch and lost a quarter.” Both happen in this region every year and neither has to.
The architecture we deploy
Standard build on every managed tier. The same architecture protects a five-seat trucking office and a forty-seat sawmill — only the appliance sizing and retention windows change.
Three copies, two media, one off-site
Production data, a local backup on different media, and an off-site immutable copy in Canadian data centres. The 3-2-1 rule is forty years old and still the only model that survives the realistic failure scenarios.
Immutable cloud copy
The off-site copy cannot be deleted, encrypted, or modified by any credential — including domain administrator, including the backup service account itself, including us. Ransomware with full admin can do many things. Reaching the immutable copy is not one of them.
M365 SaaS backup, separate from Microsoft
Microsoft retains your mail and SharePoint data for 30–93 days depending on the SKU. That is retention, not backup. We deploy Cove M365 protection that snapshots Exchange, OneDrive, SharePoint, and Teams independently — so a malicious or accidental delete can be restored months later, item-level.
Endpoint protection for laptops
File servers are the obvious target. Laptops are the unobvious one. Optional endpoint backup snapshots user profile data — Documents, Desktop, OneDrive cache — so a stolen, ransomed, or simply broken laptop is recoverable to the last sync.
What we actually back up
The default protection set, not a maximum. Most clients add or remove items as the business changes — we adjust quarterly during the business review.
Microsoft 365
Exchange Online mailboxes, SharePoint site collections, OneDrive accounts, Teams chats and files. Independent retention, point-in-time restore, item-level granularity for anything from a single email to an entire site.
File servers
On-premise Windows file servers and Linux NAS appliances. Full VM-level backup plus file-level restore. Application-consistent snapshots where applicable (SQL, Exchange on-prem, Hyper-V hosts).
Line-of-business applications
Sage, QuickBooks Desktop, ServiceTitan local data, agriculture and trucking management systems, custom databases. Backed up with their dependencies — credentials, configuration, encryption keys — so a restore brings the application back, not just the data.
Configuration and infrastructure
Firewall configurations, switch configs, Group Policy, DNS zones, Conditional Access policies. The metadata that makes a restored environment actually work, not just sit there.
Endpoint snapshots (optional)
Per-laptop backup for organizations with road-warrior staff or significant local-only files. Add-on per endpoint, sized to actual usage.
Restore testing — the part most providers skip
A backup that has never been restored is a guess. Carriers know this. The 2025–2026 cyber-insurance questionnaires now ask, explicitly: do you test restores, how often, and can you produce evidence. This is what we do, on every managed tier, by default.
Automated weekly
Cove runs scripted restore tests against a sample of backups every week and writes a pass/fail to the monthly report. Failed restores are tickets — they get worked the same day, not the next quarter.
Manual quarterly
Once per quarter we pick a real workload — a SharePoint site, a critical mailbox, a file server VM — and do a full end-to-end restore to isolated infrastructure. Documented with screenshots, restore time, restored data integrity check, and a written sign-off. This is the artifact most cyber-insurance carriers now require.
Annual full-environment drill
Tier 3 clients run a full simulated disaster recovery exercise once a year — restore the file server, restore M365 to a test tenant, walk through the recovery runbook. Two-day exercise, written report, lessons fed back into the runbook.
Insurance evidence package
Cyber-insurance applications and renewals increasingly demand evidence of tested backups, not just the existence of backups. We produce a quarterly evidence package — test logs, restore times, RTO/RPO performance — that drops directly into the renewal application.
Cyber Premium upgrade
Tier 3 BCDR — when downtime cost is measured in hours
Standard managed backup protects the data. Tier 3 BCDR protects the operation. A Datto SIRIS or Cove BCDR appliance sits on-site, takes continuous snapshots of your critical servers, and can boot virtual copies of them in minutes if the primary fails. Built for businesses where four hours of downtime costs more than a year of the upgrade.
Local virtualization
When the primary file server dies — disk failure, ransomware, fire, theft — the Datto SIRIS appliance boots a virtual copy of the server within minutes, on its own hardware, on your network. Users keep working while we rebuild the primary.
Hybrid cloud failover
If the entire site is unavailable — burned-down building, extended power loss, internet outage longer than the appliance battery — workloads can fail over to cloud copies running in Canadian data centres. Slower to spin up but available.
Minutes, not hours
Standard cloud-only backup recovery is measured in hours per terabyte. Tier 3 BCDR is measured in minutes for the most critical workloads. The difference matters when payroll runs Friday and the file server died Thursday night.
Documented recovery runbook
A written runbook tailored to your environment — order of operations, who calls whom, what the user-facing comms look like, what gets restored first. We run it annually in the tabletop exercise.
Pricing — bundled, plus honest about the variable part
Backup infrastructure and management is bundled into every managed tier. The seat price you see on the services page already includes the per-endpoint protection, M365 SaaS backup, monitoring, restore testing, and quarterly evidence package.
The honest exception is cloud retention storage. Cloud storage is billed by the gigabyte by the underlying provider, and we pass that through at cost. For most SMB workloads — M365 mailboxes, SharePoint sites, a moderate file server — cloud retention runs $50–$300 per month on top of seat pricing. For data-heavy operations (sawmills with engineering files, accounting firms with decades of client archives, agriculture operations with imagery), it can run higher.
We size cloud retention during the assessment, write the number on the proposal, and you see the actual storage bill on every monthly invoice.No hidden margin, no surprise “data growth” bills.
Frequently asked questions
Is OneDrive enough?
No. OneDrive is sync, not backup. If a file is deleted, corrupted, or encrypted on a synced device, that change propagates to the cloud copy within minutes — and to every other synced device after that. OneDrive Version History helps for accidental edits inside the 30-day window, but it does not protect against ransomware, malicious insider deletion, or anything older than the retention window. A real SaaS backup product is required, separate from Microsoft.
What about ransomware?
Ransomware groups that successfully extort SMBs in 2026 almost always destroy backups first. They reach domain admin, log into your backup console, and delete or encrypt the backup repositories — typically days before they detonate the encryption payload. The defence is immutable, credential-isolated, off-site storage that cannot be deleted by any credential available on your network. That is the architecture we deploy by default, on every tier.
How fast can we recover?
Depends on the tier and the workload. For Cyber Essentials + Managed IT clients, a single mailbox restore is 30–60 minutes, a full file server restore is hours, and a full site-rebuild from cloud is one to two business days. For Cyber Premium with the BCDR appliance, the critical workloads fail over in minutes — we have stood up a virtualized file server inside 15 minutes of confirmed failure in test scenarios.
What if Starlink is down?
This is a real northern Alberta question and we plan for it. Local backups continue to run on the on-premise repository — they do not depend on internet. Local restores from the on-premise copy work without internet. The off-site cloud copy resumes uploading once connectivity returns. For Tier 3 BCDR, local virtualization keeps working entirely offline; only the cloud failover path requires internet, and that is the fallback to the fallback.
Do you test restores?
Yes — automated weekly, manual quarterly, and an annual full-environment drill for Tier 3 clients. Restore evidence is documented and delivered to you with the monthly report. An untested backup is a hope, not a backup. Carriers know this and so do we.
Want to know if your current backup would actually restore?
The free Risk Report covers backup posture in its first three questions. The paid assessment digs into the actual configuration and produces a written verdict your broker can use.