In early 2024, Change Healthcare, the company that processes roughly one-third of all U.S. healthcare claims, got hit with ransomware. The attack disrupted pharmacies, hospitals, and medical billing across the country for weeks. UnitedHealth Group, their parent company, eventually admitted to paying a $22 million ransom because restoring from backups would’ve taken too long given the scale of the disruption.
They had backups. The backups weren’t the problem. The problem was that the backups couldn’t restore operations fast enough to prevent the entire U.S. healthcare claims system from collapsing.
That’s a Fortune 10 company. Now picture a five-person CPA practice in tax season with a USB drive backup that nobody’s tested since last August.
The backup that isn’t really a backup
Most small firms have something they call a backup. Usually it’s one of these: a USB hard drive that someone plugs in periodically, a NAS device sitting on the same network as everything else, or a cloud sync tool like OneDrive or Dropbox.
None of these are real backup strategies. They’re copies of your data that happen to exist somewhere else. The distinction matters when something goes wrong.
The USB drive only has data from the last time someone remembered to plug it in. If that was three weeks ago, you’re losing three weeks of work. In tax season, that’s not an inconvenience. That’s a firm-ending event.
The NAS on your network is accessible from every device on that same network. When ransomware encrypts your workstations, it encrypts the NAS too. The attacker doesn’t have to find it. The ransomware just follows the mapped drives. The FBI’s IC3 2023 report notes that attackers increasingly target backup systems specifically because they know that’s what stands between a victim paying the ransom and recovering on their own.
OneDrive and Dropbox sync files in both directions. If ransomware encrypts a file on your desktop, the encrypted version syncs to the cloud and overwrites the good copy. Both services have version history that can sometimes save you, but it’s not designed as a disaster recovery tool and it doesn’t cover databases, application configs, or anything outside the sync folder.
What a real backup strategy looks like
The standard is 3-2-1. Three copies of your data, on two different types of media, with one copy offsite. That framework has been around for decades because it works. But there’s an update that matters now more than it ever has: the offsite copy needs to be immutable.
Immutable means it can’t be changed or deleted for a defined retention period, not by you, not by your IT person, and not by an attacker who has compromised your admin credentials. CISA recommends immutable backups as a core defense against ransomware specifically because attackers have gotten very good at finding and destroying backup systems before they deploy the encryption.
The right setup looks something like this. Local backups for fast recovery from everyday problems: a deleted file or a crashed hard drive. Cloud or offsite backups with immutable retention for disaster recovery. And regular, scheduled test restores to verify the backups actually work.
That last part is the one everyone skips. A backup you’ve never tested is a backup you’re hoping works. Hope is not a recovery strategy.
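As an added example, not from the article or from any particular backup product, the Python script below turns the three requirements above into checks a firm can actually run: it audits a backup inventory against 3-2-1 with the immutability requirement, flags any copy older than the chosen recovery point objective (the stale USB drive problem from earlier), and performs a test restore that compares every restored file against the hash manifest recorded at backup time, which is how an encrypted file that quietly synced into the backup gets caught. The inventory, file names, dates and the 21-day-old USB copy are all constructed for the demonstration.

```python
"""Added example: 3-2-1 inventory audit plus a hash-verified test restore.
Every inventory value and sample file below is constructed, not real data."""
import hashlib
import tarfile
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List, Optional


@dataclass
class BackupCopy:
    name: str
    media: str                           # "disk", "tape", "object-storage", ...
    offsite: bool
    immutable_until: Optional[datetime]  # None means it can be deleted at any time
    last_completed: datetime


def audit_321(copies: List[BackupCopy], now: datetime, max_age: timedelta) -> List[str]:
    """Check 3 copies / 2 media types / 1 offsite, require an offsite copy that is
    immutable right now, and flag any copy older than max_age (the RPO).
    The live production data counts as one of the three copies.
    Returns a list of findings; an empty list means the inventory passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies on one media type, need 2")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("no offsite copy")
    elif not any(c.immutable_until and c.immutable_until > now for c in offsite):
        findings.append("no offsite copy is immutable at this moment")
    for c in copies:
        age = now - c.last_completed
        if age > max_age:
            findings.append(f"{c.name} is {age.days} days old, RPO is {max_age.days}d")
    return findings


def sha256_tree(root) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source_dir, archive_path) -> Dict[str, str]:
    """Write a tar.gz of source_dir and return the manifest recorded at backup
    time; a later test restore is compared against this manifest."""
    source_dir = Path(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=str(p.relative_to(source_dir)))
    return sha256_tree(source_dir)


def verify_restore(archive_path, manifest: Dict[str, str]) -> dict:
    """Restore into a scratch directory and compare every file hash with the
    manifest, so a missing, corrupted or encrypted-then-synced file is caught."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # rejects path traversal (3.12+, backported)
            except TypeError:                           # older interpreters lack the filter argument
                tar.extractall(scratch)
        restored = sha256_tree(scratch)
    missing = sorted(set(manifest) - set(restored))
    corrupt = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt}


def demo() -> dict:
    """Constructed scenario: a healthy backup, then a later backup taken after
    ransomware has overwritten one file (exactly what a sync tool would propagate)."""
    now = datetime(2024, 3, 15, tzinfo=timezone.utc)
    inventory = [  # constructed inventory for a small practice
        BackupCopy("live fileserver", "disk", False, None, now),
        BackupCopy("USB drive", "disk", False, None, now - timedelta(days=21)),
        BackupCopy("cloud bucket", "object-storage", True, now + timedelta(days=90),
                   now - timedelta(days=1)),
    ]
    findings = audit_321(inventory, now, max_age=timedelta(days=1))
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "clients"
        src.mkdir()
        (src / "returns.db").write_bytes(b"constructed client data")
        (src / "engagements.txt").write_text("acme: audit\n")
        manifest = make_backup(src, Path(work) / "good.tgz")
        (src / "returns.db").write_bytes(b"ENCRYPTED-BY-RANSOMWARE")  # simulated encryption
        make_backup(src, Path(work) / "bad.tgz")                        # next run backs up the damage
        return {"findings": findings,
                "good_restore": verify_restore(Path(work) / "good.tgz", manifest),
                "bad_restore": verify_restore(Path(work) / "bad.tgz", manifest)}


if __name__ == "__main__":
    print(demo())
```

Running it reports one inventory finding (the USB copy is three weeks past a one-day RPO), a clean restore of the first archive, and `returns.db` listed as corrupt in the second, because the manifest was recorded before the file changed. In a real deployment the manifest must be stored with the immutable copy, not beside the live data, or an attacker who reaches the fileserver can rewrite both.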
The math nobody wants to do
Think about how much billable work your firm produces in a single day. Now multiply that by the number of days it would take to rebuild everything from scratch if your files, your case management database, your email archive, and your accounting system all disappeared at once.
For most small professional services firms, that number is somewhere between catastrophic and permanent. Not because they don’t have the clients to rebuild the revenue, but because the clients can’t wait. They’ll go somewhere else. They have to. They have deadlines, and your disaster is not their problem.
A proper backup system with offsite immutable storage, monitoring, and tested restores costs a fraction of what a single day of downtime costs. It’s not even close. The firms that don’t invest in backups aren’t saving money. They’re borrowing against a disaster they haven’t had yet.
