If you are shopping for a backup solution, you’re probably not doing it for fun. You’re doing it because you have felt the pain of a close call, a scary security headline, a compliance requirement, or a real outage that stopped work.
As an MSP, we see the same pattern over and over. Businesses think backup is a product you buy, install, and forget. In reality, backup is a business capability you design, test, monitor, and continuously improve.
This guide will help you evaluate backup solutions like a buyer who knows what actually matters at restore time.
Start with outcomes, not features
Before you compare vendors, answer two questions for each system you care about.
How much data can you afford to lose
This is your recovery point objective, or RPO. If you back up once per day, your RPO is roughly one day. If you back up every hour, it is closer to an hour.
How long can you afford to be down
This is your recovery time objective, or RTO. It is the time to restore service and get users working again.
These two metrics determine almost everything else: architecture, storage, bandwidth, licensing, and cost. They also force a reality check. If leadership says downtime costs ten thousand dollars per hour, but the plan is “we back up nightly to a USB drive,” those two statements cannot both be true.
NIST’s contingency planning guidance emphasizes building practical recovery capability as part of resiliency planning, not as an afterthought. (NIST Computer Security Resource Center)
Inventory your data, because not all data backs up the same
A backup tool that works great for one data type can be the wrong fit for another. Build a simple inventory with these categories:
On-premises servers and virtual machines
Think file servers, application servers, domain controllers, and virtual infrastructure.
Cloud infrastructure and workloads
Virtual machines, databases, storage accounts, and cloud-native services.
Microsoft 365 and other SaaS data
Email, OneDrive, SharePoint, Teams, plus platforms like Salesforce, QuickBooks Online, or industry-specific systems.
Endpoints and laptops
Especially important for remote teams and executives who store critical files locally.
Databases and line-of-business applications
SQL, ERP, EHR, and anything that requires application-consistent backups.
This inventory also helps you define scope. Many organizations assume “our cloud provider backs up everything.” Some services have resilience features, but that is not the same as having a business-controlled backup and restore plan.
Assume ransomware will target your backups
A modern backup strategy is not only about hardware failure. It is also about adversaries.
CISA guidance for ransomware resilience includes maintaining offline backups of critical data and regularly testing availability and integrity, because attackers often try to delete or encrypt accessible backups. (CISA)
Microsoft’s security guidance makes the same point and explicitly recommends protecting backups from deliberate erasure or encryption, including keeping an offline or offsite copy and using immutable storage. (Microsoft Learn)
So when you evaluate solutions, do not just ask “can it back up.” Ask “can it survive an attacker who already has admin privileges.”
Use the backup rule as a baseline, then modernize it
You have probably heard of the 3-2-1 rule. In plain language, keep three copies of your data, on two different types of storage, with one copy offsite or offline.
Microsoft recommends applying the 3-2-1 rule for maximum protection and availability in its ransomware backup planning guidance. (Microsoft Learn)
Many vendors and practitioners now extend that baseline to include immutability and verification. Veeam, for example, discusses expanding the classic approach with an immutable copy and validation to reduce ransomware risk and increase restore confidence. (Veeam Software)
You do not have to adopt any specific vendor’s label for it. The buyer takeaway is simple: your design should include both an isolated copy that attackers cannot change, and a repeatable way to confirm you can actually restore.
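The baseline above can be checked mechanically against a backup inventory. The following is an added example, not part of the original guide or any vendor's tooling: the `Copy` and `System` records, their field names, and the sample inventory are assumptions made for illustration, and the 90-day test window stands in for a quarterly restore test.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Copy:
    media: str       # storage type, e.g. "disk", "object", "tape"
    offsite: bool    # stored away from the primary site
    offline: bool    # unreachable from the production environment
    immutable: bool  # cannot be changed or deleted during retention

@dataclass
class System:
    name: str
    rpo: timedelta              # agreed maximum data loss
    backup_interval: timedelta  # how often backups actually run
    copies: List[Copy]          # every copy, production data included
    last_restore_test: Optional[datetime]

def audit(s: System, now: datetime, max_test_age=timedelta(days=90)) -> List[str]:
    """List the gaps against 3-2-1 plus an immutable copy and a recent restore test."""
    gaps = []
    if len(s.copies) < 3:
        gaps.append("fewer than 3 copies")
    if len({c.media for c in s.copies}) < 2:
        gaps.append("fewer than 2 storage types")
    if not any(c.offsite or c.offline for c in s.copies):
        gaps.append("no offsite or offline copy")
    if not any(c.immutable for c in s.copies):
        gaps.append("no immutable copy")
    if s.backup_interval > s.rpo:
        gaps.append("backup interval exceeds RPO")
    if s.last_restore_test is None or now - s.last_restore_test > max_test_age:
        gaps.append("no restore test inside the test window")
    return gaps

# Constructed inventory: the "nightly to a USB drive" plan versus a fuller design.
NOW = datetime(2024, 6, 1)
usb_plan = System("fs01", timedelta(hours=4), timedelta(hours=24),
                  [Copy("disk", False, False, False), Copy("usb", False, False, False)], None)
hybrid = System("sql01", timedelta(hours=1), timedelta(minutes=30),
                [Copy("disk", False, False, False), Copy("disk", False, False, False),
                 Copy("object", True, False, True)], datetime(2024, 5, 1))

if __name__ == "__main__":
    for system in (usb_plan, hybrid):
        print(system.name, audit(system, NOW) or "meets baseline")
```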
Decide what “restore” needs to look like
Backup products love to advertise backup speed. Buyers should care more about restore options.
Here are the common restore modes you should validate in demos and proof of concept testing:
File and folder restore
Fast recovery for accidental deletion, user mistakes, and small-scale incidents.
Full system recovery
Bring back a server or workstation after hardware failure or corruption.
Image-based recovery for virtual machines
Often the fastest path to bring services back online.
Granular restores for Microsoft 365
Restoring a mailbox, a SharePoint site, or a Teams file without overwriting everything else.
Application-consistent recovery
For databases and transactional apps, you want backups that preserve integrity, not just copies of files.
Point-in-time recovery
Especially for ransomware, you may need to roll back to a clean point before encryption started.
When you compare solutions, ask the vendor to show how each restore works, how long it typically takes, and what prerequisites are required.
Ask these architecture questions before you buy
A backup platform is a combination of software, storage, identity, security controls, and monitoring. As you shortlist options, use questions like these to separate strong designs from “good enough on paper.”
Where do backups live
Onsite, cloud, or both. Hybrid designs are common, but clarity matters.
Is there immutable storage
If yes, how is it enforced, and who can override it?
Is there an offline or isolated copy
Air-gapped can mean physically disconnected, logically separated, or controlled by separate credentials. The key is that your production environment cannot easily reach it.
How are credentials protected
Do you support separate backup admin accounts, multifactor authentication, and role-based access control? If an attacker compromises your domain admin, do they automatically own your backups too?
How do you detect backup tampering
Look for alerting on mass deletion, encryption patterns, unusual retention changes, and failed jobs.
How do you handle encryption
Data should be encrypted in transit and at rest. Understand where keys live and who controls them.
How do you handle retention and legal hold
Retention is not just a checkbox. It has cost implications and compliance implications.
CISA’s ransomware guidance is a useful benchmark here because it reinforces the operational practices that make backups usable in a crisis, including offline storage and testing. (CISA)
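The tampering signals listed under "How do you detect backup tampering" can be expressed as simple rules over a backup platform's audit events. This is an added example, not from the original guide or any product: the event fields, action names, and thresholds are hypothetical, the sample events are constructed, and it covers mass deletion, retention reductions, and repeated job failures.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events; the field names are hypothetical, not a product schema.
def make_event(ts, actor, action, job, **extra):
    return json.dumps({"ts": f"2024-05-01T{ts}", "actor": actor,
                       "action": action, "job": job, **extra})

SAMPLE = [
    make_event("01:00:00", "svc-backup", "job_result", "fs01", status="success"),
    make_event("01:05:00", "svc-backup", "job_result", "sql01", status="failed"),
    make_event("02:05:00", "svc-backup", "job_result", "sql01", status="failed"),
    make_event("03:05:00", "svc-backup", "job_result", "sql01", status="failed"),
    make_event("03:10:00", "admin-x", "retention_change", "fs01", old_days=30, new_days=1),
] + [make_event(f"03:1{i}:30", "admin-x", "delete_restore_point", "fs01") for i in range(1, 6)]

def detect(lines, window=timedelta(minutes=10), delete_threshold=5, fail_streak=3):
    """Return (alert, subject) tuples for three tampering signals, in event order."""
    alerts, deletes, fails = [], defaultdict(list), defaultdict(int)
    for line in lines:
        e = json.loads(line)
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "delete_restore_point":
            # Keep only this actor's deletions that fall inside the sliding window.
            recent = [t for t in deletes[e["actor"]] if ts - t <= window] + [ts]
            deletes[e["actor"]] = recent
            if len(recent) == delete_threshold:
                alerts.append(("mass_deletion", e["actor"]))
        elif e["action"] == "retention_change" and e["new_days"] < e["old_days"]:
            alerts.append(("retention_reduced", e["job"]))
        elif e["action"] == "job_result":
            # A success resets the streak; alert once when the streak is reached.
            fails[e["job"]] = fails[e["job"]] + 1 if e["status"] == "failed" else 0
            if fails[e["job"]] == fail_streak:
                alerts.append(("repeated_failure", e["job"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Forwarding these alerts to a system outside the backup administrator's control keeps them visible even if the backup console itself is compromised.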
Do not skip testing, because untested backups are a risk
The hardest conversation we have with new clients is when backups exist, but restores fail. It is more common than most teams realize.
Testing should include:
Restore testing on a schedule
At minimum, quarterly for critical systems. Many organizations do it monthly.
Different restore scenarios
A file restore is not the same as a full environment recovery.
Documented runbooks
Who does what, in what order, with what credentials, and how long it should take.
Evidence and reporting
If you have cyber insurance requirements or compliance needs, you often need proof.
Microsoft’s ransomware backup guidance emphasizes backups as part of resilience after a breach, and the implication is clear: you need restores that are fast and dependable, not theoretical. (Microsoft Learn)
Evaluate operational fit, not just price
A backup solution can be affordable and still expensive if it creates operational drag.
As an MSP, here is what we look for when judging operational fit:
Centralized management and reporting
A single dashboard for job health, storage growth, failures, and restore activity.
Alerting that is actionable
If you get fifty alerts that do not matter, your team will miss the one that does.
Scalability
Can it grow with new sites, new workloads, and more data without redesigning everything?
Support for your environment
VMware, Hyper-V, Azure, AWS, NAS, databases, endpoints, Microsoft 365. Make sure it is real support, not “best effort.”
Clear licensing
Per workload, per user, per terabyte, or per socket. Licensing surprises are common in backup projects.
Integration with security operations
If you have a SOC or security monitoring, can backup events feed into your alerting and incident response process?
NIST’s contingency planning guidance frames recovery as an organizational capability tied to resiliency planning, which translates directly to day-to-day operations. Your backup tool must be maintainable, not just technically impressive. (NIST Computer Security Resource Center)
Common buyer mistakes we help clients avoid
Buying storage without designing recovery
Storage is only one part. RTO and restore workflows matter more.
Treating Microsoft 365 like it is automatically covered
Many organizations assume retention equals backup. They are different problems.
Using the same credentials everywhere
If production admin equals backup admin, ransomware has a straight line to your backups.
Not budgeting for bandwidth and egress
Cloud storage is not the whole cost. Restores can involve network limits and provider charges.
No ownership for testing
If nobody owns restore testing, it will not happen.
A practical shortlist process
If you want a simple buyer process, here is what we recommend:
- Define RPO and RTO targets for your top systems
- Inventory data types and locations
- Choose a baseline design that includes offsite and immutability
- Require a proof of concept that demonstrates restores, not just backups
- Validate security controls for backup admin separation and MFA
- Confirm reporting, alerting, and testing workflows
- Build a budget that includes storage, licensing, and ongoing operations
This approach keeps you focused on outcomes and reduces the risk of buying a tool that looks good until the day you need it.
Where Helixstorm fits in
At Helixstorm, we help organizations design backup and recovery around business requirements, security realities, and operational constraints. That includes selecting the right platform, implementing secure architecture, and building a testing and reporting rhythm that keeps you confident quarter after quarter.
If you want a second set of eyes on your current backup approach, or you are evaluating solutions and want help pressure testing the restore side, we can help you turn “we have backups” into “we can recover.”
