Published: 14 July 2026 | By AOLC
You have a backup system in place. The software runs nightly. The logs show green. You feel reasonably confident that if something went wrong, you could get your data back.
But when did you last actually test whether those backups can be restored? For most South African businesses, the honest answer is "never" — or "a long time ago." And that is a serious problem. Because a backup you cannot restore is not a backup at all. It is false confidence, and it will fail you at exactly the moment you can least afford it.
Industry data consistently shows that between 30% and 50% of restore attempts from untested backups fail. The data exists — but when a crisis hits, it cannot be recovered.
Why Testing Your Backups Matters.
A backup that has never been tested is an assumption. And in IT, untested assumptions have a way of failing at the worst possible moment — during a ransomware attack, a hardware failure, or a natural disaster. Here is what actually goes wrong when businesses skip testing:
- Silent corruption — Backup files can become corrupted over time without anyone noticing. A failed write, a virus, or gradual storage degradation can damage backup data invisibly. Regular testing catches this before disaster strikes.
- Software version mismatches — A database backed up with version X may not restore cleanly on version Y. If your software has been updated since the last backup test, your restore procedure may need updating too.
- Configuration drift — Your recovery environment may no longer match your production environment. Differences in settings, permissions, or dependencies can cause a restore to fail even when the data itself is intact.
- Missing documentation — The person who built your backup system may have moved on. The person who needs to restore has never done it before. Regular testing creates a practised, documented procedure that anyone can follow under pressure.
58%
of South African businesses that experienced significant data loss had backups in place — they simply could not restore from them when it counted.
How Often Should You Test?
Not all businesses have the same risk profile or the same backup environment. Use this framework as a practical starting point based on your organisation size:
| Business Size |
File Restore Test |
Full System Restore |
DR Simulation |
| Small (< 20 users) |
Monthly |
Quarterly |
Annually |
| Medium (20–100 users) |
Bi-weekly |
Monthly |
Bi-annually |
| Large (100+ users) |
Weekly |
Monthly |
Quarterly |
Beyond size, two South African factors should push your testing frequency up — not down:
- Load shedding — Every power interruption creates a potential corruption event for servers without proper UPS or generator protection. If your area has experienced extended outages, test more often.
- POPIA compliance — Under the Protection of Personal Information Act, you have a legal obligation to protect personal data. Untested backups that fail to restore constitute a data protection failure. If your backups contain personal information, quarterly testing at minimum is a defensible compliance position.
Three Levels of Backup Testing.
There is not just one type of backup test. A robust programme combines three levels, each on a different schedule:
Level 1: File Restore Test (Monthly)
Restore a random sample of individual files — a document, a spreadsheet, a database record — from the most recent backup. Confirm the files open correctly and match the last-known-good version. This takes 15–30 minutes and catches the most common failure mode: corrupted or incomplete backup files. It is the minimum any business should be doing.
Level 2: Full System Restore (Quarterly)
Restore an entire system — a server, virtual machine, or critical application — to a test environment. Confirm it boots correctly, that services start, that data is accessible, and that integrations such as email or database connections function as expected. This takes several hours and should be documented step by step so the process is repeatable by anyone on your team.
Level 3: Disaster Recovery Simulation (Annually)
A full DR exercise. Take a non-critical system or department completely offline and execute your disaster recovery plan from scratch as though the crisis were real. Time it. Document the gaps. Update the plan based on what you find. Many businesses are surprised to discover their actual recovery time is two or three times longer than their plan assumed.
Tip
The 3-2-1 rule still applies — 3 copies, on 2 different storage types, with 1 offsite. Your testing programme should cover all three copies, not just the primary backup. An offsite copy that has never been tested is the most dangerous false assurance of all.
What to Document During Each Test.
Testing without documentation is barely better than not testing at all. Every backup test should produce a written record covering:
- Test date and who ran it — For accountability and to identify gaps in your testing schedule.
- What was restored — Specific files, systems, or databases, and the backup date they were restored from.
- Restore start and completion time — This gives you your actual RTO (Recovery Time Objective), which may be very different from your theoretical one.
- RPO confirmed — How old was the most recent backup that could be successfully restored? This is your actual Recovery Point Objective.
- Errors or warnings — Any anomalies observed during the restore, even if the overall result was successful.
- Corrective actions — What needs to be fixed before the next test or before a real disaster occurs.
This documentation matters for two reasons. It gives you a baseline to measure improvement against, and it provides evidence of due diligence if you ever face a POPIA investigation or an insurance claim following data loss. Insurers and regulators increasingly expect businesses to demonstrate active backup management — not just passive backup operation.
R1.5M
average cost of a significant data loss event for a South African SME — including downtime, recovery, staff time, and reputational damage. An untested backup can make a bad situation catastrophic.
South African Considerations You Cannot Ignore.
South African businesses face specific challenges that make backup testing more critical than in stable environments elsewhere in the world:
- Load shedding and hardware degradation — Extended power outages accelerate storage hardware wear and create more write-corruption events. Businesses running on-premise servers without adequate UPS protection should test their backups more frequently — and should seriously consider cloud backup as a resilient alternative that is not subject to the same physical risks.
- Ransomware exposure — South Africa has one of the highest ransomware incident rates on the continent. Immutable backups — snapshots that cannot be encrypted or deleted by ransomware — are essential. But they must be tested to confirm they are genuinely unaffected by an encryption event, not just that they exist.
- POPIA and the Information Regulator — If your backups contain personal information about employees, customers, or suppliers, the Information Regulator expects you to demonstrate that data can be recovered and that you are actively managing it. Untested backups undermine that claim. Document every test as though a regulator might ask to see it — because one day they might.
- ISP connectivity for cloud backups — If your backup solution relies on cloud replication over a local broadband connection, test what happens during periods of congestion or ISP instability. A backup that normally uploads in two hours may take six during peak periods, silently extending your RPO without anyone noticing.
If your IT provider has never mentioned backup testing, or cannot show you a restore test report from the last 90 days, that is a gap in your service — not a minor oversight.
Where to Start.
If you have never tested your backups — or if it has been more than three months — start here this week:
- Step 1: Identify your backup system — Whether it is Veeam, Acronis, Azure Backup, BackupAssist, or another solution, know what you have and where the restore function lives.
- Step 2: Run a file restore test today — Pick five random files from last week's backup. Restore them to a test location. Confirm they open correctly. Document the result.
- Step 3: Set recurring calendar reminders — Monthly file restore, quarterly full-system restore. Put them in the calendar now before this slips.
- Step 4: Establish your RTO and RPO targets — How long can your business afford to be down? How much data can you afford to lose? If these targets do not exist in writing, create them. They anchor every subsequent decision about your backup strategy.
- Step 5: Brief your team — At least two people in your organisation should know how to initiate a restore. Knowledge that lives in one person's head is a single point of failure.
If this list feels overwhelming, that is a signal that your backup strategy needs professional attention — not a reason to delay. The best time to discover a problem with your backups is during a scheduled test. The worst time is during an actual outage, with revenue on the line and customers waiting.
Get a Free Backup Health Check.
Not sure whether your backups can actually be restored? AOLC will assess your backup environment and tell you exactly where the gaps are — no obligation.
Book a Free Assessment
← Back to Blog