Backup and Recovery Questions to Ask Any IT Firm Before You Sign


Most business owners ask their IT vendor one question about backups: “Do you do them?” The vendor says yes, the box gets checked, and everyone moves on. Then a ransomware attack hits or a server fails — and it turns out the backups were running but nobody ever tested a restore. Or the recovery takes four days when the business needed four hours. The backup and recovery questions that actually protect your company are the ones almost nobody asks until it is too late. Here are all six of them, along with the answers that should send you looking elsewhere.

Table of Contents

  1. Why Backups Fail Businesses (and Why Vendors Let Them)
  2. Question 1: What Is Our Recovery Time Objective, and Can You Hit It?
  3. Question 2: How Often Do You Actually Test a Restore?
  4. Question 3: Do We Have an Air-Gapped or Immutable Copy?
  5. Question 4: Who Is Accountable When a Restore Fails?
  6. Question 5: How Many Copies Do We Have, and Where Are They Stored?
  7. Question 6: What Does Recovery Actually Look Like on Day One?
  8. Answers That Should Make You Walk Away
  9. What Good Looks Like

Why Backup and Recovery Questions Matter — and Why Vendors Avoid Them


Every IT firm worth its contract runs some form of backup. That is not the problem. The problem is that backup is easy to start and easy to neglect. Jobs run silently in the background. Nobody looks at them unless something breaks. And when something breaks, the silence turns into a very expensive crisis.

The CISA Ransomware Guide explicitly calls out tested, offline backups as one of the most critical defenses against ransomware — not just backups, but tested ones and offline ones. That distinction matters enormously, and most vendors gloss right over it.

The six backup and recovery questions below are designed to cut through that gloss. They are not designed to trip up honest vendors. A firm that has built a real recovery program will answer every one of them confidently and specifically. Vague or defensive answers are data points.

Use these six backup and recovery questions as a hiring checklist before you sign any IT services contract.

Backup and Recovery Question 1: What Is Our Recovery Time Objective, and Can You Hit It?

A recovery time objective is the maximum amount of time your business can be offline before the damage becomes unacceptable. For a law firm, that might be 24 hours. For a healthcare practice processing patient appointments, it might be two hours. For a business with automated line controls, it might be 30 minutes.

Most business owners have never been asked to define this number. Most IT vendors have never asked. That is a serious problem, because backup configurations, storage choices, and recovery procedures all need to be built around a specific target. Without one, the vendor is building around whatever is cheapest and easiest to manage — not around what your business actually requires.

The answer you want to hear is a vendor who asks you the question before they answer it. They should want to know your recovery time target, validate whether it is realistic given your infrastructure, and then tell you exactly how they will hit it. A vendor who immediately says “we can get you back up in a few hours” without knowing anything about your environment is guessing.

The answer that should make you walk away: any version of “don’t worry, we’ll get you back up fast.” That is not an answer. That is reassurance engineered to close the deal.

Backup and Recovery Question 2: How Often Do You Actually Test a Restore?

This is the question that separates firms that run backups from firms that run recovery programs. A backup that has never been tested is not a backup. It is a backup-shaped object you are paying for and hoping works when your business depends on it.

Restore testing means taking a backup and actually recovering data or systems to a test environment, then verifying the data is complete, uncorrupted, and usable. This should happen on a defined schedule — quarterly at minimum, monthly for higher-risk environments. The results should be documented, and you should be able to see them.

The answer you want to hear: a specific testing schedule, a description of what gets tested, a format for the report you receive, and clarity on whether testing is included in your contract or billed separately.

The answer that should make you walk away: “We monitor the backup jobs and get alerts if something fails.” Monitoring job completion is not the same as testing recovery. A backup can complete successfully and still be unrestorable. If a vendor conflates these two things, they either do not understand the difference — or they are counting on you not knowing it.

Backup and Recovery Question 3: Do We Have an Air-Gapped or Immutable Copy?

Modern ransomware does not just encrypt your files. It is built to find and destroy your backups before it touches your primary data. If every backup copy is reachable from the same network that got hit, an attacker can wipe them all out. At that point, you pay the ransom or you lose your data. Neither is an acceptable outcome.

An air-gapped copy is a backup that is physically or logically disconnected from your live environment: a storage volume that is only connected during scheduled backup windows, or a cloud-based backup with immutability controls that block deletion or modification for a defined period. Properly configured immutable cloud storage can serve the same purpose as a physical air gap.

The answer you want to hear: a clear description of at least one backup copy that cannot be reached, encrypted, or deleted by ransomware that has already compromised your primary environment. The vendor should name the technology, explain the separation, and tell you how long that copy is retained.

The answer that should make you walk away: “All of our backups are in the cloud.” Cloud storage is not inherently protected. If the cloud backup account is accessible with credentials that could be compromised along with your other systems, it is not air-gapped. Cloud is a location, not a security posture.

Backup and Recovery Question 4: Who Is Accountable When a Restore Fails?

This is the uncomfortable question — and it is the one most business owners never think to ask. When a restore fails because of a corrupted backup, a misconfigured job, or a gap in coverage, who owns the outcome? What does your contract say the vendor owes you?

Many IT contracts limit vendor liability to the cost of service fees paid. That means if a failed restore costs your business $200,000 in lost revenue and recovery work, and you were paying $3,000 a month, the vendor may owe you very little in writing. You need to understand this before you sign, not after.

Accountability also extends to process. A strong backup program includes documented procedures that specify who does what, in what order, during a recovery event. It includes a single point of contact during a crisis and a post-incident review. If the vendor cannot describe that process, accountability is theoretical.

The answer you want to hear: a clear explanation of the recovery process, the escalation path during an incident, and an honest conversation about contractual liability. A firm that has thought this through will not be surprised by the question.

The answer that should make you walk away: “We stand behind our work.” That is a statement of character, not a contractual obligation. Ask what it means in writing.

Backup and Recovery Question 5: How Many Copies Do We Have, and Where Are They Stored?

The standard most backup professionals reference is the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored offsite. Many now advocate for a fourth requirement — one copy that is air-gapped or immutable. This is not jargon for its own sake. It reflects real-world recovery failures where single-copy or single-location strategies fell apart.

What this question is really asking: has your vendor thought about backup geography and redundancy as a deliberate strategy, or did they set up one job that goes to one place and call it done?

The answer you want to hear: a clear description of how many copies exist, where each one lives (on-premises, cloud, offsite physical media), what media type each uses, and how those locations relate to each other in a failure scenario. Bonus points if they explain how their approach handles a situation where both your office and your primary cloud target are affected at the same time.

The answer that should make you walk away: “Everything goes to the cloud.” One copy. One location. Likely no air gap. That is not a backup strategy — it is a backup habit.

Backup and Recovery Question 6: What Does Recovery Actually Look Like on Day One?

Abstract answers about retention windows and recovery capabilities do not help you on the morning after an attack when your entire team is sitting idle and your clients are calling. Ask the vendor to walk you through what actually happens — hour by hour — on day one of a recovery event.

Who calls whom? How quickly does your dedicated contact engage? Is there a pre-built procedure for your specific environment, or are they working it out in real time? What do your employees do while systems are being restored? Is a temporary working environment available? What gets restored first, and how is that sequence decided?

Our managed IT services approach starts with exactly these backup and recovery questions before any backup configuration is set. The recovery plan comes before the backup tool, because the tool exists to serve the plan — not the other way around. Learn more about how we approach cybersecurity and data protection for businesses of all sizes.

The answer you want to hear: a vendor who can describe a specific, rehearsed recovery sequence for your type of environment. They may not have every detail on a first call, but they should be able to describe the framework and tell you where the client-specific procedure gets built during onboarding.

The answer that should make you walk away: “We’ll cross that bridge when we come to it.” A recovery event is the worst possible time to improvise. If there is no documented process, they are planning to figure it out while your business bleeds.

Answers to Backup and Recovery Questions That Should Make You Walk Away

Here are the patterns that signal a vendor is not ready to be responsible for your recovery:

  • They cannot define your recovery time objective — or have never asked you to think about it.
  • They describe monitoring backup job completion as equivalent to testing restores.
  • They claim cloud storage is inherently protected without explaining immutability or access controls.
  • They offer reassurance instead of contractual specifics when you ask about accountability.
  • They describe a single-copy or single-location backup approach with no redundancy strategy.
  • They have no documented recovery sequence and no plan for what day one looks like.

None of these are trick questions. A firm that has built a real recovery program will answer all six backup and recovery questions without hesitation. A firm that has not will deflect, generalize, or reassure.

What Good Looks Like When You Ask the Right Backup and Recovery Questions

A mature backup and recovery program is not defined by the tool that runs the backup job. It is defined by the outcome it can reliably produce — measured in hours of downtime, data loss windows, documented test results, and a clear chain of accountability when something goes wrong.

Good vendors treat backup as a recovery program, not a checkbox. They build the configuration around your specific recovery time target and data sensitivity. They test restores on a schedule and share the results. They maintain at least one copy that ransomware cannot reach. They have a documented procedure for your environment and a clear escalation path during a crisis. They can tell you exactly who is accountable and what that means in practice.

For additional guidance on organizational resilience, the NIST Cybersecurity Framework provides a widely adopted standard for recovery planning — one that maps directly to the expectations you should hold any IT vendor to.

The gap between “we do backups” and “we will get your business back” is wider than most people realize. These six backup and recovery questions are how you measure that gap before you sign — when you still have options, not after an incident when you are out of them.

If you want a second opinion on whether your current backup setup would actually hold up, Book a Free Strategy Call with our team. Twenty minutes. No obligation. Just a straight answer.

Copyright © 2026. Website Design by Xact IT Solutions