
Primer:
Before we go any further, it helps to clarify something important. In the IT world, the word backup has a very specific meaning.
To many people outside of IT, backup means copying files somewhere else, maybe onto an external hard drive or another server. That’s a really good start, but it isn’t what professionals consider a complete backup strategy.
A backup has two critical characteristics:
- First, your data must exist in more than one location:
If the only copy of your data lives on the same server, in the same building, or even on the same network, then a single event (hardware failure, ransomware, fire, or theft) can destroy everything at once. Say goodbye to all that hard work!
- Second, a proper backup strategy preserves multiple points in time:
This means you don’t just have one copy of the data. You have historical versions that allow you to roll back to an earlier moment if something goes wrong.
Why does all of this matter?
Disasters rarely announce themselves in advance, and that is why they call them disasters. If you knew about them ahead of time, they would not be called disasters, would they?
What can happen with data:
- Data can be corrupted.
- Ransomware encrypts files slowly in the background before anyone realizes it’s happening.
- Mistakes get copied into the backup itself.
Without multiple recovery points, your backup may simply contain the same damaged data you’re trying to recover from.
This is why professional backup systems typically combine local backups for fast recovery with off-site backups for protection against larger disasters, and in some cases air-gapped backups as an extra precaution.
It’s not just about copying files. It’s about making sure there is always a good clean version of your data somewhere safe.
The Proverbial Green Check Mark:
Now that we understand what a proper backup strategy looks like, let’s talk about something that can be surprisingly misleading.
Many backup systems report their status using simple success indicators. Often that indicator is the proverbial green check mark next to the backup job.
When business owners see that green check mark, they believe everything is working.
- The backup ran – Good
- The system reported success – Good
- Everything must be fine – Awesome, I am protected
Unfortunately, that green check mark only tells you one thing: the backup job completed.
It does not guarantee that the data being backed up is healthy, usable, or recoverable in the event of a disaster, and this is where things can go very, very wrong.
Arnold Consulting DR Experience:
Arnold Consulting has been designing and managing backup systems for businesses for more than 20 years. During that time, we’ve seen firsthand how many different ways data can be lost.
That’s why our approach goes beyond simply running backup software. We regularly test backups to ensure they are actually recoverable, and for organizations that cannot afford downtime, we deploy on-site BDR (Backup and Disaster Recovery) systems.
These systems allow a business to continue operating even if the primary server fails. In many cases, staff can keep working while the failed hardware is repaired or replaced — ensuring critical operations like payroll, accounting, and customer service are not interrupted.
A Lesson from the Field – When Backup Strategy Changes:
In this particular situation, the company originally had a fairly robust backup strategy in place, designed and implemented by Arnold Consulting.
The goal of the system was simple: create multiple layers of protection so that no single event could destroy the company’s data.
The System Included Several Safeguards:
- On-site backups for fast recovery if the server experienced hardware failure or accidental data deletion.
- Off-site backups to protect against building-level disasters such as fire, theft, or flooding.
- And an additional layer of air-gapped backups that were physically rotated every week.
Each Monday morning the external backup drives were swapped. One copy was retained by Arnold Consulting, and another copy was placed in the company safe.
Because these drives were not continuously connected to the network, they were effectively air-gapped most of the time.
The backup dock was connected to a timed power switch that automatically powered the drive on at a scheduled time on Sunday night so the backup could run. Once the backup completed, the switch would cut power to the dock again.
In other words, the drive was only connected to the system for a short window of time during the backup process.
This greatly reduced the likelihood that ransomware or other malicious software could reach it.
Because the drive in the company safe had been physically removed from the network, it remained untouched by any ransomware event.
The only remaining question would be how recent the clean backup was.
In this case, the safe contained a full backup taken the previous Sunday. If the ransomware attack happened later in the week, the business would still have a clean copy of its data from that Sunday.
Depending on when the infection occurred, the amount of lost data could vary. In the worst case, the company might lose several days of work. In the best case — if the attack happened early in the week — the data loss could be very small.
But the critical point is this: the business would still have a reliable path to recovery.
And when ransomware is involved, having a known clean copy of your data — even if it’s a few days old — is often the difference between recovering your systems and losing everything.
This type of layered approach ensured that even if something unexpected happened to the production server, there would always be a clean version of the company’s data available somewhere else.
The Company Made the Decision:
At some point, the company made the decision to move away from the backup system previously managed by Arnold Consulting. Like many businesses looking to control costs, they chose to move to a different and less expensive backup approach.
Backup systems often feel like insurance. You pay for them month after month and rarely think about them again. When budgets get tight, it can be tempting to simplify things or look for a cheaper solution.
Unfortunately, the true value of a backup system is usually discovered on the day it is actually needed. Eventually, that day arrives for every company; you just don’t know when.
The Morning of Disaster:
One morning the employees came into the office and immediately realized something was wrong. Documents wouldn’t open, and shared folders were inaccessible. Critical files that had worked perfectly the day before were suddenly unreadable. The server had been hit with ransomware, and large portions of the company’s data had been encrypted.
Naturally, the first question everyone asked was the same question that gets asked in almost every situation like this:
“We have backups?” And the answer appeared to be yes. The backup software was still reporting that the backup jobs had run successfully. The dashboard showed the familiar reassuring message, “Backup completed successfully,” and right next to it was the comforting green check mark.
At first glance, everything looked fine. However, that green check mark was about to become something very different.
The Green Check Mark of Death:
When the company checked their backup system after the ransomware attack, the dashboard still showed something reassuring. The backups had run. The system reported successful backup jobs, complete with the familiar green check mark.
At first glance, it appeared the company might still be protected. However, the green check mark was only confirming one thing: the backup job completed.
It said nothing about whether the data inside those backups was still usable.
In this case, the ransomware didn’t just encrypt the company’s production files.
Because the backup infrastructure remained fully accessible on the network, the ransomware was also able to reach and encrypt the backup repository itself. The storage holding the backup data — along with parts of the backup infrastructure supporting it — became encrypted as well.
That meant the system lost both the working data and the environment designed to restore it. However, the situation was actually worse than that. Even if the backup repository had not been encrypted, the most recent backup jobs had already captured the encrypted files from the server. In other words, the system had faithfully backed up the problem.
The company was facing a triple failure:
- The production files were encrypted.
- The backup repository had been encrypted.
- And the most recent backups contained copies of already-encrypted data.
Even if the backup storage had been fully accessible, restoring those backups would simply have restored encrypted files. The green check mark was still there, but the backups themselves were no longer usable.
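The failure described above, where every job reports success while the newest recovery points hold already-encrypted files, can be caught by comparing the contents of consecutive recovery points. The following is an added example, not Arnold Consulting's tooling or any backup product's code; the thresholds, file names and sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

ENTROPY_LIMIT = 7.5    # bits per byte; assumed threshold, encrypted data sits near 8.0
ALERT_FRACTION = 0.3   # assumed: flag a point if 30% of its files look freshly encrypted

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess(previous: dict, current: dict) -> dict:
    """Compare two recovery points, each a {path: content} mapping."""
    suspect = []
    for path, data in current.items():
        old = previous.get(path)
        if old == data or entropy(data) < ENTROPY_LIMIT:
            continue                      # unchanged, or still looks like normal data
        if old is None or entropy(old) < ENTROPY_LIMIT:
            suspect.append(path)          # new or rewritten file that now looks random
    fraction = len(suspect) / max(len(current), 1)
    return {"suspect": sorted(suspect), "fraction": fraction,
            "clean": fraction < ALERT_FRACTION}

def last_clean_point(points: list) -> str:
    """points: [(label, files), ...] oldest first; the first point is the trusted baseline."""
    clean_label = points[0][0]
    for (_, prev), (label, cur) in zip(points, points[1:]):
        if not assess(prev, cur)["clean"]:
            break
        clean_label = label
    return clean_label

def _noise(seed: bytes, blocks: int = 128) -> bytes:
    """Constructed stand-in for encrypted content: deterministic pseudo-random bytes."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(blocks))

# Constructed sample recovery points (not real backup data).
DOCS = {"payroll.csv": b"name,hours,rate\n" * 300,
        "notes.txt": b"Call the vendor on Monday.\n" * 200,
        "archive.zip": _noise(b"zip")}   # legitimately compressed, high entropy from the start
SUNDAY = dict(DOCS)
TUESDAY = {**DOCS, "notes.txt": DOCS["notes.txt"] + b"Order toner.\n"}
THURSDAY = {name: _noise(name.encode()) for name in DOCS}   # every file rewritten as noise
POINTS = [("sunday", SUNDAY), ("tuesday", TUESDAY), ("thursday", THURSDAY)]

if __name__ == "__main__":
    print(assess(TUESDAY, THURSDAY), last_clean_point(POINTS))
```

Entropy cannot tell compressed data from encrypted data, which is why the check only counts files that were readable in the previous point and look random now. It narrows down which recovery point to restore from; a test restore is still what proves the data is usable.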
We are fine – We are in the Cloud!
One of the most common things I hear from business owners today is this: “We’re fine — everything is in Microsoft 365.”
Services like Microsoft 365 provide excellent availability and collaboration tools, but they are not designed to function as a full backup strategy.
In fact, Microsoft’s own documentation makes this point clear. Their platform operates on what’s known as a shared responsibility model. Microsoft is responsible for keeping the service running, but customers remain responsible for protecting and backing up their own data.
That means if data is accidentally deleted, corrupted, or encrypted by ransomware, Microsoft’s built-in retention features may not always provide the recovery options businesses expect.
In other words, storing data in the cloud does not automatically mean that the data is fully protected.
Cloud services are an important part of modern business infrastructure, but they still require proper backup and recovery planning — just like any other system.
Because whether your data lives on a server in your office or in a cloud platform somewhere else, the question when disaster strikes is always the same: do you still have a clean copy of your data somewhere safe, somewhere other than the cloud?