Skip to main content
Backup & Recovery

Your data, always recoverable, always protected.

Automated backups, immutable storage, and tested recovery plans so a ransomware hit or accidental deletion never becomes a business-ending event.

RPO < 1hr
Recovery point objective
RTO < 4hr
Recovery time objective
3-2-1
Backup rule enforced
What's included

A complete service, run by people.

Automated backups

Scheduled backups with configurable frequency hourly, daily, or continuous across endpoints, servers, and SaaS.

Immutable storage

Air-gapped and immutable backup copies that ransomware cannot encrypt, modify, or delete.

Rapid recovery

Restore individual files, full systems, or entire environments with guided recovery playbooks.

Multi-environment coverage

On-premises servers, cloud workloads, Microsoft 365, Google Workspace, and endpoints all in one platform.

Retention management

Configurable retention policies to meet legal, compliance, and insurance requirements.

Recovery testing

Quarterly recovery drills with documented results so you know it works before you need it.

Ransomware Defense

What makes a backup ransomware-proof

Not all backups survive a ransomware attack. Operators know that standard cloud sync and snapshot-based backups are reachable from the same compromised credentials used to encrypt your production data. A ransomware-proof backup architecture requires layered controls that remove attacker access to your recovery path entirely.

  • 3-2-1-1-0 rule — Keep at least three copies of data, on two different media types, with one copy offsite, one copy offline or air-gapped, and zero unverified backups. The original 3-2-1 rule predates ransomware; the extra "1" (offline) and "0" (verified) are what close the gaps attackers exploit against standard cloud-synced backups.
  • Immutable storage — Object-lock or WORM (write-once, read-many) storage prevents any process — including malware running as a domain admin — from deleting or overwriting backup data before the retention period expires. Azure Immutable Blob Storage, AWS S3 Object Lock, and purpose-built backup appliances all support this. Immutability must be set before an attack occurs; it cannot be applied retroactively.
  • Air-gapped copy — An air-gapped backup has no live network path from your production environment. Tape rotated offsite, a physically disconnected appliance, or a cloud vault with no API credentials stored in your network all qualify. Air gaps stop credential-based attacks cold: even if an attacker dumps every password on your domain, they cannot reach the recovery copy.
  • Backup account isolation — Backup service accounts and management consoles must not share credentials with Active Directory or your primary cloud tenant. Attackers routinely pivot from a compromised endpoint to backup infrastructure within hours of initial access. Separate identity providers, separate MFA enrollment, and no password reuse are non-negotiable.
  • Tested recovery, not assumed recovery — A backup that has never been restored is not a backup — it is a hope. Monthly restore tests of a rotating sample of systems, documented with actual RTO measurements, are the only way to know whether your recovery window is achievable. Many SMBs discover backup software misconfigurations only during a live incident.
  • Encryption in transit and at rest — Backup data must be encrypted before it leaves your environment. Vendor-managed encryption is insufficient if the vendor is also compromised. Customer-managed keys (CMK) stored outside the backup environment ensure that a breach of the backup platform does not expose plaintext data.
  • Ransomware-specific recovery testing — Standard DR tests restore a system from a clean failure. Ransomware recovery is different: you must determine the point of initial compromise, ensure the restore target is clean, validate that malware is not present in the backup image itself, and confirm that all restored systems are patched before reconnecting them to the network. These steps must be documented and rehearsed annually at minimum.
Canadian Compliance

Data retention and backup obligations for Canadian SMBs

Canada's federal private-sector privacy law, PIPEDA (the Personal Information Protection and Electronic Documents Act), does not prescribe specific backup retention periods, but it creates an indirect obligation that directly shapes how SMBs must approach data management. PIPEDA's breach notification regulations — in force since November 2018 — require organizations to report a breach to the Office of the Privacy Commissioner of Canada when there is a real risk of significant harm to individuals. Demonstrating that a ransomware event did not result in unauthorized access to personal information requires evidence: audit logs, access records, and ideally the ability to point auditors to a clean restore point that predates the compromise. Without a properly retained and tested backup, a ransomware event almost always triggers mandatory OPC notification, even when data exposure is uncertain.

Industry-specific regulations layer additional requirements on top of PIPEDA. Ontario's Personal Health Information Protection Act (PHIPA) governs health information custodians — clinics, physiotherapy practices, dental offices, and any business handling patient data — and requires that records be retained for a minimum of ten years from the last entry, or until a minor patient reaches age eighteen. Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25 / Bill 64), fully in force as of September 2023, introduces explicit risk assessment obligations and a 72-hour notification window to the Commission d'accès à l'information that is considerably tighter than the federal standard. Payment processors operating under PCI DSS must retain cardholder transaction logs for twelve months and must be able to produce them on demand during a forensic investigation. These obligations cannot be met if backup retention policies are set to thirty or sixty days.

Cyber insurers in Canada have significantly tightened their underwriting requirements following the 2020–2022 ransomware surge. Major carriers including Intact, Aviva, and Northbridge now require documented evidence of backup controls as a condition of coverage. Specifically, most current policies require: immutable or air-gapped backups, backup accounts not accessible via standard Active Directory credentials, and documented restore test results dated within the past twelve months. Policies with incomplete backup documentation are either declined, rated up significantly, or issued with ransomware sub-limits that cap recovery payments at a fraction of actual costs. A managed backup program that generates monthly test reports and stores them outside the production environment serves both your recovery needs and your insurability.

The practical retention minimum for a Canadian SMB that wants to be defensible on all three fronts — PIPEDA, sector regulation, and cyber insurance — is ninety days of daily backups, twelve months of weekly backups, and seven years of monthly archives for any data touching personal health or financial records. These retention tiers map to the restore scenarios most commonly required: the ninety-day daily tier covers ransomware recovery (most ransomware dwell times are under sixty days); the twelve-month weekly tier covers regulatory audit requests and contract disputes; and the seven-year monthly archive covers PHIPA and PCI retention minimums. Storage costs for a typical SMB at these retention levels are a fraction of the premium increase that results from inadequate backup documentation.

Recovery Playbook

How a Quantm-managed ransomware recovery works

Ransomware recovery is not a single action — it is a sequenced set of decisions made under time pressure. The steps below reflect the order of operations Quantm follows on every engagement. Deviating from this sequence — particularly by rushing to restore before containment is confirmed — is how organizations get re-encrypted within 48 hours of paying a ransom.

  1. 1
    Detection and scope assessment

    The first priority is understanding what was hit. Quantm's monitoring stack correlates endpoint telemetry, backup job failures, and file-system change-rate anomalies to identify the scope of encryption within minutes of the first alert. We identify Patient Zero (the initially compromised device), the blast radius (all encrypted or potentially compromised systems), and whether the attacker still has an active foothold. Scope assessment takes 30–90 minutes and drives every subsequent decision.

  2. 2
    Network isolation and credential reset

    Affected systems are isolated at the network layer — not just shut down — to prevent continued exfiltration while preserving memory artifacts for forensics. All privileged account passwords are rotated immediately, including service accounts, backup accounts, and any credentials found in password managers or browser stores on compromised endpoints. If Active Directory shows signs of compromise (new admin accounts, modified GPOs, DCSync activity), we treat the entire domain as untrusted and begin parallel domain recovery procedures.

  3. 3
    Clean recovery environment preparation

    Before any data is restored, the recovery destination must be verified clean. This means deploying restore targets from known-good OS images — not snapshots of the compromised environment — and confirming that the network segment used for recovery has no path back to the infected environment. This step is often skipped by organizations attempting self-recovery, which explains why re-infection during restoration is one of the most common ransomware recovery failures.

  4. 4
    Backup integrity validation and restore point selection

    Quantm validates backup integrity before beginning the restore. For each system in scope, we test-mount the candidate backup image, run malware scanning against the mounted volume, and verify that the backup predates the earliest evidence of attacker activity. If the selected restore point tests positive for malware (which occurs in roughly 15–20% of incidents where dwell time exceeded 30 days), we step back to an earlier restore point and repeat validation. This process adds hours but prevents restoring a pre-encrypted but already-compromised image.

  5. 5
    Phased restoration and validation

    Restoration proceeds in priority order: identity infrastructure and core networking first, then business-critical applications, then endpoints. Each restored system is validated for functionality and malware-free status before being reconnected to the network. Business owners are briefed at each phase boundary on RTO progress versus the baseline estimate established during scope assessment. For most SMBs on Quantm-managed backup infrastructure, critical systems are operational within 4 hours of beginning the restore phase.

  6. 6
    Root cause remediation and OPC reporting assessment

    Once operations are restored, we conduct root cause analysis to identify and close the initial access vector. Common findings include unpatched VPN appliances, compromised MFA bypass configurations, and phishing-derived credentials. We also prepare the PIPEDA breach notification assessment: documenting what personal information was in scope, the likelihood that it was accessed or exfiltrated, and whether mandatory OPC reporting applies. This documentation is produced within 72 hours of incident containment and is suitable for submission to the OPC, your insurer, and affected individuals if required.

Outcomes

What changes after week one.

You'll feel the difference fast fewer alerts, faster response, and a clearer picture of where your real risk lives.

  • Recover from ransomware in hours, not weeks
  • Eliminate single points of failure with geographically distributed copies
  • Prove recoverability to insurers, auditors, and your board
  • Meet HIPAA, PCI, and SOC 2 data retention requirements automatically
  • End the guesswork monthly reports show every backup job's status
How it works

From kickoff to coverage in days.

Step 01
Inventory

We catalogue every data source that needs protection.

Step 02
Configure

Backup schedules, retention rules, and recovery objectives set to your needs.

Step 03
Protect

Automated jobs run and are verified daily alerts fire on any failure.

Step 04
Test

Quarterly recovery drills with documented RTOs to prove the plan works.

FAQ

Common questions, answered.

The things buyers ask us most about scope, onboarding, and what you'll see in your monthly report.

Ask us anything

Know your data is recoverable before you need it.

We'll map your current backup gaps and show you exactly what a ransomware event would cost you today.