Solid plan means redundancy, not just copies. Spread the backups across multiple sites, and make sure each one has a different vulnerability—one on a different ISP, one in a secure vault, one on a physical drive you keep in a safe. Use versioning so you can roll back to a known good state, and test restores regularly. And if you’re lucky, your firewalls will still be up when the attackers come. If they’re not, at least your data isn’t sitting on the same server they’re attacking.

Yeah, a tiny cloud slice is fine—just keep it isolated from the main network, no more than a single firewall rule can reach it. Integrity checks are a must; run them on a schedule that beats the typical corruption cycle. Don’t let the backup become the new target; treat it like any other asset. And if it all fails, have a plan B that’s even simpler than your backup strategy.