I need to tell you about a conversation I had last year with a property management firm that thought they had off-site backup. Their office manager was taking home an external hard drive every Friday night and bringing it back Monday morning. When I asked them what would happen if there was a fire in the office on a Tuesday, they suddenly realized their “off-site” backup was sitting in a drawer ten feet from the server it was supposed to be protecting.
This is more common than you’d think. Lots of businesses believe they have off-site backup when what they actually have is backup that occasionally leaves the building but spends most of its time in the same disaster zone as their primary data.
What Off-Site Actually Means
Off-site backup means your data is stored in a location that is geographically separate from your primary location and would not be affected by any disaster that could reasonably hit your main office. The point is to protect you from localized disasters: fires, floods, theft, ransomware, power surges, angry former employees, and all the other ways that everything in one physical location can be destroyed or compromised simultaneously.
According to FEMA’s disaster statistics, 40% of businesses never reopen after a disaster, and another 25% fail within one year. Off-site backup is your insurance policy against being in those statistics.
Cloud backup is genuinely off-site. When your data is stored in a data center in another state, a fire in your office doesn’t touch it. A flood in your building doesn’t reach it. Ransomware that encrypts every computer on your network can’t encrypt data that’s not connected to your network at that moment.
The Problems with ‘Portable’ Off-Site Backup
The external hard drive that goes home with an employee seems like a reasonable approach, and it’s better than nothing, but it has some serious problems that most businesses don’t think about until it’s too late.
First, it’s only off-site part of the time. If your disaster recovery planning assumes you always have an off-site backup available, but that backup is actually in the building 70% of the time, your plan has a 70% chance of failing when you need it.
Second, portable drives get lost, damaged, or stolen. They get left in cars that get broken into. They get knocked off desks. They get erased accidentally. They get run over in parking lots. I’ve seen all of these happen. Kroll Ontrack’s data recovery statistics show that portable drives have a 25% higher failure rate than stationary drives, primarily due to physical damage from transport and handling.
Third, and this is the big one that nobody thinks about, portable drives that get plugged into your network regularly can be compromised by ransomware just like everything else on your network. If your backup drive is connected to an infected computer when the ransomware decides to encrypt everything it can reach, congratulations, your backup just got encrypted too.
The Ransomware Problem with Connected Backups
Modern ransomware is sophisticated. According to Sophos’s State of Ransomware 2024 report, 94% of ransomware attacks attempt to compromise backups. They specifically look for backup drives, backup software, and cloud backup credentials. The entire point is to make sure you can’t recover your data without paying the ransom.
This is why business continuity planning requires truly isolated off-site backup. If your backup can be accessed from your network, it can potentially be compromised from your network. Cloud backup services that use immutable storage or versioning can protect against this. A backup drive that never connects to your network can protect against this. A backup drive that plugs in every Friday is vulnerable.
What Actually Counts as Off-Site
Cloud backup with a reputable provider absolutely counts. Services like Backblaze, Carbonite, Datto, or Veeam’s cloud offerings store your data in professional data centers that are geographically distant from your location. They use redundant storage across multiple facilities, so even if one data center has a problem, your data still exists somewhere else.
Tape backups that are physically stored off-site count. Some firms still use tape drives and rotate tapes to a safe deposit box or storage facility. This is old school, but it works. The tapes are genuinely off-site, genuinely disconnected from any network, and genuinely protected from local disasters.
Replication to a second office location can count, if you actually have a second office location that’s far enough away to not be affected by the same disaster as your primary location. A second office across town works for fire or theft. A second office in the same building does not work for anything.
The Hybrid Approach That Actually Works
For most professional services firms I work with, the answer is a hybrid approach. You keep local backup for fast recovery from common problems like accidental deletions or hard drive failures. You keep true off-site backup in the cloud for disaster recovery. And you test both regularly to make sure they actually work.
The local backup gets you back up and running in hours when someone accidentally deletes an important folder. The off-site backup gets you back up and running in days when your office floods and destroys all your hardware. Different tools for different scenarios, both important.
This is what professional disaster recovery planning looks like. Not just having backup, but having the right kinds of backup in the right locations for the right purposes. It’s not exciting. It’s not sexy. But it’s what keeps your business alive when everything goes wrong.
Quick and Easy
True off-site backup must be geographically separated from your primary location and protected from the same disasters. Cloud backup meets this requirement while portable drives that regularly connect to your network don’t, as modern ransomware specifically targets connected backup devices during attacks.
A client forwarded me a message from her internet provider a few weeks back. It warned that certain router brands might have security issues and suggested she consider upgrading to a managed service. She wanted to know if she should be worried.
I looked at the message and told her two things. First, the warning is real and the underlying concern is legitimate. Second, the way this particular company wrote it was deliberately vague, designed to create just enough unease to push her toward paying for something she may or may not need. The two facts are not mutually exclusive, and that combination is worth unpacking.
What Started the Questions
On March 23, 2026, the FCC added all foreign-manufactured consumer-grade routers to its Covered List, which effectively bans new models from being imported or sold in the United States. The ruling cited documented cyberattack campaigns, most notably the Salt, Flax, and Volt Typhoon operations, where foreign-produced routers in homes and small offices were used as entry points to attack critical US infrastructure.
The brands affected read like a shopping list at Best Buy: TP-Link, Netgear, Asus, Linksys, Eero, Google Nest WiFi. All of them. Because virtually every consumer router on the market is manufactured outside the United States, the ban essentially covers the entire category of new product introductions until manufacturers either establish US-based production or receive individual conditional approval from the Department of Homeland Security.
Netgear has already received an exemption. Eero received conditional approval through October 2027. TP-Link, which holds roughly 65 percent of the US home router market, is still working through the process.
What This Does Not Mean
Before anyone calls me to ask if they need to throw their router in the trash, let me be direct: if you already own one of these devices and it is running fine, you are not required to do anything immediately. The FCC ruling grandfathers existing equipment. You can keep using your current router legally and indefinitely.
The ban prevents new foreign-made models from receiving FCC authorization going forward. What it does not do is criminalize the router sitting on your credenza right now.
There is, however, one real deadline buried in this that most of the coverage has glossed over. Manufacturers on the covered list have until March 1, 2027 to issue firmware updates to existing devices. After that date, unless they have secured a conditional approval, they cannot push software patches to devices already in the field. Which means a router that is fine today may gradually become a security liability as vulnerabilities emerge and fixes are no longer permitted.
Why This Matters for Your Business
What most business owners are not thinking about is the part I find most relevant for the professional services firms I work with.
The router sitting in your office is probably not the one that concerns me most right now. Business-grade networking equipment used in professional environments is generally managed differently and held to a higher standard than what you find in a consumer retail package.
What I am thinking about is the router in your employee’s home office.
You have probably had people working remotely for years now. They are accessing your systems, your client files, and your email through whatever networking equipment they set up in their living room. A lot of it is exactly the kind of foreign-manufactured consumer hardware that is now at the center of this national security discussion. Much of it has not been updated, assessed, or evaluated by anyone with any technical accountability for your business’s security.
I tell clients all the time: your security perimeter is not the four walls of your office anymore. It extends into every home where someone logs into your network. If that connection is running through a device with documented vulnerabilities and no path to a security patch after March 2027, that is a gap worth addressing.
My Honest Take
I have been watching the concerns around foreign-manufactured networking equipment for a long time. The documented attacks and vulnerabilities are real. Whether the current political moment is driving the timing of this particular ruling is a separate conversation I will spare you.
What I will say is that this is a good time to have someone take an honest look at your network, including your remote workers’ home setups, and give you a realistic assessment of where you actually stand. Not a sales pitch dressed up as a security warning. Just a straight answer about what you have, what the risks are, and what, if anything, you should actually do about it.
That is the conversation I am always happy to have.
Quick and Easy
The FCC banned new foreign-manufactured consumer routers in March 2026, citing documented national security threats. Existing devices are legally protected for now, but a March 2027 deadline for firmware updates means routers from affected manufacturers could become security liabilities. For professional services firms, the immediate priority is evaluating remote employee home networks, not just office infrastructure.



