Re: 'For instance, keep offline backups of your files'
Strange that you mention this, I left IT a few years ago to move into infosec but my old employer had two teams who worked in different areas but with the same equipment. Interestingly the only difference was the team leaders were permitted to decide upon backup strategy, I was one of those team leaders.
1. My old team:
Full weekly backup + diffs in between, every month one of these tapes is rotated to an off-site storage fireproof safe. Every 3 months a full bare metal restore takes place. We had 60 sites doing this, sounds like a lot of work but the restores were scripted and fairly minimal manual intervention was required except to double check the restoration worked correctly (about an hour's work in total x 20 per month in a team of 5).
2. Other team:
Monthly full backup plus differentials, all held in the cloud. Local backups taken every 3 months or so and held in fireproof safe (same one as I used). 6 sites (similar number of users to my rural sites).
You'll notice team 2 never tested backups, guess what happened? Yup, I ended up bailing them out 3 times in 5 years because my team were confident at carrying out restores during shit-hits-the-fan moments. We might have relied upon scripts but those were scripts my team wrote and updated between them over the course of a couple of years and they knew how to do it manually anyway.
Cloud backups are vulnerable but typically not testing backups is the bigger issue IMHO, particularly if you have staff turnover higher than normal. You need staff to be confident in making those restores so that when things do go wrong they aren't worried about that process.