Backup conversations in small businesses tend to go one of two ways. Either someone has a NAS drive in the corner that runs nightly backups and they feel covered, or they've moved everything to Microsoft 365 and assume Microsoft is backing it up. Both positions carry significant risk.
A proper backup strategy isn't complicated, but it does require understanding what you're protecting against.
What You're Actually Protecting Against
Backup isn't one scenario — it's several quite different scenarios that require different solutions:
- Hardware failure — a server or workstation fails. You need a recent copy of the data on different hardware.
- Ransomware — malicious software encrypts your data and demands payment. You need a backup that the ransomware couldn't reach and encrypt along with everything else.
- Accidental deletion — someone deletes or overwrites a file. You need a backup recent enough to contain the correct version, and a restore capability that can target a specific file.
- Site disaster — fire, flood, or theft destroys your on-site IT. You need a copy of the data held off-site.
- Corruption — data is corrupted gradually, often without anyone noticing until they try to use it. You need backup history going back long enough to find an uncorrupted version.
No single backup approach protects against all of these adequately.
The Limits of Local Backup
A local backup — NAS, external drive, second server — addresses hardware failure and accidental deletion well. It's fast to restore from, which matters. It does not address ransomware (a ransomware infection that gets to your NAS encrypts both your live data and the backup), and it doesn't address site disaster.
The Limits of Cloud-Only
Microsoft 365 retains deleted items for 30-93 days, depending on the version and on how the user has managed their recycle bins. This helps with accidental deletion but not with ransomware (which will encrypt files that then sync to the cloud), and OneDrive/SharePoint version history can be disabled or tampered with.
A separate cloud backup — not just relying on Microsoft's native retention — is necessary to protect against ransomware scenarios. Backup providers like Veeam, Dropsuite, or Acronis offer Microsoft 365 backup that maintains a separate, immutable copy.
Pure cloud backup without any local copy is slow to restore at scale. Recovering 500GB of data from cloud backup over a business internet connection takes days. That's often acceptable for a disaster recovery scenario, but not for recovering from a hardware failure where you need to be operational the same day.
What a Good Backup Strategy Looks Like
The 3-2-1 rule: three copies of your data, on two different media, with one off-site. In practice for a small business:
- Local backup to a NAS or backup server, running nightly or more frequently for critical data
- Cloud backup of the same data to a separate cloud provider, with immutable retention settings
- Test restores monthly — not just checking that the backup ran, but actually restoring files and verifying they work
The last point is where most backup strategies fail. A backup that has been running for two years without a test restore is an assumption, not a safety net.
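One way to turn a monthly test restore into a pass/fail check, as an added example that is not from the original article: record a SHA-256 manifest of the live data at backup time, restore to a scratch folder, and compare. The function names and the sample files are assumptions made up for the illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # chunked, so large files are fine
            h.update(block)
    return h.hexdigest()

def build_manifest(root):  # run at backup time: relative path -> SHA-256
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root):
    """Check a test restore against the manifest and sort every file into a bucket."""
    report = {"ok": [], "missing": [], "mismatch": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(restored_root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)    # the job "ran" but the file is not there
        elif sha256_file(full) != expected:
            report["mismatch"].append(rel)   # restored, but the content differs
        else:
            report["ok"].append(rel)
    return report

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed sample data: a live tree and a deliberately damaged restore."""
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as restored:
        _write(live, "accounts.csv", b"id,total\n1,100\n")
        _write(live, "quote.txt", b"Quote 42\n")
        _write(live, os.path.join("hr", "rota.txt"), b"Mon: A\n")  # never restored
        _write(restored, "accounts.csv", b"id,total\n1,100\n")
        _write(restored, "quote.txt", b"\x00" * 9)  # same size, wrong content
        return verify_restore(build_manifest(live), restored)

if __name__ == "__main__":
    print(demo())
```

A size or file-count comparison would pass the damaged `quote.txt` in this sample; only the content hash catches it, which is the gap between "the backup ran" and "the restore works".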