Most small businesses think they have backup figured out. They don't. Either the backup runs but nobody's tested a restore, or it's running to the same machine that holds the original data, or it stopped working three months ago and nobody noticed. Here's a practical framework that fits real small-business budgets and actually saves you when something goes wrong.
The 3-2-1 rule, in plain English
3 copies of your data. 2 different storage types. 1 copy off-site. That's it.
For a typical small business it looks like:
- Copy 1: The original — files on your work laptops, server, or cloud workspace
- Copy 2: A local backup on a different device (NAS, external drive, second computer)
- Copy 3: An off-site copy in cloud backup (Backblaze, Microsoft 365 backup, Google Workspace backup, or a dedicated SMB backup service)
The 3-2-1 rule isn't fancy. It's the minimum viable defense. Anything less and a single event — fire, flood, ransomware, theft — wipes you out.
Cloud apps are not backup.
Microsoft 365 and Google Workspace both have a "we keep your data safe" pitch on their marketing pages. That's true for hardware failure, mostly true for accidental file deletion, and absolutely not true for ransomware, malicious deletion by a former employee, or your account getting compromised and someone purging your inbox.
Microsoft and Google explicitly tell you: third-party backup is your responsibility. Tools like Datto SaaS Backup, Spanning, or Afi.ai cost a few dollars per user per month and back up your entire Microsoft 365 or Google Workspace tenant — including email, calendars, OneDrive/Drive, SharePoint sites, and Teams. That's the off-site copy you actually want.
Ransomware-resistant backups
The single most important property of modern small business backup is immutability — backups that can't be modified or deleted, even by an administrator, for a defined retention period. This is what stops ransomware from encrypting your backups along with your data.
You want your backup tool to support either:
- Air-gapped offline copies — backups physically disconnected from the network when not actively running
- Immutable cloud storage — backups written to storage that's read-only for a fixed retention period
Most reputable SMB backup tools (Datto, Veeam, Acronis, Backblaze Business) support immutability now. If your current backup solution doesn't, that's a real risk worth fixing this quarter.
Test: Ask your IT person — or yourself — "if my server got encrypted by ransomware tonight, can the attacker also delete or encrypt the backup?" If you don't know, the answer is probably yes.
What to back up (and what not to)
Yes, definitely back up:
- Email, calendars, contacts
- OneDrive, Drive, SharePoint, shared file storage
- QuickBooks files (Online + Desktop)
- Customer/client databases (CRM, EHR, case management)
- Anything regulatory — patient records, legal files, financial documents
- Configuration of critical systems — POS settings, network config, server snapshots
Probably skip:
- Operating system installs (you can reinstall)
- Software you can re-download
- Local Downloads folders (usually transient)
- Generic stock photos / vendor product images
Backing up everything sounds safe but balloons cost and slows restores when you need them most. Be deliberate.
The retention question
How far back do you need to be able to restore? For most small businesses:
- Email: 7 years if you're in a regulated industry, 3 years otherwise
- Files: 90 days of versions for active editing recovery, 1 year for archive
- Financial / accounting: 7 years (IRS standard)
- Email and files for departed employees: 1–3 years per HR/legal counsel
Restore testing — the part everyone skips
Backups that don't restore are theatre. The cheapest, highest-ROI thing you can do is, once a quarter, pick a random file from a random month, restore it, and verify it opens. Document who did it and when. Ten minutes a quarter. That's the difference between "we have backup" and "backup that works."
Once a year, do a bigger drill: simulate losing access to a primary system and walk through the restore process end-to-end. You'll find gaps you didn't know existed.
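The quarterly check above, written out as a small script: it hashes every file at backup time, later restores one randomly chosen file, proves it is byte-identical to what was backed up, and returns the log entry (who, when, which file, PASS/FAIL) for your restore-test calendar. This is example code added for this article, not a vendor tool; the MANIFEST.json format, the directory layout and the tester address are assumptions.

```python
# Quarterly restore test for the procedure above. Example code for this article,
# not a vendor tool: the MANIFEST.json format and directory layout are assumptions.
import hashlib, json, random, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "MANIFEST.json"

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir: Path) -> dict:
    """At backup time, record a SHA-256 per file so any restore can be verified."""
    manifest = {str(p.relative_to(backup_dir)): sha256_of(p)
                for p in backup_dir.rglob("*") if p.is_file() and p.name != MANIFEST}
    (backup_dir / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest

def restore_test(backup_dir: Path, restore_dir: Path, tester: str, seed=None) -> dict:
    """Restore one randomly chosen file, compare its hash with the manifest, and
    return the log entry (who, when, which file, PASS/FAIL) for the test calendar."""
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    rel = random.Random(seed).choice(sorted(manifest))
    restore_dir.mkdir(parents=True, exist_ok=True)
    restored = restore_dir / Path(rel).name
    shutil.copy2(backup_dir / rel, restored)  # the actual restore step
    ok = sha256_of(restored) == manifest[rel]
    return {"when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "who": tester, "file": rel, "result": "PASS" if ok else "FAIL"}

def demo(tester: str = "jane@example.com") -> list:
    """Constructed sample: intact run (PASS), then the same file corrupted in the backup (FAIL)."""
    root = Path(tempfile.mkdtemp())
    backup, restore = root / "backup", root / "restore"
    for rel, data in {"2024-03/invoices.xlsx": b"Q1 invoices (constructed)",
                      "2024-03/clients.db": b"client list (constructed)"}.items():
        (backup / rel).parent.mkdir(parents=True, exist_ok=True)
        (backup / rel).write_bytes(data)
    write_manifest(backup)
    first = restore_test(backup, restore, tester, seed=1)
    (backup / first["file"]).write_bytes(b"bit rot or ransomware")  # damage the backup copy
    second = restore_test(backup, restore, tester, seed=1)
    return [first, second]

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A restore that "succeeds" but returns a damaged file is the failure mode the hash comparison catches; a plain copy-and-open check would miss it.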
What we typically deploy
For most of our small business clients in the DFW area, the backup stack is:
- Microsoft 365 or Google Workspace native + a third-party SaaS backup tool
- Local NAS (Synology) for shared file storage with versioning enabled
- Cloud backup (Backblaze B2 or similar) for the NAS — with object-lock immutability
- Documented quarterly restore-test calendar
Total cost: typically $50–200/month for a 10–30 person business. Not nothing, but small compared to the average ransomware ransom or the lost revenue from a multi-day outage.