Three months ago, a Melbourne accounting firm lost two weeks of client work because their backup system didn’t work the way they thought it did.

They had cloud backup. They’d been paying for it for 18 months. The files were supposedly syncing automatically. But when they needed to restore data after a ransomware incident, they discovered their backup was 6 weeks out of date and missing critical folders entirely.

The firm survived, but they spent $15,000 on data recovery specialists and countless hours reconstructing work. All because they assumed “cloud backup” meant they were protected.

I’ve spent the past few months talking to small businesses about their actual backup practices—not what they think they have, but what’s actually configured and tested. The gap between perception and reality is scary.

The “It’s in the Cloud” Myth

Here’s the most dangerous misconception: “Our data’s in the cloud, so we don’t need backup.”

If you’re using Microsoft 365, Google Workspace, or similar cloud services, your data is stored on their servers. That protects you from local hardware failure, but it doesn’t protect you from:

• Accidental deletion (user clicks delete, it’s gone)
• Ransomware encryption (if your account gets compromised)
• Malicious data corruption by a rogue employee
• Service provider data loss (rare but not impossible)

Cloud storage isn’t backup. Backup means having a separate, recoverable copy that’s protected from these scenarios.

Microsoft 365 keeps deleted files for 30-90 days depending on your license. After that, they’re permanently gone. If you discover a problem three months later, you’re out of luck unless you have separate backup.

What Small Businesses Actually Need

A working backup strategy for a small business needs three things:

1. Automated, scheduled backups that happen without human intervention. If your backup depends on someone remembering to do it, it won’t happen consistently.

2. Version history so you can restore files from specific points in time. This protects against ransomware that encrypts files gradually over days or weeks.

3. Regular testing to confirm backups actually work. The time to discover your backup is broken is not when you desperately need to restore data.

Everything else—specific tools, storage locations, retention periods—should support these three core requirements.

The 3-2-1 Rule Still Applies

The classic backup guidance is 3-2-1:

• 3 copies of your data (original + 2 backups)
• 2 different storage media types
• 1 copy stored off-site

For small business in 2026, this might look like:

• Original data: Microsoft 365 / Google Workspace
• Backup 1: Cloud-to-cloud backup service (Veeam, Datto, Backupify)
• Backup 2: Local NAS device or external drive

The off-site component is satisfied if one backup is cloud-based. The different media requirement is satisfied by having both cloud and local storage.

You don’t need enterprise-grade infrastructure. You just need intentional redundancy.

Cloud-to-Cloud Backup Services

For businesses using Microsoft 365 or Google Workspace, dedicated backup services fill a critical gap.

These services connect to your cloud accounts and create separate backup copies with extended retention (typically 1-7 years) and granular recovery options.

Popular options for Australian SMBs:

• Veeam Backup for Microsoft 365 - $15-25/user/year, comprehensive recovery options
• Datto SaaS Protection - $3-5/user/month, integrated with Datto’s broader platform
• Backupify - Budget option, basic functionality but decent for small teams

These aren’t free, but we’re talking $300-$1,000/year for a 15-person business. Compare that to the cost of losing critical data.

One firm I spoke with uses Veeam for their Microsoft 365 environment. They’re managing business AI solutions for clients, meaning data loss would be catastrophic. The backup service gives them point-in-time recovery going back 5 years. When a staff member accidentally deleted an entire shared folder last month, they restored it in 10 minutes with no data loss.

That’s $400/year well spent.

Local Backup for Critical Files

Cloud-to-cloud backup protects against cloud service issues, but local backup gives you fast recovery for hardware failures or accidental deletions.

A simple NAS device (Network Attached Storage) can provide automated backup for critical local files and serve as secondary backup for cloud data.

Entry-level NAS suitable for small business:

• Synology DS220+ - ~$400, 2-bay NAS, excellent software
• QNAP TS-253D - ~$450, similar capabilities, different interface
• WD My Cloud EX2 Ultra - ~$300, budget option, less features

Add two 4TB drives in RAID 1 (mirroring), and you’re looking at $600-$800 total for a local backup solution that’ll last 4-5 years.

Configure nightly backups of critical folders to the NAS. Most modern NAS devices can also pull cloud data (Microsoft 365, Google Drive) locally for redundancy.

What About USB Drives?

External USB drives are better than nothing, but they’re not a reliable primary backup strategy.

Problems with USB backup:

• Requires manual connection and remembering to run backup
• Drives fail, often without warning
• Single drive provides no redundancy
• Easy to accidentally delete or format

If you’re going to use USB drives, do it right:

• Use two drives alternating weekly
• Store one off-site (take home, safe deposit box)
• Use automated backup software (not manual file copying)
• Replace drives every 2-3 years

This works for very small operations (1-3 people), but cloud or NAS backup is more reliable as you grow.

Backup Frequency and Retention

How often should you back up? How long should you keep backups?

Daily backup is the baseline for business data. If you can only afford to lose one day of work, back up daily.

Continuous backup (real-time syncing) is ideal for critical files but generates huge volumes of data and costs more.

Retention period depends on your industry and risk profile:

• Minimum: 30 days (protects against recent deletions)
• Standard: 90 days-1 year (catches most problems)
• Extended: 3-7 years (compliance, legal, or comprehensive protection)

Longer retention costs more storage but provides better protection against slowly-developing problems (ransomware that sits dormant, gradual data corruption, disputes over historical documents).

Testing Your Backup

Here’s the uncomfortable truth: most small businesses have never tested their backup recovery process.

They assume it works. They’re paying for it, after all. But until you’ve actually restored data from backup, you don’t know if it works.

I recommend quarterly restore tests:

1. Pick a non-critical folder or file set
2. Delete it from production
3. Restore from backup following the actual recovery process
4. Confirm everything restored correctly
5. Document how long it took and any problems encountered

This takes 30 minutes per quarter and provides huge peace of mind. You’ll also discover issues (missing folders, configuration problems, unclear recovery procedures) when there’s time to fix them, not during an emergency.

The Ransomware Consideration

Modern ransomware specifically targets backups. If attackers can encrypt your backup along with your production data, you’ve got no recovery option.

Protection strategies:

Immutable backups - Once written, backup data can’t be modified or deleted for a set period. Many cloud backup services offer this as an option.

Air-gapped backups - Physical disconnect between production systems and backup. For small business, this might be the USB drive you take home weekly.

Multi-factor authentication on backup systems. Attackers can’t delete cloud backups if they can’t log in.

Separate credentials for backup services. Don’t use the same admin account for everything.

These aren’t paranoid measures. I’ve personally seen three small businesses hit by ransomware in the past year. The ones with properly isolated backups recovered in days. The ones without lost weeks of work or paid ransom.

Cloud Backup Doesn’t Mean Automatic

Biggest lesson from talking to dozens of small businesses: setting up cloud backup doesn’t mean it’s working.

You need to:

• Verify which files/folders are actually included in backup scope
• Check that backup jobs are running successfully (not silently failing)
• Confirm backup data is actually readable and restorable
• Monitor backup storage usage (growing as expected, or static suggesting problems)
• Update backup configuration when you add new systems or data sources

One business I spoke with had Dropbox Business and assumed all their files were backed up. Turns out they’d hit their storage limit 8 months earlier, and new files weren’t syncing. Nobody noticed because there was no alert.

Set calendar reminders to review backup status monthly. It takes 10 minutes and catches problems before they matter.

What I’d Recommend

For a typical Australian small business (5-25 people, using Microsoft 365 or Google Workspace):

Minimum viable backup:

• Cloud-to-cloud backup service ($300-$1,000/year)
• Monthly restore testing
• Quarterly full backup review

Better backup:

• Cloud-to-cloud backup service
• Local NAS with nightly backups of critical files ($600-$1,200 upfront)
• Weekly offline backup (USB drive taken off-site)
• Quarterly restore testing

Comprehensive backup:

• Cloud-to-cloud backup with extended retention
• Local NAS with automated cloud pull
• Weekly offline backup
• Monthly restore testing + annual disaster recovery drill

The right level depends on your risk tolerance and what data loss would cost your business.

Final Thoughts

Data backup is one of those things that feels like unnecessary expense until you need it. Then it’s priceless.

The good news: small business backup doesn’t require enterprise budgets. A few hundred dollars per year and some intentional planning gets you solid protection.

The bad news: it won’t happen automatically. Someone needs to own this, configure it properly, and verify it’s working.

Don’t learn about backup gaps the hard way. Test your backups now, while you don’t urgently need them.

Because the time you discover your backup doesn’t work shouldn’t be the moment you need it most.