Small business backup: if it isn't backed up, it doesn't exist

Here's the whole thing in one line: a small business backup that lives in one place, or that just syncs to the cloud, will not save you. You need three copies, two kinds of storage, one of them offsite and out of reach of the machine that gets infected. That's the 3-2-1 rule, and it's the difference between a bad Tuesday and the end of the business. Most owners think they're covered because "a backup's running." Then a drive dies, or ransomware locks the lot, and they find out the backup was the same disk, or a synced folder that got encrypted too, or a job that quietly stopped working in March. This is the plain-English version: what a real backup is, why the obvious setups don't count, and how I'd build one that survives the day your PC gets owned.

One copy is not a backup

The file on your laptop is the original. A backup is a second, separate copy you can go back to. If your only copy of the quotes, the invoices and the photos of every job is on the one drive in the one machine, you don't have a backup. You have a single point of failure with a folder structure. Drives fail without warning, laptops get stolen out of utes, and a power surge after a storm can take the PC and the external drive plugged into it in the same instant. Treat anything that lives in exactly one place as already lost, because the day it goes, that's how it'll feel.

The 3-2-1 rule, in plain English

You don't need a server room to be safe. You need three numbers:

  • 3 copies. The live one you work on, plus two backups. More copies, more chances to recover.
  • 2 different types of storage. Don't trust one basket. An internal drive plus a NAS, or a NAS plus cloud: two different technologies that won't fail the same way at the same time.
  • 1 copy offsite. Out of the building. This is the one that survives the fire, the flood, the break-in, and the ransomware that crawls across your office network.

That's it. It's not a product, it's a shape. A small shop can hit 3-2-1 with the PC, a cheap network drive and a cloud bucket, and be better protected than a business paying a fortune for one fancy appliance that's still sitting in the same room as everything else.

The trap everyone falls into: sync is not backup

This is the one I'd put over every desk in the country. OneDrive, Dropbox, Google Drive: they sync. Your files are mirrored, near-instantly, everywhere. That's brilliant for working across a laptop and a phone, and it is not a backup, because it mirrors your mistakes just as faithfully as your work.

Delete the wrong folder and it vanishes from the cloud within seconds. Let ransomware encrypt your documents and the encrypted versions sync straight up, overwriting the good ones. The cloud did its job perfectly: it kept everything in sync, including the disaster. A backup is a separate, point-in-time copy you can roll back to. If your "backup plan" is a synced folder, you have a sync plan and no backup. Some of these services keep a short version history or recycle bin, but it's capped and brief, and not something to bet a business on. Use sync for convenience; keep a real backup underneath it.

Design for the day the PC gets owned

Here's the test I'd hold every backup to: assume the main PC is already compromised, ransomware running with full admin. Can it reach your backup and destroy it? If yes, you don't have a backup, you have a bigger target.

Modern ransomware is not dumb. It doesn't just encrypt the C: drive and stop. It enumerates every mapped drive, every network share, every NAS the machine can write to, and it goes for the backups first, because the crooks know an unreachable backup is the one thing that lets you tell them to get stuffed. A USB drive left permanently plugged in gets encrypted with everything else. A NAS share the PC can write to gets encrypted too. So the copy that actually saves you is one the infected machine cannot touch. A few honest ways to get there:

  • Air-gapped: a drive that's only connected while the backup runs, then physically unplugged. Crude, cheap, and it works, because malware can't encrypt a disk that isn't plugged in.
  • Immutable / write-once cloud: object storage with an object-lock setting, where a copy, once written, literally cannot be altered or deleted until a retention window passes, not even by an admin with stolen credentials.
  • Versioned, pull-based: backup storage that keeps previous versions and is pulled by the backup system rather than written to by the PC, so an infected workstation has no path to reach in and wipe history.

Build for the bad day on purpose. The whole point of a backup is the worst day, so design it for the worst day, not the day everything's fine. The deeper how-to on this exact problem is its own piece: a backup that ransomware can't touch.

The Australian reality: the NBN upload problem

Most backup advice is written as if everyone has fat symmetrical fibre. We don't. On a typical NBN plan your upload speed is a fraction of your download, often single-digit megabits, and a backup is almost entirely upload. That changes the maths.

The honest implication: the first full backup of years of files to the cloud can take days, grinding away in the background and choking your connection. After that, a good backup only sends what changed, which is small and fine on any link. So the practical pattern for an Aussie small business is a fast local backup for everyday speed, where restoring a deleted file from a drive in the office is instant, plus a cold cloud copy that does the slow offsite job quietly. If your upload is genuinely painful, seed the first cloud backup by posting a drive, or just accept the initial run takes a week and let it. Don't let the upload problem talk you out of an offsite copy: it's the one that matters most.

How I'd actually set it up, in order

Start at the top and stop when you're covered. You can do most of this for the price of a drive.

  1. Work out what you can't lose. Accounting file, customer records, quotes, the photos, email. You probably don't need the whole machine, you need the data that is the business. That keeps the backup small, fast and cheap.
  2. Decide how much you can afford to redo. If losing a day's work is survivable, nightly is fine. If it isn't, go hourly. Set that gap deliberately, not by accident.
  3. Get a fast local copy. A NAS or a dedicated external drive in the office, running automatically. This is your everyday safety net for the daily "I deleted the wrong thing."
  4. Add the offsite copy. A cold cloud backup, or a drive you rotate home each week. This is the one that survives the building. Don't skip it because the first upload is slow.
  5. Make at least one copy untouchable. Immutable cloud storage, or a drive that's only plugged in during the backup. This is your answer to ransomware. Without it, a clever infection can take all your copies at once.
  6. Automate it, then test the restore. A backup that needs a human to remember will be weeks stale on the day it matters. Automate the job, then actually restore a file from it on a schedule, because an untested backup is a guess.

If you'd rather own the whole thing than rent it, this runs beautifully on cheap hardware you control, and the plain household version of the rule is the same shape scaled down. When the business depends on the systems staying up, not just the data surviving, that's a step further, into hosting designed to fail over instead of falling over.

Test the restore, or you don't have a backup

The cruellest failure in this game is the silent one. The backup light is green for two years. The job "ran." Then the day comes, you go to restore, and the archive is corrupt, or the drive died quietly last winter, or the job stopped working months ago and nobody noticed because nobody ever looked. A backup you have never restored from is not a backup. It's a hope with a schedule. So test it: pick a real file and a whole folder, restore them to a fresh location, and open them. Do it once a quarter at least. It takes ten minutes, and it's the only thing that turns "we have backups" into "we can actually recover."

What "covered" actually looks like

A protected small business isn't an expensive one, it's a designed one. Three copies of the stuff that matters. Two kinds of storage so one failure can't get both. One copy offsite, and one copy the infected machine can never reach. Automated so it doesn't depend on anyone's memory, and tested so it isn't depending on luck. Set up like that, a dead drive or a ransomware note stops being a catastrophe and becomes an afternoon: wipe, restore, back to work. That's the entire point. This piece is the foundation of our backup and resilience guides: start here, then go as deep as your business needs. The next steps in the same series cover two-factor authentication setup and securing a lost or stolen device remotely.

Small business backup: common questions

What is the 3-2-1 backup rule for a small business?
Three copies of your data, on two different types of storage, with one copy kept offsite. The live file on your PC is one; a second copy on a separate drive or NAS in the office is two; a third copy off the premises is the one that survives a fire, a theft or a flood. It's the floor for a small business backup, not the ceiling, and most businesses don't even hit the floor.
Is a synced cloud folder like OneDrive or Dropbox a backup?
No. Sync mirrors your files in close to real time, so it faithfully mirrors a mistake or an infection too. Delete a folder, or let ransomware encrypt your documents, and within minutes the cloud copy is deleted or encrypted as well. Sync is for working across devices. A backup is a separate, point-in-time copy you can roll back to. They're different jobs and a small business needs both.
How does a small business backup protect against ransomware?
Only if the backup is out of reach of the infected machine. Ransomware encrypts everything the PC can write to, including mapped drives and a NAS share, and modern strains wipe backups first. The protection comes from a copy the PC can't touch: air-gapped, an immutable cloud bucket, or versioned storage the malware can't delete. Design it for the day the PC gets owned, because that's the day you'll need it.
How often should a small business back up?
Ask how much work you can afford to redo. If losing a day is survivable, back up nightly; if it isn't, run it hourly. That gap is your recovery point, and most owners set it by feel and get it wrong in the optimistic direction. Whatever you pick, automate it: a backup that relies on someone remembering will be weeks stale on the day you need it.
Does a small business need offsite backup if it already has a NAS?
Yes. A NAS in the office is a great second copy, but it sits in the same building as everything it protects. A fire, a break-in, a surge or ransomware crossing the network takes the NAS with the PCs. The offsite copy exists for the event that destroys the premises. One location is one event away from nothing.
How do I know my small business backup actually works?
Restore from it. A backup you've never tested is a hope, not a backup, and the failure modes are quiet: a job that silently errored months ago, an unreadable archive, a dead drive. Pick a real file and a whole folder, restore them somewhere fresh, and confirm they open. Do it on a schedule. The worst time to find out your backup is broken is the morning you need it.

Not sure your current backup would actually come back? That's worth ten minutes before you find out the hard way. Tell us what you're protecting and we'll help you sanity-check it: no jargon, no scare tactics, no selling you storage you don't need.