Backup and Disaster Recovery for Small Businesses: What You Actually Need

Why "We Have a Backup" Is Often Not True

The most common backup failure we see isn't a failed backup job — it's a backup that technically ran but can't actually be restored. A backup file that can't be restored isn't a backup. It's a false sense of security that costs you more than having no backup at all, because you don't feel the urgency to fix it.

Common scenarios that feel like backups but aren't:

• An external drive plugged in permanently — if ransomware hits, it encrypts the drive too
• Cloud sync (OneDrive, Dropbox, Google Drive) — syncing works both ways, so corrupted or encrypted files sync to the cloud within minutes
• A backup job that's been failing silently for months — no one checked the logs
• A backup that runs but has never been tested by actually restoring from it

If you can't answer the question "how long would it take us to be fully operational again after a complete server failure?" — you don't have a real disaster recovery plan.

What Actually Needs to Be Backed Up

Small businesses typically have several distinct categories of data, each with different requirements:

Business Files and Databases

Shared drives, accounting software databases (QuickBooks, Sage, etc.), CRM data, and any line-of-business application data. This is the core operational data your business runs on. It should back up continuously or multiple times per day — not just nightly.

Server System Images

A file-level backup of your data doesn't help if your server operating system is gone. System image backups capture the full environment — OS, applications, configurations, and data — so you can restore a complete working server rather than spending a day reinstalling Windows Server and reconfiguring everything from scratch.

Microsoft 365 and Cloud Data

This catches most businesses off guard: Microsoft 365 does not back up your email long-term. If an email or file in SharePoint is deleted — accidentally or by a disgruntled employee — Microsoft's native retention window is limited. Third-party M365 backup (Veeam, Acronis, Datto SaaS, or similar) is a separate service that most businesses should have and most don't.

Workstation Data

If employees store important files locally rather than on a file server or SharePoint, those need to be captured too. A server backup doesn't help if a key employee's laptop with two years of project files fails without warning.

The 3-2-1 Rule — Still the Right Baseline

The 3-2-1 backup rule is the standard minimum for any defensible strategy:

• 3 copies of your data
• 2 different storage media or locations
• 1 copy offsite

In practice for a small business: primary data on the server, a local backup to a NAS or backup appliance on-site for fast recovery, and an encrypted cloud backup offsite for disaster scenarios. All three copies need to be independently monitored — a backup that silently replicates corrupted data three times is still a corrupted backup.

Backup Frequency and Retention

How often you back up determines how much work you lose if you need to restore. How long you retain backups determines whether you can recover from a slow-developing incident like ransomware that sits dormant before triggering.

Practical minimums for small business:

• Critical business data: Hourly or continuous backup; 90-day retention minimum
• Server system images: Nightly; 30-day retention with monthly archives
• Workstation images: Weekly; keep last 4 versions
• M365 data: Daily backup via third-party tool; 1-year retention

If your current backup retains only 7 days of history and ransomware sits dormant for 10 days before encrypting your files, you have no clean restore point. Retention depth is not a luxury — it's what determines whether recovery is possible.

Ransomware Changes the Threat Model

Traditional backup was designed around hardware failure: a drive dies, you restore from backup. Ransomware is a fundamentally different threat, and it breaks traditional backup architectures in specific ways:

• Ransomware operators actively look for and destroy backup copies before triggering encryption
• Network-connected backup drives are encrypted along with everything else
• Cloud sync services propagate encrypted files before you notice anything is wrong
• Backup software running on an infected machine can be compromised before the backup runs

A ransomware-resilient backup strategy requires immutable backups — backup copies that can't be modified or deleted once written, even by an attacker with admin credentials. This means offsite cloud backup with object lock enabled, or air-gapped media that's physically disconnected between backup jobs. Without immutability somewhere in your backup chain, your backup strategy has a ransomware-shaped hole in it.

Testing Is the Part Everyone Skips

A backup that has never been restored from is untested, and untested backups fail when you need them. We routinely see businesses come to us after an incident where the backup had been "running for years" — but no one had ever verified a restore, and the backups had been failing silently for months.

At minimum, your backup strategy should include quarterly restore tests: actually pulling data from backup and verifying it opens correctly in the relevant application. For server image backups, this means spinning up a test restore in an isolated environment and confirming the OS boots and applications run. It takes time, but it's the only way to know your backup is real rather than theoretical.

How TechniWorX Manages Small Business Backups

TechniWorX deploys and manages backup solutions for small businesses across Chicagoland, Southern Wisconsin, and Northwest Indiana. We configure image-based server backup with immutable offsite storage, monitor backup job completion daily, and perform documented quarterly recovery tests. When a backup job fails, we know before you do — and we fix it before it matters.

If you're not confident your current backup would survive a ransomware event or a full server failure, get in touch. We'll review your current setup, tell you honestly what's covered and what isn't, and give you a clear picture of what your actual recovery time would look like today.