A Backup Strategy for SMBs That You Actually Test
A backup you've never tested isn't really a backup. The 3-2-1 principle, regular restore tests, and knowing which data matters most — the recipe for a plan that actually works.
The truth every IT veteran knows: "we have backups" means nothing. "We have backups that we test every month" is a completely different story.
The 3-2-1 Principle
- 3 copies of important data.
- 2 different media types.
- 1 copy off-site (a different physical location, or cloud storage in a different region).
Data Prioritisation
- Tier 1 (must survive, critical): accounting records, CRM data, client documents. Daily backup, off-site copy, restore within 4 hours.
- Tier 2 (important): email archive, project documents. Daily backup, restore within 24 hours.
- Tier 3 (nice to have): old archives, marketing materials. Weekly backup.
Sources to Back Up
- M365 / Google Workspace: use a dedicated M365 backup tool (Veeam, Backupify). Microsoft does not back up everything for you.
- Accounting software: use the export function or enable automatic cloud backup.
- On-premises server drives: Acronis, Veeam.
- Laptops: OneDrive sync plus an additional backup of user folders.
Monthly Restore Test
Pick a random file from a backup taken 2 days ago. Can you restore it successfully? Do this every month. Document the test in your log.
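One way to script the monthly restore test described above, as an added example rather than code from the original article. The manifest.json layout, the function names, and the plain file copy standing in for your backup tool's restore command are all assumptions.

```python
import csv, hashlib, json, random, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path):
    """Hash in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def restore_test(snapshot_dir, log_path, rng=random):
    """Restore one random file from a snapshot, verify it, log the result.
    Assumed layout: manifest.json maps relative paths to SHA-256 hashes
    recorded at backup time; the copy stands in for your tool's restore.
    """
    snapshot_dir = Path(snapshot_dir)
    manifest = json.loads((snapshot_dir / "manifest.json").read_text())
    rel_path = rng.choice(sorted(manifest))
    with tempfile.TemporaryDirectory() as scratch:
        try:
            restored = shutil.copy2(snapshot_dir / rel_path, scratch)
            ok = sha256_of(restored) == manifest[rel_path]
            detail = "hash matches" if ok else "hash mismatch"
        except OSError as exc:  # a missing or unreadable file fails the test
            ok, detail = False, f"restore error: {exc.strerror}"
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with open(log_path, "a", newline="") as fh:
        csv.writer(fh).writerow(
            [stamp, snapshot_dir.name, rel_path, "PASS" if ok else "FAIL", detail])
    return ok, rel_path

def build_sample_snapshot(root, corrupt=False):
    """Constructed sample data: a two-file snapshot plus its manifest."""
    files = {"finance/ledger.csv": b"2024-01-31,invoice,100\n",
             "crm/clients.json": b'{"clients": []}\n'}
    manifest = {}
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"damaged" if corrupt else data)
        manifest[rel] = hashlib.sha256(data).hexdigest()
    (Path(root) / "manifest.json").write_text(json.dumps(manifest))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_snapshot(tmp)
        print(restore_test(tmp, Path(tmp) / "restore-log.csv"))
```

A FAIL row in the log is the useful outcome of this test: it means the backup job reported success but the data would not have come back intact.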
Ransomware Scenario
Backups connected to your network can be encrypted along with everything else during a ransomware attack. Air-gapped backups (offline or in a separate account/tenant) are your insurance policy. At least 1 off-site copy must not be reachable online by an attacker.
See also: incident response, security pillar.
Full guide: Security for SMBs Without an IT Department: What Do You Do This Quarter?
This article is part of our comprehensive Security Without an IT Department guide. Read the pillar for the complete picture.