If you find yourself wondering that, you’ve probably already had that tiny frisson of fear: What if
we lose everything? The short answer: back up more than you think you might need because
the day you’ll need it is always the day after you should’ve had it.
The truth is that for most small U.S. businesses, you mainly need to track:
- Critical systems (accounting, POS, critical databases): hourly snapshots, daily incrementals, weekly fulls, and a monthly archive kept for 12–84 months (regulatory-dependent).
- Email & collaboration (Microsoft 365/Google Workspace): daily backup with versioning, and point-in-time restore if possible.
- User laptops/desktops: daily backup, with at least 90 days of versions.
- Immutable off-site copy: one or more copies that cannot be altered (object lock/WORM), stored off-site or in another cloud account.
- Test restores each quarter (light ones each month), and after any major system change.
That’s the pragmatist solution. Here is how to apply it in your firm in a few easy steps, with an
example and gotchas to watch out for.
First, decide what “often enough” is (RPO & RTO)
Two little numbers control your schedule:
RPO (Recovery Point Objective): How much data you can afford to lose if you need to recover. If your POS losing 60 minutes of data is not acceptable to your business, your RPO is one hour, and backups for that system need to run at least hourly.
RTO (Recovery Time Objective): How quickly you need to be back up and running. If payroll has to be recovered within two hours, your process and equipment need to be able to recover in that timeframe.
Write these numbers down for every system. This gets you out of sloppy “regular backups” talk and into hard targets.
5-step cadence builder
1. Organize your systems
Accounting, POS, CRM, file server/SharePoint/Drive, email, website, any databases, line-of-business applications, and endpoints (laptops/desktops).
2. Group by criticality
Tier 1 (can’t run the business without it).
Tier 2 (important but survivable for a day).
Tier 3 (reference/archive).
3. Assign RPO/RTO per tier
Tier 1: RPO 1 hour, RTO same day.
Tier 2: RPO 24 hours, RTO 1–2 days.
Tier 3: RPO 1 week, RTO flexible.
4. Select methods that satisfy the numbers
Local + cloud for speed and safety.
Snapshots/versioning for quick rollbacks.
Image-level server backups; file-level and cloud syncing for users.
Immutable storage for ransomware resilience.
5. Set retention that accommodates regs and reality
Real World Schedule
Suppose a 25-employee company has QuickBooks, Microsoft 365, a cloud CRM, a small SQL database for inventory, and an on-premises NAS.
Servers & databases (QuickBooks, SQL, NAS shares)
- Nightly incremental backups to local storage.
- Weekly full backups to local + cloud.
- Monthly archive to cloud with object lock for a minimum of 12 months.
- Retention: 90-day versions, 12 monthly, 7 annuals.
Microsoft 365 (Exchange/SharePoint/OneDrive/Teams)
- Daily SaaS backups with item-level restore (emails, files, sites).
- Retention: 365 days of versions, 12 monthly.
User devices (laptops/desktops)
- Daily file backups to cloud.
- Back up key folders by default (Desktop/Documents/Pictures); exclude temp/downloads to save space.
- Retention: 90 days of versions.
Website/WordPress
- Nightly database + weekly file backups, off-site (not on the same server).
- Store 30 days rolling + monthly for one year.
Immutable copy (ransomware insurance)
- WORM/object lock on the cloud bucket for weekly fulls + monthly archives.
- Use separate credentials for backup storage (no permanent admin).
Testing
- Monthly: restore one file and one mailbox.
- Quarterly: restore QuickBooks and the small SQL database to another machine.
- Keep all test results.
This covers 90% of SMB scenarios without spending an arm and a leg.
Cloud vs. local
Local restores the fastest (minutes), great for “I accidentally deleted a folder” or a dead drive.
Cloud/off-site saves you when the building catches fire, the NAS blows up, or ransomware rips through your network shares.
A real-life rule that works: 3-2-1
Keep 3 copies of your data on 2 media with 1 off-site copy.
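To turn the cadence builder, the example schedule and the 3-2-1 rule into something you can check rather than just intend, here is an added example (not part of the original article) that scores a system's plan against its tier RPO, the 3-2-1 rule and the immutability requirement. The tier RPOs come from the 5-step list above; the two systems, their copies and the job timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# RPO per tier, as set in step 3 of the cadence builder.
TIER_RPO = {1: timedelta(hours=1), 2: timedelta(hours=24), 3: timedelta(days=7)}

@dataclass
class Copy:
    media: str        # e.g. "nas", "object-storage"
    offsite: bool     # outside the building or in another cloud account
    immutable: bool   # object lock / WORM enabled

@dataclass
class SystemPlan:
    name: str
    tier: int
    copies: list          # backup copies (the live data is the third copy of 3-2-1)
    completed: list       # timestamps of successful backup jobs

def worst_gap(completed):
    """Largest interval between consecutive successful backups."""
    times = sorted(completed)
    return max((b - a for a, b in zip(times, times[1:])), default=timedelta(0))

def findings(plan):
    """Return human-readable gaps between a plan and the targets in this article."""
    out = []
    rpo = TIER_RPO[plan.tier]
    gap = worst_gap(plan.completed)
    if gap > rpo:
        out.append(f"RPO miss: worst gap {gap} exceeds tier {plan.tier} RPO {rpo}")
    if len(plan.copies) < 2:
        out.append(f"3-2-1: only {len(plan.copies)} backup copy (need 2 plus live data)")
    if len({c.media for c in plan.copies}) < 2:
        out.append("3-2-1: all copies on one media type (need 2)")
    if not any(c.offsite for c in plan.copies):
        out.append("3-2-1: no off-site copy")
    if not any(c.immutable for c in plan.copies):
        out.append("no immutable (object lock/WORM) copy")
    return out

# Constructed sample data: a Tier 1 POS with a 3-hour hole in its hourly
# snapshots and a single local copy, and Tier 2 NAS shares done properly.
T0 = datetime(2024, 5, 6, 0, 0)
POS = SystemPlan("POS", 1, [Copy("nas", False, False)],
                 [T0 + timedelta(hours=h) for h in (0, 1, 2, 5, 6)])
NAS_SHARES = SystemPlan("NAS shares", 2,
                        [Copy("nas", False, False), Copy("object-storage", True, True)],
                        [T0 + timedelta(days=d) for d in range(7)])
```

Run `findings(POS)` and `findings(NAS_SHARES)` for each system in your inventory; an empty list means the plan meets the targets on paper, which is still no substitute for the quarterly test restore.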
Don’t forget your SaaS data
Yes, you must back up Microsoft 365 and Google Workspace. They have great uptime; their retention policies are not backups. Users delete content, malware auto-deletes mail based on purge rules, and ransomware encrypts synced files. A third-party SaaS backup provides you with point-in-time recovery outside of recycle bin restrictions.
Pitfalls (and easy fixes)
Single backup site. One USB key is not a backup plan. Add cloud/off-site.
Ransomware-encrypted backups. If ransomware can reach the backups, it can encrypt or delete them. Use immutable storage and isolated credentials.
Never-tested restores. A backup you have never restored is a hope, not a strategy. Put test restores on the calendar.
Relying on sync as backup. OneDrive/Google Drive sync replicates changes, including the bad ones (deletions, encryption). Use a separate backup with versioning.
Single admin risk. One account to rule them all means a single point of failure. Create a break-glass backup admin account with MFA, with its credentials stored securely.
Forgetting endpoints. Laptops get lost, dropped, or scratched. Daily cloud backups rescue you.
No retention policy. Keeping everything forever is expensive and insecure. Decide what to keep and for how long.
If I had to choose the one lever that most small companies under-use, it is immutability. Local daily backups are fantastic, but they won’t save you when ransomware overwrites your shares and then overwrites your backup store. Turning on object lock/WORM for weekly and monthly sets is cheap insurance and moves the math your way. If you can only do one new thing this quarter, do that and test-restore to prove it.
Frequently Asked Questions
Daily backups to a local drive are the sweet spot for most, with weekly fulls to cloud and local and monthly archives. It’s a balance of cost, speed, and risk.
Yes. Their recycle bins and retention settings are not end-to-end backups. A separate backup gives point-in-time restores after accidental deletion, malicious rules, or ransomware on synced data.
At least one in the cloud or somewhere else in the physical world, and make it immutable. Better: put it in another cloud account with limited credentials.
Best practice: 12 monthly backups for the last year, and 7 yearly backups. Adjust for industry regulation and storage capacity.
Run a quick monthly test (recover a file or mailbox) and a quarterly full recovery of an important app to a different machine. Test after significant changes (migrations, upgrades).
They may, if backups run all day while you’re working. Use incrementals, dedupe, and run large transfers overnight. Most products offer bandwidth limiting.
A NAS is fine for a quick restore but not as your only copy. Include cloud/off-site, enable snapshots, and limit admin access. Do not expose the NAS to the internet.
Back up company data in approved apps (e.g., OneDrive/Google Drive with MDM). Do not keep personal and company backups on unmanaged devices.
Use immutable storage, segregate backup credentials, implement MFA on admin accounts, and keep copies that are not mounted during normal operation. Test ransomware recovery every quarter.