Small Business Backup Checklist

Most small businesses think they have backups. Most find out they don't when they need them. Here's how to know for certain.

  • 76% of ransomware attacks successfully encrypt the target's data (Sophos, State of Ransomware 2023): backups are often the only path to recovery.
  • 21 days average ransomware downtime (Datto, 2022): the average downtime following ransomware for businesses without verified, tested backup and recovery plans.
  • 6% survive without data protection (University of Texas research): only 6% of companies that experience catastrophic data loss without a recovery solution survive long-term.
  • 75% of attacks target backup repositories (Veeam, Data Protection Trends Report 2023): in 75% of ransomware attacks, attackers specifically targeted backup repositories before deploying encryption.

Why backups fail when businesses need them most

The backup false sense of security

Veeam's 2023 Data Protection Trends Report found that 44% of production data is either unprotected or backed up infrequently — meaning a significant share of business data isn't covered even in organizations that believe they have backups. The most common failure modes: backups that run but never get verified, cloud data that isn't backed up because businesses assume the cloud provider handles it, and backup jobs that silently fail for weeks or months without triggering an alert.

A critical distinction: Microsoft 365 and Google Workspace do not provide comprehensive backup services for your data. Microsoft retains deleted items for limited periods, but this is not a substitute for independent backup of Exchange, SharePoint, Teams, and OneDrive data. A ransomware attack, accidental deletion, or malicious insider can cause data loss that Microsoft's retention policies cannot restore.

What attackers do to your backups

Veeam's 2023 research found that ransomware actors specifically targeted backup repositories in 75% of attacks. The typical playbook: gain access, move laterally to find backup systems, delete or encrypt backup files, wait for the retention window to expire, then deploy the ransomware payload against production systems. By the time encryption occurs, there's nothing to restore from.

Effective backup strategy must assume that an attacker with domain admin access will attempt to destroy backups. Immutable backups — copies that cannot be modified or deleted regardless of credentials — and air-gapped copies that have no network path from the production environment are the defenses that make this attack chain fail.

The small business backup checklist

Use this to evaluate your current backup posture. Items in bold are critical — if you can't check them, your backup strategy has a meaningful gap.

What you're backing up

  • All file servers and shared drives — local NAS, Windows Server shares, mapped drives
  • All workstations and laptops — especially for staff who store files locally rather than on shared drives
  • Microsoft 365 data — Exchange email, SharePoint, OneDrive, and Teams data (Microsoft does not provide comprehensive backup)
  • All business-critical applications and databases — accounting software, CRM, EHR, practice management
  • On-premises servers and virtual machines
  • Network device configurations (firewall, switches)
  • Cloud infrastructure configurations (if applicable)

Frequency & Retention

  • Daily backups minimum for all production data; hourly backups preferred for critical systems
  • Weekly full backups in addition to daily incrementals
  • Minimum 30-day retention — 90 days recommended; 1 year for regulated industries
  • Defined Recovery Point Objective (RPO): how much data loss is acceptable?
  • Defined Recovery Time Objective (RTO): how long can you be down?
  • Retention policy accounts for end-of-quarter and end-of-year snapshots for financial records

The 3-2-1 Rule

The 3-2-1 rule is a CISA and NIST-endorsed framework: keep 3 copies of your data, on 2 different media types, with 1 stored offsite.

  • Copy 1: Production data on primary systems
  • Copy 2: Local backup on NAS, backup appliance, or separate storage — for fast recovery
  • Copy 3: Offsite cloud backup — geographically separate, not accessible from your local network

Ransomware Resistance

  • Immutable backups enabled — object lock or WORM storage that prevents modification or deletion for a defined period
  • Backup credentials stored separately from domain admin credentials — if an attacker compromises your AD, they cannot reach your backups
  • Air-gapped or offline copy that has no persistent network connection to production systems
  • Backup software agent accounts not in Domain Admins group
  • Backup management console protected by MFA

Testing & Verification

  • Automated backup job verification — alerts on any failed job, not just weekly review
  • Quarterly restore tests — actually restore files and verify integrity; don't just check that jobs completed
  • Annual full recovery test — simulate complete system failure and measure actual RTO
  • Document restore procedures so recovery doesn't depend on one person's memory
  • Store recovery documentation offline or in a location inaccessible to ransomware
  • Named owner for backup monitoring — someone is responsible for checking that backups ran
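The "alerts on any failed job" item above and the RPO item under Frequency & Retention can be enforced with a small monitor like the one below. This is an added example, not code from the page or any backup vendor: the job-history format, the job names, the RPO table and the "current time" are all constructed for the demo, and a real deployment would feed it the job export of whatever backup product is in use.

```python
# Backup job monitor (added example): flags failed or warning runs and jobs
# with no successful backup inside their Recovery Point Objective (RPO).
from datetime import datetime, timedelta

# Constructed sample job history in a hypothetical key=value format; real
# backup products export job history differently, so adapt parse_log().
SAMPLE_LOG = """\
2024-03-01T02:00:00 job=FileServer status=Success
2024-03-01T02:15:00 job=M365-Exchange status=Success
2024-03-02T02:00:00 job=FileServer status=Failed error=VSS_SNAPSHOT_TIMEOUT
2024-03-02T02:15:00 job=M365-Exchange status=Warning
2024-03-03T02:00:00 job=FileServer status=Failed error=VSS_SNAPSHOT_TIMEOUT
2024-03-03T02:15:00 job=M365-Exchange status=Success
"""
# RPO per job (checklist: daily for production, hourly for critical); Accounting-DB never ran.
RPO = {"FileServer": timedelta(hours=24), "M365-Exchange": timedelta(hours=24),
       "Accounting-DB": timedelta(hours=1)}
SAMPLE_NOW = datetime(2024, 3, 3, 8, 0, 0)  # constructed "current time" for the demo

def parse_log(text):
    """Parse one run per line into dicts with time, job, status and error."""
    runs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        runs.append({"time": datetime.fromisoformat(timestamp), "job": kv["job"],
                     "status": kv["status"], "error": kv.get("error", "")})
    return runs

def evaluate(runs, rpo, now):
    """Return alerts: every non-Success run, plus every job in `rpo` whose
    newest successful run is older than its RPO or that never succeeded."""
    alerts, last_success = [], {}
    for run in runs:
        if run["status"] != "Success":  # alert on every failure, not a weekly review
            alerts.append(f"{run['job']}: {run['status']} at {run['time']} {run['error']}".rstrip())
        elif run["time"] > last_success.get(run["job"], datetime.min):
            last_success[run["job"]] = run["time"]
    for job, window in rpo.items():  # silent jobs and stale jobs are gaps too
        if job not in last_success:
            alerts.append(f"{job}: no successful backup on record")
        elif now - last_success[job] > window:
            alerts.append(f"{job}: last success {last_success[job]} exceeds RPO of {window}")
    return alerts

if __name__ == "__main__":
    for alert in evaluate(parse_log(SAMPLE_LOG), RPO, SAMPLE_NOW):
        print("ALERT", alert)
```

Run on a schedule and route the returned alerts to whoever owns backup monitoring; a job that never appears in the history (here Accounting-DB) is reported just like a job that failed.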

The cloud backup misconception

Microsoft and Google both offer strong cloud infrastructure but are not responsible for protecting your data from user error, accidental deletion, or ransomware. Microsoft's data redundancy protects against hardware failure in their datacenters — not against your data being deleted or encrypted. Independent M365 backup from a third-party provider (Veeam, Datto SaaS Protection, Acronis, etc.) is required for genuine recovery capability from ransomware or mass deletion events.

Recovery planning: the part most businesses skip

Know your RTO before you need it

Recovery Time Objective (RTO) — how long before your systems are back online — matters more than most businesses realize until they're in a crisis. A business that has never performed a test restore typically discovers that its actual recovery time is 3–5× longer than estimated. Run a timed restore test annually. The result tells you whether your backup strategy is adequate for your actual business continuity requirements.

Document it offline

Recovery documentation — where backups are stored, the credentials needed to access them, the step-by-step restore procedure — must exist somewhere that ransomware cannot encrypt. A PDF in a SharePoint library doesn't count if SharePoint is encrypted. Keep physical copies of critical recovery documentation, or store it in a completely separate cloud tenant or password manager that isn't accessible from your primary systems.

Sources

  • Sophos, State of Ransomware Report, 2023
  • Veeam, Data Protection Trends Report, 2023
  • Datto/Kaseya, Global Ransomware Report, 2022
  • University of Texas, "Recovering from Data Disasters," study frequently cited in NIST and FEMA continuity planning guidance
  • CISA, "Data Backup Options," Cybersecurity Advisory, 2021
  • NIST, Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems
  • Microsoft, "Microsoft 365 Service Descriptions — Data Resilience" documentation

Find out if your backups would actually survive a ransomware attack.

Book a free assessment — we'll review your backup coverage, test restore capability, and tell you exactly where the gaps are.