15 Best Practices for Small Business Backup

September 30, 2021


Tracy Rock

Director of Marketing @ Invenio IT

Deploying a small business backup solution is the most important step to preventing data loss from ransomware, cyberattacks, accidental file deletion and other threats. But if you’re not backing up your data properly, recovering it can be a lot more challenging and costly.

Small businesses need to consider:

  • How often do we back up our data?
  • Where and how are the backups stored?
  • Which recovery methods should we use?
  • How long should we retain old backups?

While the answers to these questions will depend partly on the unique needs of the business, there are some general guidelines that every company should follow.

Use the following best practices for small business backup to ensure that your data is adequately protected and quickly recoverable during a disaster.

1) Start with a backup strategy

The single best practice for data backup is creating a detailed plan that outlines your company’s specific objectives. This is often included within a business continuity plan (BCP) or disaster recovery plan (DRP).

Statistics show that businesses without a disaster recovery plan are far more likely to shutter after a disaster. Despite this, FEMA says that 1 in 5 companies spend zero time on a DRP.

Before you’re even able to answer the questions listed above, such as backup frequency and infrastructure needs, you need to consider:

  • Risks of various data-loss events (ransomware, etc.)
  • Impact of those events on various operations (productivity, financial losses, etc.)
  • Objectives for restoring data quickly enough to lessen the brunt of that impact (recovery point objectives, recovery time objectives, etc.)

Remember, the recommended practices below are just a framework. Only you can determine the appropriate backup strategy for your business, which is why it’s so important to develop a detailed plan, prior to deployment.

2) Aim for business continuity

Be wary of lightweight backup solutions that merely replicate your data to an external drive or a cloud folder. Similarly, cloud-based file-sharing applications like Google Backup & Sync should not be used for small business backup (and they’re not intended to be).

As you compare your options, stick to solutions that provide business continuity – meaning they help to keep your business running after a disaster.

What’s the difference?

A mere backup of your files will be useless if all your applications, and the operating systems they run on, are infected by ransomware. Or, if it takes days to restore data from a backup, then it could be too late.

Business continuity and disaster recovery solutions (BC/DR) are designed to provide more robust recovery options, so that critical operations can continue with minimal interruption.

3) Back up data frequently

The more often you back up your data, the less you’ll lose in between recovery points. But just how frequent do your backups need to be?

Today’s BC/DR solutions from providers like Datto can make backups as often as every 5 minutes. That’s a far cry from the old days of overnight and weekend backups – though it doesn’t necessarily mean you actually need to back up every 5 minutes.

If your business uses different kinds of servers, for example, then some will require a higher priority than others. Datto provides the following examples as good practices for a small business backup schedule:

  • Exchange servers: hourly backups
  • Terminal servers: daily backups
  • Auxiliary domain controllers: several backups per week

Specific industries, such as healthcare and finance, may need to back up data more frequently to stay in compliance with regulatory requirements. Similarly, if your business is constantly producing or modifying large amounts of critical data, then you probably don’t want your backups to be more than a few minutes old.

4) Use remote storage

On-site backups are still the go-to for speed. But what if your on-premises infrastructure is destroyed in a fire? If you don’t have another backup off-site, then it’s game over.

Remote backup storage is critical for business continuity. When disasters occur on-site, you cannot afford to lose access to your data. Businesses should keep copies of their backups at a secondary location to ensure they can be retrieved when the worst disasters strike.


Options for remote storage include:

  • Backups stored in a private cloud / datacenter
  • Backups stored in a public cloud, i.e. Microsoft Azure or Amazon Web Services
  • Backups stored at a secondary business location

Remote storage should not be used as an alternative for on-site storage. Today’s best small business backup solutions offer hybrid backup protection, which keeps backups on site and in the cloud for the greatest assurance against all disaster scenarios.

5) Retain backups for the long term

This, too, depends on your company’s specific needs. But every company needs to consider how long it should retain its backups before they can be permanently discarded.

Obviously, not every backup needs to be kept forever – however, you’ll want to retain certain backups for months or even years. Banks and healthcare organizations, for example, must comply with strict data retention policies that require them to keep backups for years.

A good BC/DR solution will let you customize the retention of all your backups, so that you have multiple copies of recent backups, but also compressed versions of older backups as well.

Just for illustrative purposes, here is what an example data retention configuration might look like for a small business using BC/DR solutions from Datto:

  • Local backups: retained for 3 months
  • Intra-daily backups: retained for 7 days
  • Daily backups: retained for 2 weeks
  • Weekly backups: retained for 1 month
  • Monthly backups: retained until local backups are deleted

As a rule of thumb, retain backups for the long term, as long as it remains reasonable to do so. Providers like Datto have begun offering “infinite cloud retention,” which allows companies to store unlimited backups in the cloud with no time restriction.
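The example configuration above can be read as a tiered pruning rule. The sketch below is an added example, not code from Datto or from this article's author; it assumes "1 month" means 30 days and "3 months" means 90 days, that each tier keeps the newest recovery point per day, ISO week or calendar month, and the names TIERS and plan_retention are hypothetical.

```python
from datetime import datetime, timedelta

# Tiers from the example configuration: (maximum age, bucket function).
# Within a tier, only the newest recovery point in each bucket is kept.
# Assumptions: "1 month" = 30 days, "3 months" = 90 days.
TIERS = [
    (timedelta(days=7),  lambda t: t),                     # intra-daily: keep all
    (timedelta(days=14), lambda t: t.date()),              # one per day
    (timedelta(days=30), lambda t: t.isocalendar()[:2]),   # one per ISO week
    (timedelta(days=90), lambda t: (t.year, t.month)),     # one per month
]

def plan_retention(points, now):
    """Return (keep, delete): sorted lists of recovery-point timestamps."""
    keep, seen = set(), set()
    for ts in sorted(points, reverse=True):        # newest first
        age = now - ts
        for tier, (max_age, bucket) in enumerate(TIERS):
            if age <= max_age:
                key = (tier, bucket(ts))
                if key not in seen:                # newest point in this bucket
                    seen.add(key)
                    keep.add(ts)
                break                              # a point belongs to one tier
    # Anything older than the last tier was never added to keep.
    return sorted(keep), sorted(set(points) - keep)

if __name__ == "__main__":
    now = datetime(2021, 9, 30, 12, 0)             # constructed sample: hourly points
    points = [now - timedelta(hours=h) for h in range(100 * 24)]
    keep, delete = plan_retention(points, now)
    print(len(points), "points ->", len(keep), "kept,", len(delete), "deleted")
```
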

6) Backups should not allow inbound Internet access

When a backup device is improperly connected to the Internet, it becomes far more susceptible to cyberattack. If your backups are infected with malware or encrypted by ransomware, then what good are they?

While a backup device will need to be able to transmit data to the cloud, it should not allow any inbound communication. The device should be deployed in a secure LAN environment and even the outbound communications should be limited to only those that are needed for the device to perform the cloud backups. All other communications should be denied.

7) Separate backups from the network

Backups must be secured against the risk of ransomware and other malware, which will try to infect every machine it can find, including your backup devices if left unprotected. This is why it is critical to maintain separation between your backups and the computers or networks being protected.

In “Ransomware Prevention and Response for CISOs,” the FBI writes:

“Ensure backups are not connected permanently to the computers and networks they are backing up. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization.”

In a widespread ransomware attack, your backups will usually be the only remaining tool to get your data back (aside from paying the ransom, which is strongly discouraged by federal law enforcement agencies). So it’s crucial that your backups cannot be infected with the malware.

8) Encrypt backups

In the event that your backups somehow end up in the wrong hands, you want to be sure that the data is inaccessible. This is important for every industry, but it’s an especially critical priority for sectors like healthcare, where HIPAA guidelines require added security measures to protect sensitive patient data.

When possible, backups should be encrypted while both in transit and at rest. This means the data remains encrypted as it’s uploaded to the cloud, as well as when it’s stored on the backup device and/or datacenter.

AES-256 and SSL key-based encryption are recommended, as they are generally considered to be unbreakable.

9) Protect your end points

In an ideal small business backup deployment, users save data on a server, which is routinely backed up. But in a real-world setting, that’s not always how it works. Often, large volumes of data reside on users’ local computers, rather than on the network drives. So if something happens to that local data, it could be gone for good, because it was never included in the backup.

This is why it’s a good idea to protect each end point on a network – or rather, each computer where critical data may live.

BC/DR providers like Datto make this endpoint backup simple with solutions like Cloud Continuity for PCs. It provides an extra layer of protection against the risk of local data loss, without the use of a separate backup appliance. For greater protection, many businesses opt to deploy an onsite backup device to protect the machines that matter most, while also using Cloud Continuity to ensure individual PCs are backed up.

10) Back up SaaS data

80% of businesses now use at least one SaaS (software-as-a-service) application. But only a fraction of those organizations are independently backing up their SaaS data.

Using SaaS applications creates the false assurance that data is safe because it’s in the cloud. (After all, if something happens to the PC, then the cloud data should still be there, right?) But in reality, your SaaS data is vulnerable to a lot of the same threats as local data. And that data is not included with your regular backup process, which means it could be wiped out permanently in a disaster.

Using an independent SaaS backup tool is essential for protecting this crucial data. With Backupify from Datto, for example, your data within Microsoft 365 and G Suite is automatically backed up and stored in a separate cloud. So if your SaaS data is accidentally deleted, or a user license expires, or files are encrypted by ransomware, you can still recover that data from a backup.

11) Move away from backup chain dependency

Traditional incremental backups are notorious for data corruption, due to the way errors occur in the backup chain as each new incremental is added. Each incremental is dependent on the chain, so if there’s an issue anywhere in the chain, then the whole backup can sometimes be made unrecoverable during the rebuild.

BC/DR providers have developed new backup processes that minimize these risks, such as Datto’s Inverse Chain Technology. With Inverse Chain, each new recovery point is stored in a fully constructed state, which can be booted as a virtual machine. Unlike traditional incrementals, there is no rebuild process.

This doesn’t mean that each backup is massive either. In fact, Inverse Chain Technology allows for an extremely efficient backup process that enables a 5-minute backup frequency and also creates more resilient backups. As Datto explains:

“Inverse Chain Technology uses ZFS’s “copy on write” capability, so each unique block of data is saved only once and is referenced by all of the restore points that use it. Also, since each point is completely independent you can delete older recovery points that are no longer necessary—further reducing capacity demands.”
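The difference between chain-dependent incrementals and independent recovery points can be shown with a small model. This is an added example, not Datto's implementation or code from the original article: the classes IncrementalChain and IndependentPoints are hypothetical, blocks are plain byte strings, and the shared store is a simple hash-addressed dictionary standing in for the "each unique block saved once" idea in the quote.

```python
import hashlib

def sha(block):
    return hashlib.sha256(block).hexdigest()

class IncrementalChain:
    """Full backup plus deltas: restoring point N replays links 0..N."""
    def __init__(self):
        self.links = []                    # each link: {block_no: (data, sha256)}
    def add(self, changed):
        self.links.append({n: (d, sha(d)) for n, d in changed.items()})
    def restore(self, point):
        image = {}
        for link in self.links[:point + 1]:
            for n, (data, digest) in link.items():
                if sha(data) != digest:
                    raise ValueError(f"corrupt block {n} in chain")
                image[n] = data
        return image

class IndependentPoints:
    """Each point is a complete manifest of hashes into a deduplicated store."""
    def __init__(self):
        self.store, self.points = {}, []
    def add(self, image):
        for d in image.values():
            self.store.setdefault(sha(d), d)   # each unique block saved once
        self.points.append({n: sha(d) for n, d in image.items()})
    def delete(self, point):
        self.points[point] = None              # drop manifest, then collect garbage
        live = {s for p in self.points if p for s in p.values()}
        self.store = {s: d for s, d in self.store.items() if s in live}
    def restore(self, point):
        manifest = self.points[point]
        if manifest is None or any(sha(self.store[s]) != s for s in manifest.values()):
            raise ValueError("point deleted or block corrupt")
        return {n: self.store[s] for n, s in manifest.items()}

def restorable(backup, count):
    """Indices of recovery points that still restore cleanly."""
    ok = []
    for i in range(count):
        try:
            backup.restore(i)
            ok.append(i)
        except ValueError:
            pass
    return ok
```

Damaging one early link in an IncrementalChain leaves only the points before it restorable, while in IndependentPoints a damaged block affects only the points whose manifests reference it, and deleting an old point leaves the newer ones intact.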

12) Test backups regularly

Just because you have a backup doesn’t mean it can be restored. You need to be sure your backup will be viable when you need it.

Backups should be tested regularly to ensure they can be restored, including both on-site and off-site backups. Ideally, your backup system should have an automated process that validates each new backup automatically and alerts you if there are any issues.

Datto’s BC/DR systems feature Advanced Screenshot Verification, which test-boots each backup (as often as the backups are created – up to every 5 minutes). Even if large quantities of servers are protected, SIRIS can rapidly detect any backup concerns “using a combination of screen recognition and patented CPU register algorithms.” Admins can even customize the verification process with their own scripts to ensure that protected machines can boot in any state they need.
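A file-level version of an automated restore test, separate from the boot verification described above, is to restore each backup into a scratch directory and compare it against hashes recorded at backup time. This is an added example, not code from the article or from any vendor; the function names are hypothetical, it uses a ZIP archive as a stand-in for the backup format, and it assumes the manifest is stored apart from the archive it describes.

```python
import hashlib
import tempfile
import zipfile
import zlib
from pathlib import Path

def manifest(root: Path) -> dict:
    """SHA-256 of every file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def back_up(source: Path, archive: Path) -> dict:
    """Write a ZIP backup of source; return the manifest recorded at backup time."""
    expected = manifest(source)
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in expected:
            zf.write(source / name, arcname=name)
    return expected

def verify_restore(archive: Path, expected: dict) -> list:
    """Restore into a scratch directory; return a list of problems (empty = pass)."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with zipfile.ZipFile(archive) as zf:
                zf.extractall(scratch)
        except (zipfile.BadZipFile, zlib.error, OSError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = manifest(Path(scratch))
    # Every file recorded at backup time must come back with the same hash.
    problems = [f"missing: {n}" for n in expected if n not in restored]
    problems += [f"changed: {n}" for n in expected
                 if n in restored and restored[n] != expected[n]]
    return problems
```

A non-empty result from verify_restore is the condition to alert on; running it after every backup job, against both the on-site and the off-site copy, matches the testing practice described in this section.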

13) Integrate with caution

Several leading BC/DR systems allow (or in some cases require) you to integrate a patchwork of different backup components to achieve the continuity objectives you want. For example, the core BC/DR platform may be software, requiring you to “bring your own device” (BYOD) for the actual local backup storage. Additionally, you may need additional hardware to enable virtualization, as well as your own private or public cloud (“bring your own cloud”) to maintain offsite backups.

Integrating those disparate components may indeed work fine for some organizations, but it needs to be done with care. Any errors in the deployment or management could result in problems in the backup or recovery process. So it’s essential that the overall BC/DR infrastructure is woven as tightly as possible.

For a more unified approach (and peace of mind), consider an all-in-one system like Datto’s. The Datto SIRIS and ALTO fully integrate the backup software, hardware and cloud into a single package built by Datto. Backups are stored locally on the Datto backup device and replicated to the Datto Cloud. This ensures a completely seamless deployment, while also making it easier and less costly to manage.

14) Restore data according to the disaster

A good backup solution will offer numerous ways to restore data, based on the situation. You should not need to do a full backup restore just because a single critical folder has gone missing.

For individual files and folders, a file-level recovery will be the fastest and most efficient way to restore the lost data.

For more extensive data loss, you’ll probably want to roll back to the most recent recovery point, or use more precise restore options like Datto’s Rapid Rollback, which restores only the files that have changed since the last backup.

In cases where a protected machine is no longer bootable, a bare metal restore may be in order.

Choosing the appropriate recovery option is key to minimizing the impact of the disruption and getting lost data back as quickly and efficiently as possible.

15) Use backup virtualization while the recovery is underway

On leading BC/DR systems, virtualizing a backup typically takes just seconds, giving you near instant access to your protected machines, including the data, applications and operating systems.

In a catastrophic disaster, in which the data recovery will take some time, backup virtualization is an essential tool. It allows your teams to continue using the critical systems that your business runs on. It provides continuity through the disruption, ensuring that essential operations are minimally disrupted.


Simply having a small business backup solution is not enough. Organizations must be sure that they implement a sound backup strategy that ensures all data is protected and can be effectively restored when needed. Whether a single spreadsheet has gone missing, or ransomware has locked up a global network of servers, a robust data backup system can help businesses recover quickly and maintain operational continuity.

Get expert advice

Learn more about the best strategies and solutions for small business backup. Request a free demo of leading disaster recovery systems or contact our business continuity experts at Invenio IT. Call (646) 395-1170 or email success@invenioIT.com.
