Invenio IT

15 Best Practices for Small Business Backup

Tracy Rock

Director of Marketing @ Invenio IT

Data protection and recovery is just one of the many things you have to juggle as a business leader. To keep things simple, you might deploy a small business backup solution and call it a day. It’s important to recognize that doing so might leave you vulnerable to costly data loss and a difficult recovery from ransomware, cyberattacks, accidental file deletion, and other threats.

Small businesses need to consider when, where, and how often they’ll back up their data. They also have to decide what recovery methods to use and how long they want to retain their old backups.

There’s no cookie-cutter plan for data backups because you have to tailor your approach to the unique needs of your business. However, there are some general guidelines to follow. These best practices for small business backups will help ensure your data is adequately protected and quickly recoverable if a disaster strikes.

1) Start with a backup strategy

Data protection begins with creating a detailed plan that outlines your company’s specific objectives. Many organizations include this information in their business continuity plan (BCP) or disaster recovery plan (DRP).

History has shown that businesses without a disaster recovery plan in place are far more likely to struggle or close after a disaster. Despite this, a 2021 study revealed that only half of organizations have DRPs in place.

Before you can tackle issues like backup frequency and infrastructure needs, you’ll first need to evaluate these factors:

  • Your risk level for different data-loss events, such as ransomware
  • How those events would affect various aspects of your operations, including productivity and revenue
  • Your recovery point and recovery time objectives, which indicate how quickly you need to restore data to prevent lasting harm to your company

You’re the only one who knows the ins and outs of your business well enough to develop an appropriate backup strategy. However, no matter how your organization operates, creating a detailed plan prior to deployment helps ensure you have all the pieces in place.

2) Aim for business continuity

Be wary when you select a small business backup solution. Some lightweight options merely replicate your data to an external drive or a cloud folder. Likewise, cloud-based file-sharing applications like Google Backup and Sync aren’t designed to serve as your data backup solution. Instead, stick to solutions that provide business continuity and keep your business running after a disaster.

A mere backup of your files is useless if ransomware infects all your applications and operating systems. Not only that, but if it takes days to restore data from a backup, your business could suffer irreparable damage. Business continuity and disaster recovery (BC/DR) solutions, on the other hand, are designed to provide more robust recovery options so that critical operations can continue with minimal interruption.

3) Back up data frequently

When you perform regular backups, you lose less data in between recovery points. In other words, the more often you back up data, the better.

In the old days, overnight and weekend backups were the norm. Modern solutions have significantly stepped up the game by backing up data as often as every five minutes.

That doesn’t mean you should constantly back up everything, but it’s a good idea for certain situations. If your business uses different kinds of servers, some will require a higher priority than others, such as:

  • Exchange servers: hourly backups
  • Terminal servers: daily backups
  • Auxiliary domain controllers: several backups per week

Specific industries, such as healthcare and finance, back up data more frequently to comply with regulatory requirements. If your business constantly produces or modifies large amounts of data, then you probably don’t want your backups to be more than a few minutes old.

4) Use remote storage

On-site backups are still the go-to for speed, but relying on them exclusively is dangerous. A fire or flood could wipe out your on-premises infrastructure, leaving you helpless if you don’t have another backup off-site.

Businesses should keep copies of their backups at a secondary location, such as:

  • Private clouds or data centers
  • Public cloud services, such as Microsoft Azure or Amazon Web Services
  • Secondary business locations

With that said, remote storage shouldn’t replace your on-site backups. Today’s best small business backup solutions offer hybrid backup protection, which stores data both on-site and in the cloud.

5) Retain backups for the long term

Not every backup is significant enough to keep forever – and it would be impractical and expensive to try. However, it’s wise to retain certain backups for extended periods. For instance, banks and healthcare organizations must comply with strict data retention policies that require them to keep backups for several years.

A good BC/DR solution lets you customize your retention options to keep multiple copies of recent backups and compressed versions of older ones. Here’s an example of how long you might retain different backup types:

  • Local backups for three months
  • Intra-daily backups for seven days
  • Daily backups for two weeks
  • Weekly backups for one month
  • Monthly backups until local backups are deleted

As a rule of thumb, retain backups for as long as you reasonably can. Some data backup providers have made this easier by offering infinite cloud retention, allowing you to store unlimited backups in the cloud with no time restriction.
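The example schedule above, turned into a pruning plan for local recovery points. This is an added sketch, not code from any backup product; it assumes "one month" means 30 days and "three months" means 90 days, keeps the newest point in each bucket, and runs on a constructed list of timestamps.

```python
from datetime import datetime, timedelta

# Tier boundaries from the example schedule above. Treating "one month" as
# 30 days and "three months" as 90 days is an assumption of this sketch.
INTRADAY_DAYS, DAILY_DAYS, WEEKLY_DAYS, LOCAL_DAYS = 7, 14, 30, 90


def bucket_for(ts, now):
    """Return the retention bucket a recovery point falls into, or None to prune."""
    age_days = (now - ts) / timedelta(days=1)
    if age_days <= INTRADAY_DAYS:
        return ("intraday", ts)                         # keep every recent point
    if age_days <= DAILY_DAYS:
        return ("daily", ts.date())                     # one per calendar day
    if age_days <= WEEKLY_DAYS:
        return ("weekly", tuple(ts.isocalendar())[:2])  # one per ISO week
    if age_days <= LOCAL_DAYS:
        return ("monthly", (ts.year, ts.month))         # one per calendar month
    return None                                         # past local retention


def plan_retention(points, now):
    """Split recovery points into (keep, prune), keeping the newest per bucket."""
    newest = {}
    for ts in sorted(points):
        key = bucket_for(ts, now)
        if key is not None:
            newest[key] = ts                            # later points overwrite earlier
    keep = sorted(newest.values())
    prune = sorted(set(points) - set(keep))
    return keep, prune


def sample_points(now, days=100):
    """Constructed sample: recovery points at 00:00 and 12:00 for `days` days."""
    return [now.replace(hour=h) - timedelta(days=d)
            for d in range(days) for h in (0, 12)]


if __name__ == "__main__":
    now = datetime(2024, 6, 30, 12, 0)                  # constructed "current" time
    keep, prune = plan_retention(sample_points(now), now)
    print(f"keep {len(keep)} points, prune {len(prune)}")
    for ts in keep[:5]:
        print("oldest kept:", ts.isoformat())
```

Run the plan in report-only mode first and compare it with any regulatory retention period before deleting anything.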

6) Backups shouldn’t allow inbound Internet access

Backup devices that are improperly connected to the Internet are far more susceptible to cyberattacks, including ransomware and malware infections that can render them useless. A backup device has to transmit data to the cloud, but it shouldn’t allow any inbound communication. For the best security, deploy the device in a secure LAN environment and limit even the outbound communications to those that are absolutely necessary. All other communications should be denied.
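One way to check that rule against what the firewall actually permitted, as an added example rather than anything from a specific product. The appliance address, the egress allowlist, and the key=value log format are all assumptions, and the log lines are constructed.

```python
import ipaddress

# Assumed policy for this sketch: the appliance address and the only egress it
# needs (a cloud sync range over HTTPS and the LAN resolver). All hypothetical.
BACKUP_DEVICE = ipaddress.ip_address("10.0.5.20")
ALLOWED_EGRESS = [(ipaddress.ip_network("203.0.113.0/28"), 443),
                  (ipaddress.ip_network("10.0.5.1/32"), 53)]

# Constructed firewall log lines in a made-up key=value format.
SAMPLE_LOG = """\
2024-06-30T02:00:01Z dir=out src=10.0.5.20 dst=203.0.113.10 dport=443 action=allow
2024-06-30T02:03:11Z dir=in src=198.51.100.7 dst=10.0.5.20 dport=22 action=allow
2024-06-30T02:05:40Z dir=out src=10.0.5.20 dst=192.0.2.55 dport=445 action=allow
2024-06-30T02:06:02Z dir=in src=198.51.100.9 dst=10.0.5.20 dport=3389 action=deny
2024-06-30T02:07:00Z dir=out src=10.0.5.20 dst=10.0.5.1 dport=53 action=allow
not a log line
""".splitlines()

def parse(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    try:
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        return {"ts": ts, "dir": rec["dir"], "action": rec["action"],
                "src": ipaddress.ip_address(rec["src"]),
                "dst": ipaddress.ip_address(rec["dst"]),
                "dport": int(rec["dport"])}
    except (KeyError, ValueError):
        return None

def audit(lines):
    """Return (timestamp, reason) for each allowed flow that violates the policy."""
    findings = []
    for line in lines:
        r = parse(line)
        if r is None:
            findings.append((line[:20], "unparseable line, review manually"))
        elif r["action"] != "allow":
            continue                                # denied traffic is the goal
        elif r["dir"] == "in" and r["dst"] == BACKUP_DEVICE:
            findings.append((r["ts"], f"inbound allowed from {r['src']}"))
        elif r["dir"] == "out" and r["src"] == BACKUP_DEVICE and not any(
                r["dst"] in net and r["dport"] == port for net, port in ALLOWED_EGRESS):
            findings.append((r["ts"], f"egress to {r['dst']}:{r['dport']} not allowlisted"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="  ")
```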

7) Separate backups from the network

It’s also vital to maintain distance between your backups and your computers and networks.

The FBI explains that some ransomware can “lock cloud-based backups when systems continuously back up in real time.” In a widespread ransomware attack, your backups are usually the only way to safely get your data back. Without them, you’re under pressure to pay the ransom, which law enforcement strongly discourages. To keep that from happening, it’s of the utmost importance that you protect your backups from malware infections.

8) Encrypt backups

If hackers manage to get their hands on your data, encryption could be the one thing that stops them from reading and distributing it. This is especially important for sectors like healthcare, where HIPAA guidelines require added security measures to protect sensitive patient data.

When possible, encrypt backups in transit and at rest. This means the data is encrypted as it’s uploaded to the cloud and while it’s stored on the backup device or in the data center. AES-256 and SSL/TLS key-based encryption offer the strongest level of protection because, with the keys kept secret, they’re not practical to break.

9) Protect your endpoints

In an ideal small business backup deployment, users save data on a server that’s routinely backed up. In the real world, that’s not always how it works. In too many cases, large volumes of data reside on users’ local computers rather than on network drives. If something happens to that local data, it could be gone for good.

That’s why it’s sound practice to protect each endpoint or computer where critical data may live.

BC/DR providers have addressed this issue by offering solutions with endpoint recovery. Businesses can opt to deploy an onsite backup device to protect the machines that matter most, while also using cloud services to back up individual PCs.

10) Back up SaaS data

A 2021 study found that 45% of small and medium-sized businesses have all or most of their business software based in the cloud. Unfortunately, many of those businesses don’t independently back up their software-as-a-service (SaaS) data.

Using SaaS applications creates a false sense of security. People assume that their data is safe because it’s in the cloud. However, SaaS data is vulnerable to a lot of the same threats as local data. IBM’s 2023 “Cost of a Data Breach Report” found that more than 80% of data breaches involved data stored in the cloud. Even worse, this data isn’t included with your regular backup processes, so a disaster could permanently wipe it out.

Using an independent SaaS backup solution is essential for protecting this crucial data. These tools store data from applications like M365 and QuickBooks Online to separate clouds. You can still recover the data, even if it’s deleted or encrypted in the original SaaS application.

11) Move away from backup chain dependency

Traditional incremental backups are notorious for data corruption because of the way errors occur in the backup chain. Each incremental is dependent on the chain, so if there’s an issue at any one point, the whole backup might be unrecoverable during the rebuild.

BC/DR providers have developed new backup processes that reduce these risks. Each new recovery point is stored in a fully constructed state, which can be booted as a virtual machine. Unlike traditional incrementals, there is no rebuild process. This doesn’t have to mean that each backup is massive. The best solutions are extremely efficient with high backup frequencies.
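A toy model of the difference, added here as an illustration and not taken from any vendor's implementation: the same four disk states are stored once as a delta chain and once as independent, checksummed recovery points, then one point is damaged. Storing full copies is a simplification, and the block contents are constructed.

```python
import hashlib
import json


def digest(blocks):
    """SHA-256 over a canonical JSON encoding of a {block_id: data} map."""
    return hashlib.sha256(json.dumps(blocks, sort_keys=True).encode()).hexdigest()


def take_backups(states):
    """Store the same disk states both ways: as a delta chain and as full points."""
    chain, points, prev = [], [], {}
    for state in states:
        delta = {k: v for k, v in state.items() if prev.get(k) != v}
        chain.append({"delta": delta, "sha256": digest(delta)})
        points.append({"blocks": dict(state), "sha256": digest(state)})
        prev = state
    return chain, points


def restore_from_chain(chain, index):
    """Rebuild point `index` by replaying every link; any bad link aborts it."""
    disk = {}
    for i, link in enumerate(chain[: index + 1]):
        if digest(link["delta"]) != link["sha256"]:
            raise ValueError(f"link {i} failed its checksum; point {index} is lost")
        disk.update(link["delta"])
    return disk


def restorable(chain, points):
    """Return (chain_ok, independent_ok): indexes that can still be restored."""
    chain_ok = []
    for i in range(len(chain)):
        try:
            restore_from_chain(chain, i)
            chain_ok.append(i)
        except ValueError:
            pass
    independent_ok = [i for i, p in enumerate(points)
                      if digest(p["blocks"]) == p["sha256"]]
    return chain_ok, independent_ok


# Constructed sample: four states of a three-block disk (blocks are only written).
STATES = [{"0": "boot", "1": "db-v1"}, {"0": "boot", "1": "db-v2"},
          {"0": "boot", "1": "db-v2", "2": "logs"},
          {"0": "boot", "1": "db-v3", "2": "logs"}]

if __name__ == "__main__":
    chain, points = take_backups(STATES)
    chain[1]["delta"]["1"] = points[1]["blocks"]["1"] = "bit-rot"  # damage point 1
    print(restorable(chain, points))               # ([0], [0, 2, 3])
```

With the chain, damage to the second backup takes every later point with it; with independent points, only the damaged one is lost.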

12) Test backups regularly

Don’t assume you can restore your data just because you have a backup. Regularly testing on-site and off-site backups is the only way to know if they’ll work if and when you need them.

Ideally, your small business backup system will have an automated process that validates each new backup without your prompting and alerts you if there are any issues. For example, some solutions automatically test-boot each backup using technology such as screen recognition. You can also customize the verification process with specific scripts to ensure that you can boot protected machines in the state that you need.

13) Integrate with caution

Several leading BC/DR systems allow — or in some cases require — you to integrate a patchwork of different backup components to achieve the continuity objectives you want.

For example, the core BC/DR platform might be software. You have to bring your own device for local backup storage, additional hardware to enable virtualization, and a private or public cloud service to maintain off-site backups.

Integrating those disparate components is a workable option for some organizations, but it requires extensive knowledge and care. A single deployment or management error could create problems in the backup or recovery process. It’s imperative to weave the overall BC/DR infrastructure as tightly as possible, and cobbling together components might not be the best way to do it.

For a more unified approach and greater peace of mind, consider an all-in-one system. These solutions fully integrate the backup software, hardware, and cloud into a single package. They store backups locally on provider-issued devices and replicate them to dedicated cloud services. This makes the deployment completely seamless, easier to manage, and less expensive, with much less opportunity for error.

14) Restore data according to the disaster

A good backup solution will offer numerous ways to restore data based on the wide range of crisis situations you might encounter.

Imagine that a single critical folder goes missing from your system. You need to recover that data, but performing a full backup restore is a waste of time and energy. For individual files and folders, file-level recovery is the fastest option.

By the same token, recovering a few files isn’t going to cut it when you’ve experienced extensive data loss. You’ll get better results by rolling back to the most recent recovery point or using more precise restore options that only restore the files that have changed since the last backup.

In worst-case scenarios, a protected machine might become completely unbootable. Those types of failures often require a bare metal restore.

Regardless of the degree or severity of the event, choosing the appropriate recovery method is central to keeping costs low, limiting the effects of a disruption, and getting lost data back as quickly and efficiently as possible.

15) Use backup virtualization while the recovery is underway

Time is of the essence when you lose data, and you don’t have to sit by and wait for your recovery process to finish. Leading BC/DR systems can virtualize a backup in a matter of seconds. This gives you near instant access to your protected machines, including their data, applications, and operating systems.

In catastrophic disasters, it’s not unusual for data recovery to take hours, days, or weeks. Backup virtualization allows your teams to continue using the critical systems that keep your business running. It provides continuity through the disruption, so your essential operations don’t stay down for too long.

Expert advice for small business backups

Small business backup is the foundation of your disaster recovery, but simply deploying a solution isn’t enough. To protect your data and ensure you can restore it, you need a sound backup strategy. Whether a single spreadsheet has gone missing or ransomware has locked up a global network of servers, a robust data backup system can help you recover quickly and maintain operational continuity.

Sometimes it’s difficult to know exactly what your deployment should look like. The team at Invenio IT can provide insights into a variety of small business backup solutions and offer general advice about data protection. Reach out to a data protection specialist to learn more.
