Five Data Backup Mistakes Small Businesses Keep Making
I had a conversation last week with a small accounting firm that lost three weeks of client data. Their “backup” was an external hard drive plugged into the office server. The drive failed at the same time as the server — because both were plugged into the same power board that got hit by a surge.
They had a backup. It just wasn’t a useful one.
This isn’t unusual. Most small businesses we work with have some form of backup in place. The problem is that their backup strategy has gaps they don’t know about until something goes wrong.
Here are the five mistakes we see over and over.
1. Backing Up to the Same Location
The accounting firm example above is the most common version of this. An external drive sitting next to the computer it’s backing up protects you from a hard drive failure. It doesn’t protect you from a fire, a flood, a theft, a power surge, or ransomware that encrypts everything on the network including attached drives.
The 3-2-1 rule exists for a reason: three copies of your data, on two different types of media, with one copy offsite. In 2026, “offsite” usually means cloud storage, which is fine — but you need to make sure the cloud backup isn’t just syncing. More on that in a moment.
If your only backup is a device in the same room as your primary data, you don’t really have a backup. You have a slightly delayed copy that will be destroyed by the same event that destroys the original.
2. Confusing Sync with Backup
This one catches people constantly. “We use OneDrive” or “Everything’s on Google Drive” isn’t a backup strategy. It’s a sync strategy.
Cloud sync services mirror your files to the cloud in near-real-time. If you delete a file locally, it’s deleted from the cloud. If ransomware encrypts your files, the encrypted versions sync to the cloud. If someone accidentally overwrites a critical spreadsheet, the overwritten version syncs up.
Some sync services have version history that lets you recover previous versions, which helps. But version history has limits — typically 30-90 days, and not all file types are fully supported. It’s better than nothing but it’s not a proper backup.
A proper backup creates point-in-time snapshots that are separate from your live data. If your live data gets corrupted or destroyed, you can restore from a specific backup point. The backup isn’t connected to the sync process.
Services like Backblaze, Acronis, or Veeam provide actual backup functionality. They’re different tools than OneDrive or Dropbox, and they serve a different purpose.
3. Never Testing Restores
Having backup software running doesn’t mean your backups work. Backup jobs can fail silently — a drive fills up, a permission changes, the software crashes, the backup target becomes unreachable. If nobody’s checking, you won’t know until you need the backup and discover it stopped working three months ago.
Testing restores is the only way to verify your backups are working. At minimum, do a test restore quarterly. Pick a random file or folder, restore it from backup, and confirm it’s intact and current. If your business depends on a specific application (accounting software, CRM, practice management system), test restoring the application data and verify it works.
I know this sounds tedious. It takes maybe 30 minutes every three months. Compare that to the cost of discovering your backups don’t work when you actually need them.
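The quarterly spot check described above can be scripted. This is an added example, not part of the original article: it samples random live files, compares each against the copy restored from backup, and flags a snapshot that is too old. The function names, the snapshot_time argument (when the restored backup was taken, read from your backup tool) and the 7-day freshness threshold are assumptions.

```python
import hashlib
import random
import sys
import time
from pathlib import Path


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_restore(live_dir, restored_dir, snapshot_time, sample_size=5,
                   max_age_days=7, now=None, seed=None):
    """Spot-check a test restore. Returns (path, problem) tuples; [] is a pass."""
    live_dir, restored_dir = Path(live_dir), Path(restored_dir)
    now = time.time() if now is None else now
    problems = []
    # Currency: an old snapshot means the backup job may have stopped silently.
    if now - snapshot_time > max_age_days * 86400:
        problems.append((".", f"snapshot is older than {max_age_days} days"))
    # Only sample files unchanged since the snapshot; newer edits legitimately differ.
    candidates = sorted(p for p in live_dir.rglob("*")
                        if p.is_file() and p.stat().st_mtime <= snapshot_time)
    if not candidates:
        return problems + [(".", "no unchanged live files to sample")]
    picks = random.Random(seed).sample(candidates, min(sample_size, len(candidates)))
    for live in picks:
        rel = live.relative_to(live_dir)
        restored = restored_dir / rel
        if not restored.is_file():
            problems.append((str(rel), "missing from restore"))
        elif sha256_of(restored) != sha256_of(live):
            problems.append((str(rel), "content differs from live copy"))
    return problems


if __name__ == "__main__":
    # Usage: verify_restore.py LIVE_DIR RESTORED_DIR SNAPSHOT_EPOCH_SECONDS
    issues = verify_restore(sys.argv[1], sys.argv[2], float(sys.argv[3]))
    for path, problem in issues:
        print(f"FAIL {path}: {problem}")
    sys.exit(1 if issues else 0)
```

Restore to a scratch folder rather than over the live data, and treat a non-zero exit code as a failed test worth investigating before the next quarter.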
4. Ignoring SaaS Data
Here’s one that’s become more common as businesses move to cloud-based tools. Your data in Xero, MYOB, HubSpot, Salesforce, or any other SaaS platform is not automatically backed up in a way you control.
Most SaaS providers protect against their own infrastructure failures. If the Xero servers go down, Xero has its own backups to restore service. But if your Xero data gets corrupted — someone imports a bad file, an integration goes wrong, or your account gets compromised — Xero’s infrastructure backups won’t help you. They protect against Xero’s failures, not yours.
Some SaaS platforms offer data export features. Use them. Export your critical data periodically and store the exports securely. Third-party backup services for SaaS data (like Rewind for Shopify or OwnBackup for Salesforce) exist for the most popular platforms.
Your SaaS data is your data. Don’t assume the vendor is protecting it on your behalf.
5. No Backup Documentation
The person who set up the backup system is often the only person who knows how it works. If they leave the company, get hit by a bus, or are simply unavailable during an emergency, nobody else knows how to initiate a restore.
Document your backup system. Write down:
- What’s being backed up
- Where backups are stored
- How often backups run
- How to check that backups are completing successfully
- How to restore from backup, step by step
- Who has the credentials to access backup systems
Keep this documentation somewhere accessible — and not only on the system being backed up. A printed copy in a fire safe isn’t a bad idea for the most critical information.
Getting It Right Doesn’t Have to Be Expensive
A reasonable small business backup setup in Australia might look like this:
- Local backup: An external NAS device running automated daily backups of all workstations and servers ($500-$1,500 one-time for hardware, depending on capacity)
- Cloud backup: Backblaze B2 or similar for offsite copies ($5-$20/month for most small businesses)
- SaaS exports: Monthly data exports from critical cloud applications (free, but requires someone to actually do it)
- Quarterly restore tests: Scheduled calendar reminder (free)
- Documentation: Written and stored accessibly (free)
Total ongoing cost: under $30/month for most businesses. Compare that to the cost of data loss, which for an Australian SMB averages $150,000-$300,000 according to ACSC data.
The Bottom Line
Data backup is boring. Nobody gets excited about it. But it’s one of those things where a small investment of time and money prevents a catastrophic outcome. The businesses that take it seriously are the ones that survive the inevitable hardware failure, ransomware attack, or human error that eventually hits every organisation.
If you haven’t reviewed your backup strategy in the past year, do it this week. Check that backups are running, test a restore, and fix any gaps. It’s the most valuable hour you’ll spend on IT this quarter.