I recently sat through a cybersecurity webinar aimed at small business owners. The presenter was a federal forensic analyst with impressive credentials. The first half covered the current cybercrime landscape, how threat actors operate, how ransomware-as-a-service has made attacks more accessible than ever. Solid stuff.
Then the conversation shifted to what businesses should actually do about it. And when it came to backups, the recommendation was this: do a weekly offsite backup so that if you get hit with ransomware, you only lose a week of data.
I nearly fell out of my chair.
If you run a business with 10, 20, or 50 employees and someone tells you that a weekly offsite backup is a valid strategy against ransomware, they are giving you advice that could cost you your company. Let me explain why, and more importantly, what you should be doing instead.
The Problem with "Just Do a Weekly Offsite Backup"
On the surface, the logic makes sense. You have a copy of your data, it lives somewhere other than your office, and if something bad happens, you can restore from it. But "only losing a week of data" is being treated like an acceptable outcome here, and it is not. Not even close.
A week of data loss can be fatal. Think about what your business produces in a week. Emails sent, contracts drafted, invoices generated, client work delivered, accounting entries logged. For a 20-person law firm or accounting practice, a week of lost data is not an inconvenience. It is a crisis. Reconstructing a week of billable work, correspondence, and financial transactions is not just expensive. In many cases, it is impossible.
Weekly is not frequent enough. If your last backup was six days ago and you get hit today, you are looking at nearly a full business week of lost work. For many small businesses, that amount of data loss means missed deadlines, broken client commitments, compliance violations, and real financial damage. The recovery point objective (how much data you can afford to lose) for most businesses should be measured in hours, not days.
Offsite backup alone does not get you back up and running. Even if your weekly offsite backup is perfectly intact, restoring from it takes time. You need hardware to restore to. You need to rebuild the environment. You need to verify the data. For many businesses, this process takes days or even weeks. Every hour of downtime costs money, and a weekly offsite backup has no answer for the question, "How do we keep working while we recover?"
Ransomware does not wait for your backup schedule. Many ransomware variants sit dormant for days or weeks before activating, quietly spreading across your environment. By the time the encryption kicks in, your last several weekly backups may already contain the compromised payload. Restoring from any of them just reinfects you.
The bottom line: a weekly offsite backup is better than nothing, but it is nowhere near good enough. It is a 2008 strategy being recommended in 2026, and it gives business owners a dangerous false sense of security.
What Most Small Businesses Get Wrong About Microsoft 365 Backups
Here is something that surprises a lot of business owners: Microsoft does not back up your data for you. When you are paying for Microsoft 365, you are paying for the platform, the applications, and the infrastructure. You are not paying for data protection.
Microsoft is very clear about this. Their Shared Responsibility Model puts the responsibility for protecting your data squarely on you. Their service agreement even recommends using third-party backup solutions. Most people never read that. They assume that because their email is "in the cloud," it is safe.
It is not. Here is what can go wrong:
- Accidental deletion. Someone deletes a critical email, a SharePoint folder, or a OneDrive file. Once it clears the recycle bin (which Microsoft only retains for up to 93 days in most cases), it is gone. Permanently.
- Ransomware and malware. A compromised account can encrypt or delete files across Exchange, OneDrive, SharePoint, and Teams. Microsoft's native tools have limited recovery options for this.
- Departing employees. When someone leaves and their license gets removed, their mailbox and OneDrive data have limited retention windows. If you do not act fast, you lose it.
- Compliance and legal holds. If you are ever involved in litigation or need to produce historical records for a compliance audit, Microsoft's native retention is not built to be your archive. You need a real solution for that.
The reality is that for most small businesses, their entire operation lives inside Microsoft 365. Email, files, calendars, contacts, shared documents, Teams conversations. If any of that disappears and you do not have an independent backup, you are in serious trouble.
What a Real Microsoft 365 Backup Strategy Looks Like
A proper M365 backup solution runs automatically, multiple times per day, and stores your data independently from Microsoft's infrastructure. No USB drives. No human intervention. No hoping someone remembered to run the backup before they left for the weekend.
At Athencia, we use Dropsuite for Microsoft 365 backup across our managed clients. Here is what that actually means for your business:
Automated, incremental backups. Your Exchange mailboxes, OneDrive files, SharePoint sites, Teams data, calendars, and contacts are backed up automatically, multiple times daily. No one has to remember to do anything. It just happens.
Immutable storage. Your backup data is stored in a separate cloud environment with immutable protection. That means even if an attacker compromises your Microsoft 365 tenant, they cannot reach your backups. This is the critical difference between a real backup solution and simply having a copy of your data sitting somewhere offsite.
Granular, point-in-time recovery. Need to restore a single email from three weeks ago? A SharePoint folder from last Tuesday? A departed employee's entire mailbox? You can do all of that without restoring everything. You pick exactly what you need and recover it to the exact point in time you choose.
Unlimited storage. No worrying about storage capacity limits or paying overage fees. Your backup grows with your data.
Built-in compliance and eDiscovery. For professional services firms that deal with client data, legal holds, or regulatory requirements, having a searchable archive of all email and file history is not a nice-to-have. It is a necessity.
The difference between this approach and the weekly offsite recommendation is not incremental. It is the difference between being able to recover from an incident in minutes versus discovering, days later, that your last good backup was from last weekend and half your client files are gone.
But What About On-Premises Servers? That Is Where BCDR Comes In
Cloud backup solves the Microsoft 365 problem, but many small businesses still have on-premises infrastructure. Maybe it is a file server, a line-of-business application, a database, or a domain controller. For these workloads, you need something more than backup. You need business continuity and disaster recovery, or BCDR.
The difference between backup and BCDR is critical. A backup saves your data. BCDR saves your business. With a true BCDR solution, if your server goes down, whether from hardware failure, ransomware, fire, flood, or anything else, you can spin up a virtual copy of that server within minutes, either on the local appliance or in the cloud. Your team keeps working while you deal with the underlying problem.
We deploy Slide BCDR appliances for our clients' on-premises workloads. Slide was founded by the same team that built Datto (one of the most widely deployed BCDR platforms in the MSP space) and designed from scratch with no legacy code. Here is what makes this approach different from a weekly offsite backup:
Frequent, image-level backups. Instead of copying files once a week, a BCDR appliance takes full image snapshots of your servers multiple times per day. If you need to recover, you are restoring the entire system, not just files, to a point in time that is hours old, not days.
Local and cloud virtualization. If a server fails, you can boot a virtual machine directly from the backup appliance. Your team can keep working while the primary server is repaired or replaced. If the entire office goes down, you can spin up in the cloud and operate remotely.
All-flash, high-performance hardware. The Slide Z1 appliance uses NVMe solid-state storage, which means backups and restores happen fast. There are no spinning disks to fail, no mechanical parts to wear out. For a small office, the entry-level appliance is about the size of an Apple Mac Studio and can store up to 16TB of protected data.
End-to-end encryption. Data is encrypted on the appliance, in transit, and in the cloud. This is built in, not an add-on.
Offsite replication to a private cloud. Your backups are automatically replicated to a dedicated private cloud, not a shared public cloud environment. If the worst happens and your office is physically destroyed, your data and your ability to run your systems are still intact.
This is what modern disaster recovery looks like. It is not a weekly backup job and a prayer. It is an automated, tested, always-on system that keeps your business running when everything else goes wrong.
Putting It All Together: The Two-Layer Approach
For most small businesses in 2026, the right backup and recovery strategy has two layers:
Layer 1: Cloud-to-cloud backup for Microsoft 365. This covers your email, files, SharePoint, Teams, and everything else that lives in Microsoft's cloud. A solution like Dropsuite runs automatically, stores your data independently, and gives you granular recovery when you need it.
Layer 2: BCDR for on-premises workloads. This covers your servers, applications, and anything that runs locally. A solution like Slide gives you frequent image-level backups, instant local or cloud virtualization, and offsite replication so you can survive anything from a hardware failure to a total office loss.
Together, these two layers mean that no matter what happens, whether it is ransomware, accidental deletion, hardware failure, a disgruntled employee, a natural disaster, or just plain bad luck, your data is protected and your business can keep running.
Compare that to a weekly offsite backup and hoping for the best.
What to Ask Your IT Provider
If you are a business owner reading this and you are not sure where you stand, here are the questions you should be asking your IT provider or MSP today:
- Do we have a third-party backup for our Microsoft 365 data, or are we relying on Microsoft's native retention?
- How often are our backups running, and how much data would we lose in a worst-case scenario?
- If our server goes down right now, how long until we are back up and running? Is the answer measured in minutes, hours, or days?
- Are our backups stored somewhere completely separate from our production environment?
- Has our backup and recovery process been tested recently? Can you show me a successful restore?
- If our entire office is destroyed, can we still operate?
If your IT provider cannot answer these questions clearly, or if the answers involve the words "weekly" and "offsite" and not much else, it is time to have a different conversation.
Stop Hoping. Start Protecting.
The cybersecurity webinar I sat through was well-intentioned. The presenter was trying to help small businesses understand the threats they face. But good intentions paired with outdated advice can do more harm than good, because it gives business owners a false sense of security.
If you walk away from a webinar thinking your weekly offsite backup has you covered, you are more vulnerable than you were before you attended, because now you think the problem is solved.
It is not.
Real data protection in 2026 means automated cloud backup for your SaaS platforms and BCDR for your on-premises infrastructure. It means your backups run without human intervention, are stored independently from your production systems, and can be recovered quickly when you need them.
It means you stop wondering if your data is safe and start knowing it is.
Athencia helps small businesses nationwide stop guessing about their IT and start seeing what is actually happening. With a local presence in the Greater Seattle area and the ability to support clients anywhere in the country, our managed IT plans include automated M365 backup, BCDR for on-premises workloads, and a single dashboard where you can see the health of your entire environment at a glance.
Want to find out where your backup strategy actually stands? Let's talk. Visit athencia.com or reach out directly to schedule a no-pressure conversation about what is protecting your business today and what should be.
