The short answer: it's not either/or

Cloud backup and local backup fail in different ways, which is exactly why you want both. Local backups restore fast but are lost in the same fire, flood or burglary as the originals: a real consideration in South East Queensland, where storm and flood seasons are not hypothetical. Cloud backups survive anything that happens to your office but restore slowly and depend on your internet connection. The standard that combines them is the 3-2-1 rule.

The 3-2-1 rule in plain English

  • 3 copies of your data: the live original plus two backups. One backup is none, because the day you need it is the day you discover it stopped working in March.
  • 2 different types of storage: for example, a local backup device plus a cloud service, so one fault type can't take out both.
  • 1 copy off-site: physically elsewhere, so nothing that happens at your premises can touch it.

The modern addendum, driven by ransomware, is that the off-site copy should also be offline or immutable: unreachable or unchangeable even by someone holding your administrator passwords. More on that below.

Local backup: strengths and limits

Local backup means copies on hardware you control, typically a NAS (network storage device) or rotated external drives.

  • Strengths: very fast restores (a full server over local network beats any internet download), one-off hardware cost, no dependence on your internet connection.
  • Limits: shares your office's fate in fire, flood and theft; hardware fails silently with age; and, critically, a backup device that's always connected and writable is just another victim when ransomware spreads across the network.

Cloud backup: strengths and limits

Cloud backup sends encrypted copies to a provider's data centres automatically.

  • Strengths: off-site by definition, automatic (no one has to remember to swap drives), geographically separate from any local disaster, and good services offer versioning and immutability.
  • Limits: full restores are bound by your internet speed, and downloading terabytes takes days on many connections; ongoing subscription cost; and you must check where data is stored (Australian data residency matters for some industries) and what the provider's own security looks like.

"We use Microsoft 365, so we're backed up": why that's wrong

This is the most common and most dangerous backup misconception in small business. OneDrive and SharePoint synchronise files; they don't independently protect them. Delete or encrypt a file locally and the cloud copy obediently follows. Retention and recycle-bin features soften small accidents, but they have limits, and Microsoft's own shared-responsibility model is explicit: the data is yours to protect. Staff turnover is the sleeper issue. When a departed employee's account is deleted, their files and mailbox follow on a timer unless something else is preserving them. Purpose-built Microsoft 365 backup costs a few dollars per user per month and closes all of this.

Ransomware changes everything

Modern ransomware crews understand backups perfectly. Encrypting or deleting them is step one of the playbook, because victims with working backups don't pay. That's why backups are one of the Essential Eight and why two properties matter more than any brand of software:

  • Separation: at least one backup copy must be unreachable from your normal network and admin credentials, whether that's offline media or a cloud service with separate authentication.
  • Immutability: good backup platforms can make snapshots unchangeable for a set period. Not even an administrator (or an attacker holding admin passwords) can alter or delete them until the period expires.

Testing: an untested backup is a hope, not a plan

Almost every backup disaster story includes the phrase "we thought it was backing up". Backup jobs fail quietly: full disks, changed passwords, folders renamed and silently excluded. The fix is a quarterly restore test. Actually restore a file, a folder and (annually) a whole system, time it, and write the result down. The timing matters because it tells you your real recovery window: if a full restore takes three days and your business can survive one, you've learned that before it counted.
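
The restore test described above, as an added example (not code from this page's author): it records checksums at backup time, compares a test restore against them to catch damaged files and silently excluded folders, and checks the measured restore time against the downtime the business can survive. The function names, sample files and log file name are assumptions for illustration; the three-day restore and one-day window are the figures used in the paragraph above.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

def sha256_file(path):  # hash in 1 MiB chunks so large files stay out of memory
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root; take it at backup time."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(Path(root).rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root, restore_seconds, window_hours):
    """Compare a restored tree with the manifest and with the survivable downtime."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))  # e.g. a silently excluded folder
    changed = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    hours = restore_seconds / 3600
    return {"date": time.strftime("%Y-%m-%d"), "expected": len(manifest),
            "missing": missing, "changed": changed, "restore_hours": round(hours, 2),
            "passed": not missing and not changed and hours <= window_hours}

def record_result(result, log_path):  # one JSON line per test: the written record
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(result) + "\n")

def demo():
    """Constructed sample: lost folder, damaged file, 3-day restore vs 1-day window."""
    good = {"accounts/ledger.csv": b"2024,100\n", "readme.txt": b"hello\n",
            "clients/contracts/acme.txt": b"signed\n"}
    bad = {"accounts/ledger.csv": b"2024,999\n", "readme.txt": b"hello\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("live", good), ("restored", bad)):
            for rel, data in files.items():
                Path(tmp, name, rel).parent.mkdir(parents=True, exist_ok=True)
                Path(tmp, name, rel).write_bytes(data)
        manifest = build_manifest(Path(tmp, "live"))
        result = verify_restore(manifest, Path(tmp, "restored"), 3 * 24 * 3600, 24)
        record_result(result, Path(tmp, "restore-tests.jsonl"))
        return result

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Build the manifest when the backup runs, not on the day of the test, so files that changed afterwards are not reported as damaged.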

What a sensible small-business setup looks like

  1. Local: a NAS taking automatic backups of servers and key machines. This is your fast-restore tier.
  2. Cloud: encrypted, versioned, ideally immutable backups off-site. This is your disaster tier.
  3. Microsoft 365 backup: per-user protection of mail, OneDrive, SharePoint and Teams data.
  4. A schedule and a test calendar: daily backups, retention spanning months, quarterly restore tests with results recorded.

Want certainty instead of hope? Backup design, monitoring and quarterly restore testing are standard inclusions in our managed IT support, or ask us for a one-off backup health check and we'll tell you exactly where you stand.