
Cloud Backup for Small Business: The 3-2-1 Rule Actually Applied

How to apply the 3-2-1 backup rule in practice for a small business — tools, real costs, ransomware defense, and how to know your backups actually work.

By J.D. Sweeney, April 11, 2026

Most small businesses have some form of backup. Most of those backups will fail when they’re needed. Not because the tool doesn’t work — because nobody tested it, the backup job silently stopped running three months ago, or the only copy is sitting on a drive plugged into the same machine that just got hit with ransomware.

I’ve cleaned up the aftermath of all three scenarios. The 3-2-1 rule exists because disasters are predictable in their variety — hardware dies, people delete things by accident, ransomware encrypts everything it can reach. You need a strategy that survives all three, not just the one you’re worried about today.

What 3-2-1 Actually Means

The 3-2-1 rule: keep 3 copies of your data, on 2 different media types, with 1 copy offsite.

In practice at SMB scale, that looks like:

  • Copy 1: The live data your staff works from (on a server, NAS, or workstation)
  • Copy 2: A local backup — a NAS, external drive, or secondary server on your local network
  • Copy 3: A cloud backup — offsite, separate credentials, preferably immutable

The two media types requirement means you’re not running both copies on the same RAID array, or backing up your NAS to another NAS on the same shelf. The offsite requirement means fire, flood, or theft at your office doesn’t take out your last copy.

The part that trips up small businesses: a sync service like OneDrive or Google Drive is not a backup. It’s a sync. If a file gets encrypted or deleted on the workstation, the sync service faithfully replicates that deletion to the cloud within minutes. You need versioned backups with retention policies, not sync.

The Three Failure Modes You’re Actually Protecting Against

Ransomware

Ransomware encrypts every file the infected machine can reach — local drives, mapped network drives, any connected external drives. It’s the failure mode that makes everyone realize their “backup” was plugged in and mounted the whole time.

Your defense: the offsite cloud backup needs to use credentials that aren’t accessible from any infected machine. Ideally it uses immutable storage — once written, the backup can’t be modified or deleted for a defined retention period, even by an authenticated user. Backblaze B2 with Object Lock enabled handles this. So does Wasabi with immutability configured.

Accidental Deletion

Staff delete files. They also overwrite files, rename folders, move things to wrong locations, and save new versions over old ones. This is the most common data loss event by volume.

Your defense: versioned backups with enough retention to catch problems that aren’t noticed immediately. A backup job that runs daily with 30-day retention means you can recover any file version from the past month. That covers the “I changed this document three weeks ago and now I need the old version” case that comes up constantly.

Hardware Failure

Drives die. NAS units die. Servers die. RAID is not a backup — it protects against drive failure but not against controller failure, accidental deletion, ransomware, or anything else.

Your defense: a local backup that gets you back up fast (restoring from local is faster than pulling everything from the cloud), plus the offsite copy as a final fallback. If your primary server dies and you have a local NAS backup, you can restore in hours instead of days.

The Tools That Work at SMB Scale

Backblaze B2

Backblaze B2 is object storage — you pay for the storage you use at $6 per TB per month. There’s no per-seat pricing, no minimum commitment. For a 5-person company, you’re likely looking at 500 GB to 2 TB of backup data depending on what you’re protecting.

B2 is raw storage, so you pair it with a backup client — Veeam, Synology Hyper Backup, Duplicati, or Cloudberry/MSP360. The combination gives you cloud backup at a price that doesn’t require a budget meeting. Enable Object Lock on your B2 bucket for ransomware-resistant immutable backups.

Veeam Backup & Replication (Community Edition)

Veeam Community Edition is free for up to 10 workloads. It handles Windows workstation backups, server backups, and virtual machine backups well. The interface is more complex than consumer tools, but it gives you real control over backup schedules, retention policies, and restore options.

For a small business running a Windows Server or a handful of workstations, Veeam Community Edition paired with Backblaze B2 as the offsite target is a solid and cost-effective stack. Veeam’s restore process is reliable — that matters when you’re in the middle of a data loss incident and need it to work.

Veeam Agent for Windows (also free for workstations) covers individual machines if you don’t need centralized management.

Synology Hyper Backup

If you’re already running a Synology NAS — and I recommend them for small businesses — Hyper Backup is built in and excellent. It backs up NAS data to a second local destination or to the cloud (Backblaze B2, Wasabi, Amazon S3, and others are all supported natively).

Hyper Backup does versioned backups, deduplication, and encrypted archives. The restore experience is clean. For a small business where the NAS is the central file server, Hyper Backup running to a local USB drive plus a separate cloud target gives you a complete 3-2-1 setup managed from one interface.

Synology also offers its own cloud backup service (C2 Storage) if you prefer to keep everything within the Synology ecosystem. C2 Storage pricing is roughly comparable to Backblaze B2.

How Much Storage You Actually Need

This is where most estimates go wrong — people think in terms of current data size and forget about retention and growth.

For a 5-person service business (documents, email archives, QuickBooks, some photos):

  • Active data: typically 50-200 GB
  • With 30-day versioned backup retention and daily change rates: plan for 2-4x the active data size in backup storage
  • Practical cloud backup budget: 300 GB to 1 TB to start with room to grow

For a 5-person business with larger files (design files, video, large product databases):

  • Active data: can easily be 500 GB to several TB
  • Scale accordingly — B2 at $6/TB/month is linear, so there’s no penalty for being generous with your estimate

The math for a 5-person company using Backblaze B2:

  • 500 GB of backup storage: $3/month
  • 1 TB: $6/month
  • 2 TB: $12/month

Add a Synology NAS for local backup (a DS223 runs around $300, add two drives for $150-300) and you have a complete local-plus-cloud backup system for under $50/month ongoing after the one-time hardware investment.

Backup Testing: The Part Nobody Does

A backup you haven’t tested is a backup you can’t count on.

The minimum viable testing schedule for a small business:

Monthly: Do a spot restore. Pick a random file from last week’s backup and restore it to a test location. Confirm it opens correctly. This takes 10 minutes and confirms your backup chain is actually working.

Quarterly: Do a restore drill for a more significant recovery scenario. Restore a folder, or a full machine backup to a test machine if you have one. Document how long it took and what the process involved. That documentation matters when you’re stressed and someone is standing behind you asking how long this is going to take.

After any major change: If you move your file server, add a new machine, change credential management, or upgrade your backup software, test immediately. Major changes are the most common reason backup jobs silently break.
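The monthly spot restore can be checked by hash rather than by eye. The script below is an added example, not part of the original article or any vendor tool: it assumes you have restored into a test folder that mirrors the live folder's layout, and the function names and sample file names are made up for illustration.

```python
import hashlib
import random
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash in 1 MiB chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_spot_restore(source_root, restore_root, sample_size=5, seed=None):
    """Compare a random sample of restored files with the live copies."""
    source_root, restore_root = Path(source_root), Path(restore_root)
    files = sorted(p.relative_to(source_root).as_posix()
                   for p in source_root.rglob("*") if p.is_file())
    sample = random.Random(seed).sample(files, min(sample_size, len(files)))
    report = {"checked": sorted(sample), "missing": [], "mismatch": []}
    for rel in report["checked"]:
        restored = restore_root / rel
        if not restored.is_file():
            report["missing"].append(rel)    # never made it into the restore
        elif sha256_of(source_root / rel) != sha256_of(restored):
            report["mismatch"].append(rel)   # corrupt, or edited since backup
    # An empty sample is a failure too: an empty source proves nothing.
    report["ok"] = bool(sample) and not (report["missing"] or report["mismatch"])
    return report

def demo():
    """Constructed sample data: a tiny 'live' share and a flawed restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        (live / "clients").mkdir(parents=True)
        (live / "books.qbw").write_bytes(b"ledger v2")
        (live / "clients" / "contract.docx").write_bytes(b"signed copy")
        (live / "clients" / "notes.txt").write_bytes(b"call back Tuesday")
        shutil.copytree(live, restored)
        (restored / "books.qbw").write_bytes(b"ledg")    # truncated restore
        (restored / "clients" / "notes.txt").unlink()    # file not restored
        return verify_spot_restore(live, restored, sample_size=10, seed=1)

if __name__ == "__main__":
    print(demo())
```

A file that staff edited after the backup ran will show up as a mismatch, so point the check at folders that rarely change or confirm the file's modified date before treating a mismatch as corruption.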

Check your backup logs regularly — weekly at minimum. Most backup tools will send email alerts on failure, but those alerts sometimes end up in spam, or the alert configuration gets broken in an update. Get in the habit of checking logs manually until you’re confident the alerts are reliable.
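A check that does not depend on the backup tool's own alerts catches the job that silently stopped running. This is an added example, not from the original article: it assumes each backup target is reachable as a folder (a USB drive or NAS share) and that every run writes or updates at least one file there; the job names and the 26-hour threshold are illustrative.

```python
import os
import tempfile
import time
from pathlib import Path

def newest_backup_age_hours(target_dir, now=None):
    """Age in hours of the most recently modified file under target_dir,
    or None if the folder holds no files at all."""
    now = time.time() if now is None else now
    mtimes = [p.stat().st_mtime
              for p in Path(target_dir).rglob("*") if p.is_file()]
    return None if not mtimes else (now - max(mtimes)) / 3600

def check_jobs(jobs, now=None):
    """jobs maps a job name to (target_dir, max_age_hours).
    Returns {job name: 'OK' | 'STALE' | 'EMPTY'}."""
    status = {}
    for name, (target, max_age) in jobs.items():
        age = newest_backup_age_hours(target, now)
        if age is None:
            status[name] = "EMPTY"     # job never wrote anything here
        elif age > max_age:
            status[name] = "STALE"     # job stopped running some time ago
        else:
            status[name] = "OK"
    return status

def demo():
    """Constructed sample: a fresh target, one that stopped 90 days ago,
    and one that was never written to."""
    now = time.time()
    samples = (("workstation-01", 0.5), ("workstation-02", 90), ("nas-usb", None))
    with tempfile.TemporaryDirectory() as tmp:
        jobs = {}
        for name, age_days in samples:
            target = Path(tmp, name)
            target.mkdir()
            if age_days is not None:
                f = target / "backup.bin"
                f.write_bytes(b"constructed")
                stamp = now - age_days * 86400
                os.utime(f, (stamp, stamp))   # backdate the file's mtime
            jobs[name] = (target, 26)         # daily job plus 2 hours of slack
        return check_jobs(jobs, now)

if __name__ == "__main__":
    print(demo())
```

Run it from a scheduled task on a machine other than the one being backed up, and treat both STALE and EMPTY as failures that need a person to look.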

Putting It Together: A Complete Setup for a 5-Person Company

Here’s a concrete implementation I’d recommend for a typical small business with 5 workstations and a NAS as the central file server:

Layer 1 — Live data: Synology NAS (DS423+ or similar) as the central file server. Staff access files via SMB on the local network. OneDrive or Google Drive used for documents that need to be accessible remotely, but not as the primary backup.

Layer 2 — Local backup: Hyper Backup on the Synology, backing up to a USB drive or secondary internal volume on a schedule (daily, with 30-day retention). This is your fast-restore option for accidental deletions and small-scale incidents.

Layer 3 — Offsite cloud backup: Hyper Backup (or Veeam, for workstation-level backups) sending encrypted backups to Backblaze B2 with Object Lock enabled. Daily backup job, 90-day retention minimum. The B2 bucket credentials are stored only in the backup application — not on any user machine.

Workstation backups: Veeam Agent for Windows on each workstation, backing up to the NAS and then flowing up to B2 via Hyper Backup. Or use Windows Server Backup if you have a Windows Server handling workstation image backups.

Monthly cost for this setup (excluding one-time hardware):

  • Backblaze B2 for 1 TB: $6/month
  • Synology C2 as an alternative: $9.99/month for 1 TB
  • No per-seat licensing fees for Hyper Backup or Veeam Community Edition

That’s a complete, tested, 3-2-1 backup strategy for under $10/month in recurring costs. The failure mode it doesn’t cover is you forgetting to check on it — so build the monthly test into your calendar now, before you need it.
