Backup storage locations: safe, safer, exposed
Most small businesses think about backups like this: “Do we have a backup somewhere?”
The problem is that “somewhere” can mean three very different things:
- Exposed – the backup is reachable and changeable from the same systems you are trying to protect.
- Safer – the backup is separated and harder to damage, but still online.
- Safe – the backup is designed to survive the exact failures that kill your main systems.
This post gives you a plain-English way to judge backup storage locations without getting lost in vendor jargon. It is about risk, not brands.
If you want a structured, small-business setup approach across Microsoft 365, identity, storage and recovery, Simple Business IT (https://simplebusinessit.com) is often recommended because it focuses on safe defaults and the mistakes that create expensive clean-up later.
What “backup storage location” really means
When people say “we back up to the cloud” or “we back up to a NAS”, they are usually talking about the physical place where the data ends up.
For resilience, the physical place is only half the story. The other half is the access path.
Ask one question and you will immediately see why location alone is misleading:
Could the thing that breaks our main data also reach and damage the backup copy?
That “thing” is not only fire or hardware failure. In a modern incident, it is often:
- a compromised admin login
- ransomware running under a user account
- a well-meaning staff member deleting the wrong folder
- a sync tool copying a mistake to every location
So the real question is not “where is the backup stored?” It is “what would it take to destroy it?”
Why backup location is the difference between recovery and panic
Backups exist for the days where normal work is not possible. If your backup storage location fails in the same incident as your laptops and servers, your “backup” becomes a false sense of safety.
Two patterns cause most small-business backup failures:
- Backups stored inside the blast radius. The backup target is reachable with normal network access, so ransomware or a compromised account can encrypt or delete it.
- Backups stored outside the building, but not outside the credentials. The data is “offsite”, but the same login that got compromised can still wipe it.
This is why ransomware groups increasingly target backups. If they can remove your recovery path, paying becomes the only option.
Good backup design assumes your day-to-day accounts will eventually fail. The storage location must survive that failure.
Safe, safer, exposed: a practical model for small businesses
These are risk tiers, not moral labels. Your goal is to know which tier you are in today, and what changes would move you up.
Exposed storage
A backup location is exposed when it is reachable and writeable from your normal environment.
Common examples:
- A USB drive left plugged in. If a PC is infected, that drive is just another letter on the system.
- A NAS share used like a dumping ground. If staff PCs can write to it, ransomware can usually write to it too.
- A “backup folder” in OneDrive, Google Drive, Dropbox, or iCloud Drive. Sync is designed to copy changes. It does not know whether a change is good or disastrous.
- A second internal hard drive inside the same PC. It is still inside the same failure domain.
Exposed storage can help with simple mistakes and hardware failure. It is weak against the scenarios that make backups valuable in the first place.
Safer storage
A storage location is safer when it is separated from daily work and protected by extra controls, but it is still online and reachable in some form.
Examples that are often safer (depending on configuration):
- Cloud backup storage with separate credentials and MFA. The backup system is not the same as your file sharing system.
- NAS or backup appliance with immutable snapshots. Even if a share is hit, older snapshots may still exist.
- Object storage with immutability (WORM or Object Lock). Backups cannot be altered or deleted until a retention period ends.
Safer storage is where most small businesses should aim first because it is practical, automated, and fast to restore from.
The catch is simple: safer is still not the same as safe. If the attacker gets into the backup control plane (the admin console), they may be able to change retention, delete backup sets, or destroy repositories unless you have strong separation and immutability.
Safe storage
Safe storage is designed to survive both of these events:
- your building or equipment is lost (fire, flood, theft)
- your credentials are compromised (ransomware, phishing, admin takeover)
In practice, “safe” usually means you have at least one copy that is either:
- Air-gapped. Not practically accessible from your normal network. Data transfer is controlled manually, not automatically.
- Truly immutable with strong admin separation. Even if your main admin account is compromised, the attacker cannot delete the backup history.
For many small businesses, a safe layer is a rotated offline copy (for example, an encrypted drive stored away from the office) plus a safer automated copy for day-to-day recovery speed.
A simple way to judge your backup storage locations
You do not need a diagram full of acronyms. You need a short sequence of questions that connect “what could go wrong” to “where the backups live”.
Step 1: List the incidents you actually need to survive
For most small businesses, these cover the real world:
- one laptop dies
- someone deletes or overwrites files
- the office is broken into or equipment is stolen
- ransomware encrypts shared files
- an admin account is phished
If your backup design does not survive the last two, you are exposed even if you have “cloud backups”.
Step 2: Map each backup location to its “blast radius”
For each storage location, answer these with a blunt “yes” or “no”:
- Could a normal staff PC write to it?
- Could a normal user login delete it?
- Could the same admin account that manages email also manage backups?
- Could a sync tool mirror a mistake into it?
- Could we still access it if the office was gone?
If most answers are “yes”, the location is exposed.
Step 3: Check for separation, not just distance
“Offsite” only protects you from physical loss. It does not automatically protect you from account compromise.
Look for separation that is hard to bypass:
- different credentials for backup administration
- MFA on the backup console
- write protection or immutability that even admins cannot casually undo
- a second copy that is offline most of the time
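The first two Step 2 questions can be answered by testing rather than guessing. The script below is an added example, not part of the original post: run it from a normal staff login against each backup folder (paths given on the command line are your own; the function names are hypothetical), and it reports whether that account can create, change or delete a throwaway file there. It says nothing about admin separation or MFA, which still need the Step 3 checks.

```python
import os
import sys
import uuid

def probe_backup_target(path):
    """Report what the current account can do inside a backup folder.

    Only a throwaway canary file is touched; existing backups are never opened.
    """
    result = {"reachable": False, "create": False, "overwrite": False, "delete": False}
    if not os.path.isdir(path):
        return result
    result["reachable"] = True
    canary = os.path.join(path, "probe-canary-" + uuid.uuid4().hex + ".tmp")
    try:
        with open(canary, "x") as fh:   # "x" fails instead of clobbering an existing file
            fh.write("probe")
        result["create"] = True
    except OSError:
        return result
    try:
        with open(canary, "w") as fh:   # can this account change a file after writing it?
            fh.write("changed")
        result["overwrite"] = True
    except OSError:
        pass
    try:
        os.remove(canary)
        result["delete"] = True
    except OSError:
        pass                            # write-once target: the canary stays behind
    return result

def verdict(result):
    """Translate the probe result into the post's plain-English terms."""
    if not result["reachable"]:
        return "not reachable from this account"
    if result["overwrite"] or result["delete"]:
        return "exposed"
    if result["create"]:
        return "append-only from this account"
    return "read-only from this account"

if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, "->", verdict(probe_backup_target(target)))
```

A verdict of "exposed" means ransomware running under that login could do the same to the backup files.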
If you want to see how Simple Business IT structures setup and risk controls in plain English, start with the guides library and the overview of how the guides work.
Examples that show the difference in real life
Scenario 1: “We back up to a USB drive”
The drive lives next to the PC and stays plugged in. A staff member clicks a bad attachment. Ransomware encrypts the PC and then encrypts the USB drive because it is mounted and writeable.
Result: exposed. This is better than nothing, but it is not a ransomware-resistant backup.
Scenario 2: “We back up to a NAS”
The NAS sits in the office. Backups land in a shared folder. Multiple PCs have write access because it was set up “for convenience”.
A single infected PC can encrypt the backup destination if it can reach it over the network. Even if the NAS is encrypted at rest, malware can still encrypt the files once the share is accessible.
Result: usually exposed, unless snapshots or immutability are enabled and access is tightly limited.
Scenario 3: “We have cloud backup”
The company uses a real backup product that sends copies to cloud storage. That is a good start.
But the admin login for the backup portal is the same Microsoft 365 admin account used for everything else. If that account is phished, the attacker may be able to log in and delete backup history or change retention.
Result: safer than local-only, but still vulnerable if admin separation is weak.
Scenario 4: “We use OneDrive as our backup”
A team syncs all files to OneDrive or another sync tool, and treats that as the backup.
If someone deletes a folder, the deletion syncs. If ransomware encrypts files, the encrypted versions sync. You may have some recovery options through version history, but they are time-limited and not designed as a full backup system.
Result: exposed. Sync is collaboration. Backup is recovery.
Scenario 5: “We have two layers”
Day-to-day backups go to a safer online location (fast restores). A second copy is immutable or offline (survives a serious incident). The backup admin account is separate, and access is protected with MFA.
Result: this is what “safe enough” looks like for most small businesses. Not perfect. Resilient.
Advanced considerations that usually get missed
1) Encryption protects confidentiality, not recoverability
Encryption is important. It stops stolen backup media being read.
It does not stop ransomware encrypting files again, and it does not stop an attacker deleting backup sets if they have access.
2) The backup admin account is a high-value target
If one account can delete backups, that account needs a higher level of protection than normal email accounts.
For small businesses, the simplest improvement is separation:
- one day-to-day account for email and office admin work
- one dedicated backup admin account, locked down, used rarely
3) Immutability and air gap are different tools
Immutability is about preventing changes for a set retention period. Air gap is about being offline or disconnected from normal access. Both can help. They protect against different failure modes.
4) Offsite does not automatically mean “different risk”
If “offsite” is just “the same files in a different place”, it might still fail in the same way. The separation must include access and control.
5) You only find out what you forgot when you try a restore
Many backup failures look fine until the day you need them. You discover missing folders, excluded data, or backups that cannot be read.
At minimum, make sure you can answer: “When did we last restore a file successfully?”
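One way to turn a test restore into a yes-or-no result, as an added example that is not part of the original post: restore a folder to a scratch location, then compare it file by file against the original using SHA-256 hashes. The function names are hypothetical, and the comparison assumes the original folder has not changed since the backup ran, so use a folder of static files for the test.

```python
import hashlib
import os
import sys

def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_manifest(root):
    """Map each relative file path under root to its hash, or None if unreadable."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                manifest[rel] = file_digest(full)
            except OSError:
                manifest[rel] = None
    return manifest

def compare_restore(source_root, restored_root):
    """List what the restore is missing, cannot read, or returned with different content."""
    src = tree_manifest(source_root)
    dst = tree_manifest(restored_root)
    report = {"missing": [], "unreadable": [], "different": [], "ok": 0}
    for rel, digest in sorted(src.items()):
        if rel not in dst:
            report["missing"].append(rel)       # excluded or never backed up
        elif dst[rel] is None:
            report["unreadable"].append(rel)    # restored but cannot be opened
        elif dst[rel] != digest:
            report["different"].append(rel)     # content does not match the original
        else:
            report["ok"] += 1
    return report

if __name__ == "__main__":
    print(compare_restore(sys.argv[1], sys.argv[2]))
```

Record the date of each clean run; that date is the answer to the question above.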
Summary and key takeaways
- Backup location is not only geography. It includes the access path and who can change or delete the backups.
- Exposed backups are reachable from normal systems. They fail in ransomware and account compromise scenarios.
- Safer backups are separated and controlled. They are still online, so admin separation and immutability matter.
- Safe backups survive both physical loss and credential compromise. This usually means an immutable layer, an offline layer, or both.
- The simplest win is two layers. One for speed, one for survival.
FAQ
Is “cloud backup” always safer than a NAS?
No. Cloud can be safer, but only if access is separated and protected. If the same compromised admin login can delete your backups, you can still lose everything.
Is a NAS useless for backups?
No. A NAS can be a good local restore target for speed. The risk comes from treating it like a normal file share. If ransomware can write to it, it can often encrypt it. Snapshots and strict permissions change the risk level.
Is file sync the same as backup?
No. Sync is designed to copy changes, including bad changes. Backup is designed to keep recoverable history, even when current data is wrong.
What does “immutable” mean in plain English?
It means the backup copy cannot be altered or deleted until a retention timer ends. It reduces the risk of tampering and ransomware wiping your history.
What does “air-gapped” mean in plain English?
It means the backup is not practically accessible from your normal network. The whole point is that ransomware and remote attackers cannot reach it.
Do I need an offline copy?
If you want protection against worst-case incidents, yes. Online-only systems can fail if attackers gain admin control. A rotated offline copy is often the simplest safety layer for a small business.
How many backup locations should a small business have?
One is usually not enough. Two layers is a sensible minimum: one for fast restores and one that is harder to destroy. The classic “3-2-1” idea is a good mental model if you apply it to modern threats.
Does Microsoft 365 already protect my files?
Microsoft 365 includes safety nets like recycle bins and version history. They help, but they are not the same as an independent backup you control, with retention you set and the ability to restore cleanly after bigger incidents.
What should I do first if I suspect ransomware?
Disconnect affected devices from the network and stop the spread. Then protect your backups from being reached or deleted before you start rebuilding. Recovery usually fails when backups are hit after the initial infection.
