Field notes · May 2026

The three backup mistakes I see every single week.

By Marc Stern · 7 min read
Affiliate disclosure: This post contains affiliate links. If you buy through them, justaskmajor.com earns a small commission at no extra cost to you. 10% of all revenue is donated to special needs nonprofits.

Here's a true story. Names changed, details slightly fuzzed, but it happened.

A small dental practice — call it three operatories, six employees, twenty years in business — called me on a Monday morning. Their server had crashed over the weekend. Their "IT guy" was on vacation. They couldn't pull up patient records, couldn't process payments, couldn't run the day.

"Do you have backups?" I asked.

"Yes," the office manager said, with real confidence. "We have an external hard drive that backs up every night."

The external hard drive was plugged into the back of the dead server. It hadn't been verified in three years. When we finally got it on another machine, two of the most recent six months of nightly backups were corrupt. The most recent good backup was from January. They were calling me in April.

This isn't a story about that practice being negligent. This is the story I hear every single week, with different details. Below are the three mistakes that come up over and over, and the affordable fix for each.

Mistake #1: "It's on OneDrive" — confusing sync with backup

This is the most common one, and it's the most dangerous because the people making it believe they're safe.

Microsoft 365 OneDrive (and Google Drive, and Dropbox) sync your files between devices. If you delete a file on your laptop, the deletion syncs and the file is removed from the cloud. If ransomware encrypts the files on your PC, the encrypted versions sync to the cloud copies too. If you accidentally overwrite a critical spreadsheet, the cloud now has the bad version.

Sync is not backup. Backup means you can recover a file as it existed at a specific point in the past, not just whatever the most recent version happens to be.

The fix

You need a real backup of your Microsoft 365 tenant — separate from the sync. The right tool here is a dedicated M365 backup product, and the budget-friendly option I keep recommending to clients is Synology Active Backup for Business running on a small NAS.

A Synology DS224+ with two NAS drives in RAID 1 will back up an entire small-business M365 tenant — Exchange, SharePoint, OneDrive, Teams — with point-in-time recovery and unlimited retention, for the one-time cost of the hardware.

One-time spend roughly $700. No monthly subscription. You own your backup data. If the cloud goes sideways, your data is sitting on your own hardware, indexed and recoverable.

Mistake #2: The "backup" lives next to what it's backing up

The dental practice above had this version. So does the law firm whose backup NAS is in the same closet as their primary server. So does the e-commerce shop whose backup external drive sits on top of the PC it's backing up.

The reason this fails: most disasters that take out your primary system also take out the backup sitting next to it. Building fire. Burst pipe upstairs. Burglary. Lightning strike on the same power circuit. Ransomware that traverses the local network and encrypts the NAS too.

The professional rule is called 3-2-1: three copies of your data, on two different types of media, with one copy off-site.

The fix

You don't need a fancy cloud backup service to satisfy this. The cheap-and-effective version is a rotating pair of portable SSDs.

One SSD lives in a fireproof box at the office (or just in a drawer at home). The other goes home with the owner every Friday on rotation. The Synology from Mistake #1 writes scheduled backups to whichever drive is currently plugged in. Monday morning, you swap them.

Total marginal spend: about $200 for the two drives. Total time to set up: 30 minutes.

If that feels manual, the upgrade path is encrypted cloud backup — Backblaze B2, Wasabi, or AWS S3 — running as a destination from the Synology. Costs $5–25/month depending on data volume, but adds a third "off-site, online" copy that you don't have to think about.

Mistake #3: Never testing the restore

This is the one that bit the dental practice. They had a backup. They believed it worked. Nobody had ever actually pulled a file off of it to verify.

"My backup ran last night" tells you the backup software didn't crash. It doesn't tell you the backup is restorable. Storage media goes bad. Backup software gets misconfigured. Permissions silently change. The only way to know your backup works is to actually restore from it.

The fix

Schedule a quarterly restore test. Pick a file from a random folder, restore it to a temporary location, and verify it opens correctly. Document it. Put it on the calendar like any other quarterly task.

For Synology users: their Active Backup for Business includes a "Run a test recovery" button that mounts the backup as a read-only file system. You can browse, open, and verify any file in about 2 minutes per backup set. There is no excuse not to do this quarterly.
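An added example of the quarterly file-level check (not code from the original post or from Synology): it samples random files, compares each against its copy in the backup by SHA-256, and appends a dated record. It assumes the backup is mounted or restored to a directory that mirrors the live folder layout; the function names and the `backup_time` parameter are illustrative.

```python
import hashlib, json, random, time
from pathlib import Path

def sha256(path, chunk=1 << 20):
    """Hash a file in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def restore_test(live_root, backup_root, backup_time, sample=5, seed=None):
    """Compare a random sample of live files against the mounted backup.

    Files modified after backup_time (epoch seconds) are skipped: they are
    expected to differ from the backup and would only raise false alarms.
    """
    live_root, backup_root = Path(live_root), Path(backup_root)
    candidates = sorted(p for p in live_root.rglob("*")
                        if p.is_file() and p.stat().st_mtime <= backup_time)
    picked = random.Random(seed).sample(candidates, min(sample, len(candidates)))
    results = []
    for src in picked:
        rel = src.relative_to(live_root)
        copy = backup_root / rel
        if not copy.is_file():
            status = "MISSING"          # never made it into the backup
        else:
            try:
                status = "OK" if sha256(copy) == sha256(src) else "MISMATCH"
            except OSError:
                status = "UNREADABLE"   # bad media or changed permissions
        results.append({"file": str(rel), "status": status})
    return {
        "tested_at": time.strftime("%Y-%m-%d %H:%M:%S"),
        "eligible": len(candidates),
        "results": results,
        # An empty sample is a failure, not a pass: nothing was verified.
        "passed": bool(results) and all(r["status"] == "OK" for r in results),
    }

def log_result(report, logfile):
    """Append the report as one JSON line: the documented record of the test."""
    with open(logfile, "a", encoding="utf-8") as f:
        f.write(json.dumps(report) + "\n")
```

A matching hash proves the bytes came back intact; still open one or two of the sampled files by hand, as described above, to confirm they are usable.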

The other thing worth doing: periodically restore an entire device, not just files. Once a year, take an old laptop, wipe it, and do a bare-metal recovery from your backup. If you can't get a working machine back from your backup, you don't have a backup. You have a hope.

The bonus mistake: not protecting against ransomware

All three of the mistakes above have a fourth-mistake cousin: assuming your backup will save you from ransomware. Modern ransomware specifically targets backup repositories. If your backup is reachable from your primary network with normal credentials, ransomware can encrypt it too.

Mitigation isn't complicated, but it does require two things most small businesses skip:

  1. Immutable / append-only backups — once written, the backup can't be deleted or modified until a retention period passes. Synology supports this natively. Most cloud backup services do too.
  2. Hardware MFA for any account that can administer the backup system. Get a couple of YubiKey 5C NFC tokens for the admin account. Now an attacker who has your password still can't log in to the backup admin panel and disable retention.

The total cost to fix all of this

Item                                  Cost
Synology DS224+ NAS                   ~$320
2× WD Red Plus 4TB drives             ~$200
2× SanDisk Extreme Portable SSD       ~$200
2× YubiKey 5C NFC (admin MFA)         ~$110
One-time total                        ~$830

Under a grand. One time. Solves all three mistakes plus the ransomware cousin. For perspective, the dental practice I opened with paid over $40,000 to a data recovery service to claw back what they could from the corrupt drive — and even then, they lost three months of patient records.

What I tell clients

Backup is not a technical problem. It's a discipline problem. The tools to do it right have never been cheaper or easier. What's missing is someone who'll actually set the system up correctly, document it, and put restore tests on the calendar.

If that someone isn't you, that's literally what I do. Get in touch and we can scope a backup audit and remediation as a fixed-bid project — usually a day of work plus the hardware above. You walk away with a backup system that actually works, documented in plain language, and a quarterly checklist your office manager can run.

Don't be the dental practice.
