Your Cloud App Is Not a Backup: What Dutch SMEs Get Wrong About Data Protection
backupscloudmanaged-services

Your Cloud App Is Not a Backup: What Dutch SMEs Get Wrong About Data Protection

2 April 20265 min read
Back to blog

Published: April 2, 2026

A common conversation in IT support: a business loses important files, emails, or an entire database. When asked about backups, the answer is "yes, it's all in the cloud." Then comes the difficult part — explaining that "in the cloud" and "backed up" are not the same thing.

This confusion costs businesses data every week. It is worth understanding exactly why, and what a proper backup strategy looks like for a small or mid-sized business.

The Cloud Stores Your Data. It Does Not Protect It

Microsoft 365, Google Workspace, and most SaaS platforms are designed to keep your data available and synchronised across devices. They are excellent at that job. What they are not designed to do is protect you from:

  • Accidental deletion — Microsoft 365 retains deleted items for 30 to 93 days depending on your licence and settings. After that, the data is gone.
  • Ransomware that encrypts your files — Ransomware attacks frequently target cloud-synced drives. Because your sync client faithfully replicates the encrypted files to the cloud, the encrypted versions replace the originals. You have a perfectly synchronised encrypted copy of everything.
  • Malicious deletion by a departing employee — If someone with access deletes data deliberately, your sync platform replicates that deletion just as efficiently.
  • Application bugs or migrations gone wrong — A botched CRM migration or a failed update can corrupt or overwrite data. The application has no concept of "before this happened."

The platforms are not at fault. They do exactly what they promise. The mistake is treating availability as protection.

The 3-2-1 Rule, Applied Practically

The 3-2-1 rule is the standard baseline for data protection:

  • 3 copies of the data
  • 2 on different storage media or systems
  • 1 offsite (or air-gapped from the primary environment)

For a typical SME this looks like:

  1. Live data in your primary system (Microsoft 365, your file server, your database)
  2. A daily backup to local NAS or on-premises storage
  3. A replicated copy to an offsite or cloud backup target with immutable storage

The immutability of the third copy is critical. If your backup target can be reached by the same credentials or systems that your ransomware-infected machine uses, it is not a safe copy. It is a second victim.

Retention Policy Matters More Than Frequency

Many businesses discover their backup is useless not because it failed to run, but because the problem started before the retention window. If you keep 7 days of backups and your ransomware infection sat dormant for 10 days before activating, all 7 backups are compromised.

A sensible retention policy for an SME:

  • Daily backups retained for 30 days
  • Weekly snapshots retained for 3 months
  • Monthly snapshots retained for 1 year

This is not expensive with modern backup tooling. It is a small multiple of your storage cost but an enormous multiple of your recovery options.

Recovery Time Is Half the Equation

A backup you cannot recover from quickly is worth considerably less than one you can. The key metrics are RPO (Recovery Point Objective — how much data you can afford to lose) and RTO (Recovery Time Objective — how long you can afford to be offline while restoring).

A file server backup sitting on a NAS in the corner has a good RPO. Its RTO, if the server hardware has failed, might be two to four days while replacement hardware is sourced and the restore runs. For a business that processes orders or invoices, that is a serious problem.

Modern managed backup solutions offer:

  • Granular file-level restores — recover a single deleted document in minutes, without restoring the entire system
  • Bare-metal restore — rebuild a complete server onto new hardware from a single restore job
  • Virtual machine snapshots — spin up a copy of your server in the cloud while physical hardware is being replaced

Testing matters too. A backup that has never been tested is a backup that might not work. Quarterly restore tests confirm everything is actually usable before you need it.

What Monitored Backup Looks Like in Practice

The key advantage of managed backup is monitoring. Backup jobs fail silently more often than people realise. A disk fills up, a credential expires, a new data source is added and nobody updates the backup job to include it. With managed backup, someone checks that everything ran correctly every day — and acts on failures before you find out the hard way.

For most SMEs, the practical stack is:

Microsoft 365 or Google Workspace backup — a dedicated third-party tool takes daily snapshots of email, SharePoint, OneDrive, and Teams to a separate vault, outside Microsoft's own retention system.

Server and NAS backup — replicated to offsite or cloud object storage with immutable write-once retention, so ransomware cannot modify or delete the backup copies even with administrative access.

Database point-in-time recovery — for critical transactional data, log shipping allows recovery to any minute, not just the last nightly snapshot.

A Practical Starting Point

If you are not sure where you stand, answer three questions:

  1. If you lost all your email from the last 6 months today, could you recover it? From where, and how long would it take?
  2. If ransomware encrypted your file server tonight, what would your recovery process look like?
  3. When did you last test a restore?

If any of those answers are uncertain, your backup strategy needs attention. A proper solution for a 10 to 50 person business is neither complicated nor expensive — certainly not relative to the cost of unrecoverable data.

Next step

Ready to talk?

Talk to an engineerBack to blog