A distributor owner I know had his laptop stolen from his car in a mall parking lot. Annoying, replaceable, insured. Except that laptop held the only copy of three years of customer records, pricing sheets, and the accounting file. Not the primary copy. The only copy. The company spent the next two months reconstructing its own customer list from staff memory and old chat logs, and it never fully recovered the receivables data. Data backup for small business is the most boring topic I write about, and it is the one most likely to save your company.
Here is the pattern I see everywhere: owners think of backups as an IT concern, something to sort out someday, after the urgent things. But data loss is not an IT event. It is a business continuity event. The laptop, the server, the hard disk, those are cheap. The data on them is often the accumulated memory of the entire business.
And the threats are mundane. Not hackers in hoodies. Theft, coffee spills, dead hard drives, a staff member deleting a folder by accident, and increasingly, ransomware that encrypts everything on the office network and demands payment. Every one of these is fully survivable with a backup discipline you can set up in a week.
The 3-2-1 rule, in plain language
Forget vendor jargon. The industry standard for backups fits in one line:
Keep 3 copies of your data, on 2 different types of storage, with 1 copy off-site.
Why each number matters:
- 3 copies means the original plus two backups. One backup is not enough, because backups fail too. Drives die, sync tools misconfigure, and you often discover it only when you need the backup.
- 2 different types of storage means not all copies on the same kind of device. For example: the working copy on your laptop, one backup on an external drive, one in cloud storage. If a flaw or a virus hits one storage type, the other survives.
- 1 off-site is the one people skip and the one that matters most. If all your copies sit in the same office, one fire, flood, or burglary takes them all. Jakarta and Tangerang flood. Offices get robbed. Off-site today usually means cloud, and that is fine.
For a typical Indonesian SME, a compliant setup costs surprisingly little: an external drive at Rp 800 thousand to 1.5 million, plus a cloud plan like Google Workspace or Microsoft 365 you probably already pay for, or a dedicated backup service at Rp 100 to 300 thousand per month. That is the entire insurance premium.
Prioritize by pain, not by size
You do not need to back up everything on day one. Rank your data by a single question: how much would it hurt if this disappeared right now?
| Priority | Data | Why it is first |
|---|---|---|
| 1 | Accounting and financial records | Legal obligations, tax, receivables. Losing who owes you money is direct cash loss. |
| 2 | Customer database and contracts | Years of relationships. Nearly impossible to reconstruct. |
| 3 | Operational files: pricing, SOPs, supplier lists, product specs | The business's working knowledge. |
| 4 | Often the only record of agreements. Usually already cloud-hosted, but check retention. | |
| 5 | Everything else: photos, archives, old projects | Nice to keep, survivable to lose. |
Notice what is at the top: small files, gigabytes at most. The stuff that would end your month fits on a flash drive. There is no cost excuse.
Two special cases. If you run a POS or any local database, that database file is priority zero, and it needs application-aware backup, not just file copying, because copying a database while it is running can produce a corrupt backup. Ask your POS vendor how to export or schedule dumps. And if your team works from Google Drive or OneDrive already, good, but understand that sync is not backup: if ransomware encrypts a synced folder or someone deletes it, the deletion syncs too. You still need versioning enabled and a second, independent copy.
Automate it, because humans forget
Any backup that depends on someone remembering will stop within a month. I have never seen an exception, including in my own habits. The fix is automation:
- Cloud sync with version history for working files, running continuously.
- Scheduled backup software for machines and databases: nightly, automatic, with email alerts on failure. On Windows, even the built-in File History plus a scheduled copy to cloud storage beats nothing. Dedicated tools like those bundled with NAS devices, or services like Backblaze, do it better for little money.
- Weekly external drive rotation if you want a truly offline copy that ransomware cannot touch: two drives, swap them weekly, one always disconnected and ideally at another location.
Then put one recurring event in your calendar: a monthly five-minute check that the backups actually ran. Automation plus a human glance at the logs. That combination is what survives.
The step everyone skips: test a restore
Here is the uncomfortable statistic from my own client work: most businesses that have backups have never once restored from them. A backup you have never restored is a hope, not a plan.
Untested backups fail in predictable ways: the backup job silently stopped eight months ago, the drive is full and has been overwriting nothing, the database dumps are corrupt, or nobody knows the encryption password because the person who set it up resigned.
So this week, run a fire drill:
- Pick one important file and one folder.
- Pretend the original is gone. Do not look at it.
- Restore both from your backup to a different location.
- Open them. Check they are current and intact.
- Time the process and write down the steps.
If that takes you 15 minutes and works, congratulations, you have a real backup. If it fails or nobody knows how, you just learned it for free instead of during a crisis. Do a full-machine restore test twice a year, and make sure at least two people know the procedure and the passwords. This drill belongs on the same list as your other periodic hygiene, alongside the year-end security audit you can do in one afternoon, because backups are also your last line of defense against ransomware: with a clean off-site copy, the ransom demand becomes irrelevant.
The takeaway: one week to insured
Boring, cheap, and decisive. Here is the whole program: list your priority-1 and priority-2 data today. Set up 3-2-1 this week: working copy, automated local backup, automated cloud copy. Automate everything, calendar a monthly check, and run one restore test before Friday.
Total cost for most SMEs: under Rp 2 million up front and a few hundred thousand per month. Total cost of the alternative: ask the man reconstructing his customer list from memory. If your data has outgrown ad-hoc fixes and you want someone to own this properly, that is exactly the kind of unglamorous foundation a fractional tech partner should put in place first.