I need to tell you about a conversation I had last year with a property management firm that thought they had off-site backup. Their office manager was taking home an external hard drive every Friday night and bringing it back Monday morning. When I asked them what would happen if there was a fire in the office on a Tuesday, they suddenly realized their “off-site” backup was sitting in a drawer ten feet from the server it was supposed to be protecting.
This is more common than you’d think. Lots of businesses believe they have off-site backup when what they actually have is backup that occasionally leaves the building but spends most of its time in the same disaster zone as their primary data.
What Off-Site Actually Means
Off-site backup means your data is stored in a location that is geographically separate from your primary location and would not be affected by any disaster that could reasonably hit your main office. The point is to protect you from localized disasters: fires, floods, theft, ransomware, power surges, angry former employees, and all the other ways that everything in one physical location can be destroyed or compromised simultaneously.
According to FEMA’s disaster statistics, 40% of businesses never reopen after a disaster, and another 25% fail within one year. Off-site backup is your insurance policy against being in those statistics.
Cloud backup is genuinely off-site. When your data is stored in a data center in another state, a fire in your office doesn’t touch it. A flood in your building doesn’t reach it. Ransomware that encrypts every computer on your network can’t encrypt data that’s not connected to your network at that moment.
The Problems with ‘Portable’ Off-Site Backup
The external hard drive that goes home with an employee seems like a reasonable approach, and it’s better than nothing, but it has some serious problems that most businesses don’t think about until it’s too late.
First, it’s only off-site part of the time. If your disaster recovery planning assumes you always have an off-site backup available, but that backup is actually in the building 70% of the time, your plan has a 70% chance of failing when you need it.
Second, portable drives get lost, damaged, or stolen. They get left in cars that get broken into. They get knocked off desks. They get erased accidentally. They get run over in parking lots. I’ve seen all of these happen. Kroll Ontrack’s data recovery statistics show that portable drives have a 25% higher failure rate than stationary drives, primarily due to physical damage from transport and handling.
Third, and this is the big one that nobody thinks about, portable drives that get plugged into your network regularly can be compromised by ransomware just like everything else on your network. If your backup drive is connected to an infected computer when the ransomware decides to encrypt everything it can reach, congratulations, your backup just got encrypted too.
The Ransomware Problem with Connected Backups
Modern ransomware is sophisticated. According to Sophos’s State of Ransomware 2024 report, 94% of ransomware attacks attempt to compromise backups. They specifically look for backup drives, backup software, and cloud backup credentials. The entire point is to make sure you can’t recover your data without paying the ransom.
This is why business continuity planning requires truly isolated off-site backup. If your backup can be accessed from your network, it can potentially be compromised from your network. Cloud backup services that use immutable storage or versioning can protect against this. A backup drive that never connects to your network can protect against this. A backup drive that plugs in every Friday is vulnerable.
What Actually Counts as Off-Site
Cloud backup with a reputable provider absolutely counts. Services like Backblaze, Carbonite, Datto, or Veeam’s cloud offerings store your data in professional data centers that are geographically distant from your location. They use redundant storage across multiple facilities, so even if one data center has a problem, your data still exists somewhere else.
Tape backups that are physically stored off-site count. Some firms still use tape drives and rotate tapes to a safe deposit box or storage facility. This is old school, but it works. The tapes are genuinely off-site, genuinely disconnected from any network, and genuinely protected from local disasters.
Replication to a second office location can count, if you actually have a second office location that’s far enough away to not be affected by the same disaster as your primary location. A second office across town works for fire or theft. A second office in the same building does not work for anything.
The Hybrid Approach That Actually Works
For most professional services firms I work with, the answer is a hybrid approach. You keep local backup for fast recovery from common problems like accidental deletions or hard drive failures. You keep true off-site backup in the cloud for disaster recovery. And you test both regularly to make sure they actually work.
The local backup gets you back up and running in hours when someone accidentally deletes an important folder. The off-site backup gets you back up and running in days when your office floods and destroys all your hardware. Different tools for different scenarios, both important.
This is what professional disaster recovery planning looks like. Not just having backup, but having the right kinds of backup in the right locations for the right purposes. It’s not exciting. It’s not sexy. But it’s what keeps your business alive when everything goes wrong.
Quick and Easy
True off-site backup must be geographically separated from your primary location and protected from the same disasters. Cloud backup meets this requirement while portable drives that regularly connect to your network don’t, as modern ransomware specifically targets connected backup devices during attacks.
