Let's clear something up right away: copying files to a NAS is not a backup. Syncing to Dropbox is not a backup. A backup is a recoverable copy of your data that survives the failure, ransomware attack, or human error that destroyed the original. Most small businesses in Montreal don't have that. They have the illusion of it.

The 3-2-1 Rule

Every serious conversation about backup starts here. You need:

3 copies of your data
2 different storage media types
1 copy offsite

Simple in theory. Rarely followed in practice. The businesses we audit most often have one copy on a NAS that's connected to the same network as their workstations — which means if ransomware hits, it encrypts the NAS too. That's not 3-2-1. That's 1-1-0.

Local Backup: What It Does Well

A well-configured local backup — NAS with RAID, or even tape in larger environments — gives you speed. Recovery time matters when you're down. Restoring 500 GB from a local NAS takes 20 minutes. Pulling that same dataset from cloud storage over a typical SMB internet connection can take 8 to 24 hours.

Local also costs less per gigabyte at scale. A Synology NAS with 8 TB of usable capacity runs around $800-1,200 upfront, then essentially nothing per month to run.

The problem: local backup fails against local disasters. Fire, flood, theft, and ransomware all have the potential to take out both your production data and your local backup simultaneously. We've seen it happen. It's not hypothetical.

Cloud Backup: What It Does Well

Cloud backup solves the offsite problem without requiring you to physically drive a tape somewhere every week. Options worth considering for SMBs:

Veeam + Backblaze B2 is a strong combination. Veeam handles the backup job orchestration (it's the industry standard for on-prem and virtual machine backup), and Backblaze B2 provides S3-compatible object storage at around $6/TB/month — significantly cheaper than AWS S3 or Azure Blob at typical SMB volumes.

Azure Backup integrates tightly if you're already on Microsoft 365. It handles SQL Server, file shares, and VMs natively. Cost is roughly $10-25/month per server protected, depending on data volume.

Acronis Cyber Protect bundles backup with endpoint security and ransomware detection. More expensive (~$8-15 per device per month), but the integration matters if you want a single vendor for both.

The cloud's weakness: recovery time. If you suffer a total infrastructure loss and need to restore 2 TB of data, cloud-only backup means you're waiting. For some businesses, that's acceptable. For others, it isn't.

RTO vs RPO: The Questions That Matter

Two metrics define what your backup strategy actually protects:

Recovery Time Objective (RTO): How long can your business be down before the damage is unacceptable? One hour? One day? For a law firm or accounting firm billing by the hour, the answer is probably "not long." For a retail shop, maybe a day is survivable.

Recovery Point Objective (RPO): How much data can you afford to lose? If your backup runs nightly and ransomware hits at 4pm, you've lost a full day of work. Can your team reconstruct it? Can your clients wait?

These aren't IT questions — they're business questions. Your backup strategy has to match your actual risk tolerance, not what was convenient to set up.

Ransomware Resilience: Immutable Backups

Ransomware doesn't just encrypt your files. Modern strains actively search for and encrypt backup targets. A backup on a writable network share is gone. A Dropbox sync is gone — ransomware encrypts the local files, Dropbox syncs the encrypted versions.

Immutable backups solve this. Backblaze B2 supports Object Lock, which prevents any file from being deleted or overwritten for a defined retention period — even by an attacker with your credentials. Azure Backup has soft-delete enabled by default. Veeam has its own immutability layer.

If your backup solution doesn't offer immutability, it's not a ransomware-resilient backup. It's a convenience copy.

Law 25 and Data Residency

Quebec's Law 25 (Bill 64) introduced requirements around personal information that catch some businesses off guard when it comes to cloud backup. If your backups contain personal data about Quebec residents — and they almost certainly do — you need to know where that data is stored and who can access it.

US-based cloud storage means your data is potentially subject to US law, including requests under the CLOUD Act. That may or may not create compliance issues depending on your sector. If you're in healthcare, legal, or financial services, this matters more than in other industries. Azure Canada Central and Azure Canada East keep data resident in Canada, which simplifies compliance significantly.

What It Costs

For a typical Montreal SMB with 10-30 employees:

Cloud-only (Backblaze B2 + Veeam): $80-150/month
Local-only (NAS refresh every 5 years): ~$20-40/month amortized, but no offsite protection
Hybrid (local NAS + cloud): $120-300/month depending on data volume and cloud provider

The $300/month scenario hurts until you compare it to average ransomware recovery costs, which ran $1.85 million globally in 2024 according to Sophos — and that includes businesses that paid the ransom and still lost data.

What We Actually Recommend

Hybrid. Local backup for speed of recovery, cloud backup for resilience. Immutable storage on the cloud tier. Tested restores — not just backup jobs that run, but actual restore tests at least quarterly. Recovery plans that are documented and rehearsed.

A backup job running green in your dashboard is not a working backup. The only way to know your backup works is to restore from it.

If you don't know the last time your team did a restore test, that's the first thing to fix.

Cloud Backup vs Local Backup: What Montreal Businesses Need to Know