I encounter two backup myths regularly. The first is the NAS drive in the corner running nightly backups, with the owner feeling well protected. The second is everything living in Microsoft 365, with the assumption that Microsoft backs it up. Both positions leave businesses exposed in ways they haven't thought through.
The problem is that "backup" isn't one scenario. It's five or six quite different scenarios, and what protects you against one often doesn't protect you against another.
What you're actually protecting against
Hardware failure (a server or drive dying) is the scenario most people have in mind when they set up a backup. Local backup handles this well. It's fast to restore from, which is what matters when you need to be operational the same day.
Ransomware is a different problem entirely. Ransomware encrypts your live data and then, if it can reach your backup location, encrypts that too. A NAS that's permanently connected and mapped as a network drive is the most common setup, and it is just as visible to ransomware as the live data, so your backup ends up as encrypted as your originals. The protection you need is a backup that ransomware can't reach: something offline, air-gapped, or on immutable (write-once) storage.
Accidental deletion or file corruption needs version history going back far enough to find the clean copy, not just the last 30 days. Files get corrupted gradually. Sometimes nobody notices until months later.
Site disaster (fire, flood, theft) requires an off-site copy. A backup NAS sitting next to the server it backs up is not an off-site backup.
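The version-history point above is easy to check mechanically: walk the retained snapshots from newest to oldest until you find a copy of the file that still matches a known-good checksum, and note how far back you had to go. The script below is an added example, not code from the original article; it assumes a snapshot layout of backup_root/YYYY-MM-DD/relative-path and GNU date and sha256sum, and the snapshot tree it builds is constructed sample data.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): walk a set of dated backup
# snapshots from newest to oldest and report the most recent one whose copy of
# a file still matches a known-good checksum, plus how many days back it sits.
# Assumes a <backup_root>/YYYY-MM-DD/<relative path> snapshot layout and GNU
# date; both are assumptions, not something the article specifies.
set -eu

# Constructed sample data: six snapshots of invoices.csv. The file was silently
# corrupted 45 days ago, so only the 60-, 75- and 90-day-old copies are clean.
make_sample_backups() {
  local root=$1 d snap
  for d in 90 75 60 45 30 1; do
    snap=$(date -d "-$d days" +%F)
    mkdir -p "$root/$snap"
    if [ "$d" -ge 60 ]; then
      printf 'id,amount\n1,100\n2,250\n' > "$root/$snap/invoices.csv"
    else
      printf 'id,amount\n1,100\n2,#CORRUPT#\n' > "$root/$snap/invoices.csv"
    fi
  done
}

sha() { sha256sum "$1" | cut -d' ' -f1; }

# Print "<snapshot date> <days ago>" for the newest snapshot whose copy of $2
# hashes to $3. Returns 1 if no retained snapshot holds a clean copy, i.e. the
# retention window is too short to recover from this corruption.
newest_clean_version() {
  local root=$1 relpath=$2 want=$3 snap
  for snap in $(ls -1 "$root" | sort -r); do
    [ -f "$root/$snap/$relpath" ] || continue
    if [ "$(sha "$root/$snap/$relpath")" = "$want" ]; then
      echo "$snap $(( ( $(date +%s) - $(date -d "$snap" +%s) ) / 86400 ))"
      return 0
    fi
  done
  return 1
}

# Stand-alone demo: with only 30 days of history the clean copy would be gone.
demo_root=$(mktemp -d)
make_sample_backups "$demo_root"
known_good=$(printf 'id,amount\n1,100\n2,250\n' | sha256sum | cut -d' ' -f1)
if result=$(newest_clean_version "$demo_root" invoices.csv "$known_good"); then
  echo "newest clean copy: snapshot ${result%% *}, ${result#* } days ago"
else
  echo "no clean copy of invoices.csv in retained snapshots"
fi
rm -rf "$demo_root"
```

In the sample the nearest clean copy is 60 days old, so a 30-day retention policy would have already discarded every usable version. Run the same walk against your real snapshot set for a handful of critical files to see how deep your history actually needs to be.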
Why Microsoft 365 backup isn't what most people think
Microsoft keeps deleted items for 30-93 days depending on version and whether the user has managed their recycle bins. That helps with accidental deletion. It does not protect against ransomware, because ransomware encrypts files that then sync to OneDrive, and Microsoft faithfully syncs your encrypted data. Nor does it protect against a compromised user account bulk-deleting data.
Separate Microsoft 365 backup using a third-party provider (Veeam, Dropsuite, Acronis, and others all offer this) maintains an immutable copy outside Microsoft's own infrastructure. For most businesses, this costs £2-4 per user per month. It's not expensive, and it closes a genuine gap.
What actually works
The 3-2-1 rule (three copies of data, on two different media, with one off-site) is old and still correct. In practice for an SME:
Local backup to a NAS with a retention period long enough to catch slow corruption. A separate cloud backup with immutable retention settings. And, critically, a tested restore process: not just a check that the backup job completed, but an actual file restore, monthly, with the results documented.
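A tested restore process is a script you can run on a schedule and a log you can show an auditor, not a checkbox. The script below is an added example, not the article's own procedure: it restores one file from the newest snapshot into a scratch directory, verifies it byte-for-byte against the live copy, appends a dated PASS/FAIL line to a log, and reports how many days of history the snapshot set covers. It assumes a backup_root/YYYY-MM-DD/relative-path snapshot layout and GNU date and sha256sum; the live tree and snapshots it builds are constructed sample data.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): a monthly restore test that
# actually restores a file from the newest snapshot, verifies it byte-for-byte
# against the live copy, and appends a dated PASS/FAIL line to a log, so the
# test is documented rather than assumed. Assumes a
# <backup_root>/YYYY-MM-DD/<relative path> snapshot layout and GNU date.
set -eu

sha() { sha256sum "$1" | cut -d' ' -f1; }

# Constructed sample data: a live tree and two snapshots of it, one from today
# and one from 31 days ago.
make_sample() {
  local live=$1 backup=$2 snap
  mkdir -p "$live/finance"
  printf 'q1,1200\nq2,1350\n' > "$live/finance/ledger.csv"
  for snap in "$(date -d '-31 days' +%F)" "$(date +%F)"; do
    mkdir -p "$backup/$snap/finance"
    cp "$live/finance/ledger.csv" "$backup/$snap/finance/ledger.csv"
  done
}

# Restore $3 from the newest snapshot under $1 into a scratch directory and
# compare its hash with the copy under $2. Appends the result to $4 and returns
# 0 on PASS, 1 on FAIL, so the exit status can feed a monitoring alert.
restore_test() {
  local backup=$1 live=$2 relpath=$3 log=$4 newest scratch result
  newest=$(ls -1 "$backup" | sort | tail -n 1)
  scratch=$(mktemp -d)
  mkdir -p "$scratch/$(dirname "$relpath")"
  if cp "$backup/$newest/$relpath" "$scratch/$relpath" 2>/dev/null \
     && [ "$(sha "$scratch/$relpath")" = "$(sha "$live/$relpath")" ]; then
    result=PASS
  else
    result=FAIL
  fi
  printf '%s snapshot=%s file=%s result=%s\n' \
    "$(date +%FT%T)" "$newest" "$relpath" "$result" >> "$log"
  rm -rf "$scratch"
  [ "$result" = PASS ]
}

# How many days of history the snapshot set covers, oldest snapshot to today;
# compare this against the retention the slow-corruption scenario needs.
retention_days() {
  local oldest
  oldest=$(ls -1 "$1" | sort | head -n 1)
  echo $(( ( $(date +%s) - $(date -d "$oldest" +%s) ) / 86400 ))
}

# Stand-alone demo run.
demo=$(mktemp -d)
make_sample "$demo/live" "$demo/backup"
if restore_test "$demo/backup" "$demo/live" finance/ledger.csv "$demo/restore-tests.log"; then
  echo "restore test passed; $(retention_days "$demo/backup") days of history retained"
else
  echo "restore test FAILED; see $demo/restore-tests.log"
fi
cat "$demo/restore-tests.log"
rm -rf "$demo"
```

Comparing against the live copy proves the restore path works end to end; if the live copy itself is suspect, compare against a checksum manifest recorded when the snapshot was taken instead. Schedule the script monthly, keep the log with the rest of your backup documentation, and treat a FAIL line exactly like a failed backup job.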
The last part is where most backup strategies break down. A backup that hasn't been tested in 18 months is a belief, not a safety net.