Cadarn IT
The Cadarn IT team

How to Back Up Your Accountancy Practice Properly (and Why January Is the Worst Time to Find Out You Haven't)

How accountancy practices should really back up client data, the 3-2-1 rule, why a USB drive or OneDrive isn't enough, and surviving the January peak.

  • Backup
  • Disaster Recovery
  • Business Continuity

There’s a particular kind of phone call no accountant wants to make in late January. The server won’t boot, or every file on the network has been renamed with a strange extension, or someone has realised the only backup is a USB stick that hasn’t worked since October, and there are tax returns due in days.

Backup is one of those jobs that feels done long before it actually is. A drive is plugged in, a tick appears somewhere, and everyone moves on. But “we have a backup” and “we can get the practice working again quickly” are two very different statements. This guide explains, in plain English, how a small accountancy practice should really protect its data, and why the busiest month of your year is the worst possible time to discover the gaps.

The risks are more ordinary than you think

When people picture losing their data, they tend to imagine a dramatic cyber attack. That happens, but most data loss is far more mundane. A good backup has to cover all of it.

Ransomware

This is the headline risk, and a real one. Ransomware encrypts your files and demands payment to unlock them. For a practice holding client tax data, payroll and company accounts, the disruption is severe and the data-protection implications are serious. The cruel detail is that modern ransomware often goes looking for connected backups and encrypts those too, which is exactly why a backup that’s permanently plugged in offers far less protection than people assume. (Our cyber security and Cyber Essentials service covers how to keep ransomware out in the first place; backup is your safety net for when something gets through.)

Hardware failure

Drives and servers fail. They fail without warning, and they fail more often as they age. A practice running an older on-premises server is carrying a quiet, growing risk: one component lets go, and years of working files are suddenly inaccessible.

Accidental deletion and overwriting

The most common cause of “where’s that file gone?” isn’t a hacker, it’s a human. A folder dragged into the wrong place, a working paper overwritten, a client file deleted in a tidy-up. Often nobody notices for weeks, which means your backup needs enough history to go back and recover the version from before the mistake.

Theft, fire and flood

The unglamorous physical risks. A break-in, a burst pipe, an electrical fire. If your only copy of the data lives in the same room as the computer it came from, a single bad event takes both. This is the whole reason “offsite” matters.

A failure during the January peak

This one deserves its own line, because the timing multiplies everything else. A two-day outage in June is a nuisance. The same two days lost in the third week of January, with self-assessment deadlines bearing down, is a crisis: missed filings, anxious clients, late-filing penalties, and a team already running flat out. The risk isn’t only whether something fails; it’s when.

This isn’t just downtime, it’s a duty

For most businesses, losing data is expensive and embarrassing. For an accountancy practice it can also be a professional and legal failure.

You’re required to retain client records for years, and you’re handling personal financial data under UK data protection law (GDPR). Lose it, and you’re not just inconvenienced, you may be looking at a reportable data-protection incident, awkward conversations with the Information Commissioner’s Office, and questions from your professional body about whether you were looking after client information properly.

In a profession built on trust, the reputational hit can outlast the technical one. Clients forgive a slow afternoon. They don’t easily forgive losing their records.

So backup, for a practice, is part of running a responsible firm, not an IT nicety. It sits right alongside your AML obligations and your duty of confidentiality.

The 3-2-1 rule, in plain English

There’s a long-standing principle that cuts through all the product talk. It’s called 3-2-1, and it’s worth committing to memory:

  • 3 copies of your data, the live copy you work on, plus two backups.
  • 2 different types of media, so you’re not relying on a single technology that could fail in the same way at the same time.
  • 1 copy offsite, held somewhere else entirely, usually in the cloud, so a fire or theft at the office can’t take everything.

The beauty of 3-2-1 is that it quietly defends against every risk above at once. Hardware failure? You’ve got other copies. Accidental deletion? There’s history to restore from. Ransomware? An offsite copy that isn’t permanently connected can’t be encrypted with the rest. Fire or flood? The offsite copy survives.

Why a single USB drive is not a backup

A USB drive plugged into the server breaks every part of the rule. It’s one copy, on one type of media, in one location, and it’s connected, so ransomware can reach it. Drives also wear out silently; plenty of practices have reached for the backup drive only to find it stopped working months ago and nobody knew.

Why “it’s all in the cloud” or “it’s in OneDrive” is not a backup either

This is the most common and most dangerous misunderstanding, so it’s worth being blunt about it. OneDrive, SharePoint and Microsoft 365 are sync-and-store services, not backups.

The difference matters. Sync means that when a file changes, the change is copied everywhere. That’s brilliant for working across devices, and a disaster when the “change” is a deletion or a ransomware encryption. The bad version syncs out to every copy before anyone realises. Microsoft keeps the service available, but the data inside it is your responsibility, and the built-in recovery windows are short. Microsoft’s own guidance recommends using a separate, third-party backup for exactly this reason.

A genuine cloud backup is different: it’s an independent copy, held separately, with enough version history to roll back to a known-good point. If you’re moving systems to the cloud, this distinction is one to get right from the start; our practical guide to moving a practice to the cloud goes into how backup should be designed in rather than bolted on.

Backup is not the same as disaster recovery

Here’s the distinction that separates practices that merely survive an incident from ones that barely notice it.

Backup answers one question: does a copy of the data exist?

Disaster recovery answers a much more important one: how quickly can we actually be working again?

You can have a perfect backup and still be out of action for a week, if the only plan for restoring it is “find a new server, reinstall everything, and copy the files back over a slow connection.” For a practice in January, the recovery time is the whole game.

Two ideas help here, and they’re worth agreeing with your team in plain terms:

  • How much data can you afford to lose? (IT people call this the recovery point objective, or RPO.) If backups run once a day, a failure could cost you up to a day’s work. For some practices that’s fine; during the peak it might not be.
  • How long can you afford to be down? (This is the recovery time objective, or RTO.) An hour? A day? Three days? The honest answer drives everything else, because faster recovery generally costs more, and you want to spend it where it matters.

A good disaster-recovery setup means you can get back to a working state in hours rather than days, sometimes by spinning the practice up from a recent image rather than rebuilding from scratch. That’s the difference between a bad morning and a ruined fortnight. It’s the core of what our backup and disaster recovery service is built around.

An untested backup is just a hope

This is the part almost everyone skips, and it’s the part that bites hardest.

A backup that has never been restored is an assumption, not a safeguard. Backups fail quietly all the time: a job stops running after a software update, a drive fills up, a folder gets excluded by mistake, a credential expires. Nothing alerts anyone, because nothing has gone wrong yet, until the day you need it, and that’s the worst possible moment to learn it doesn’t work.

The only way to know a backup works is to restore from it. Pick a file, pick a folder, occasionally pick the whole thing, and prove you can bring it back cleanly. Do it on a schedule, and crucially, do a proper dry run in the autumn so any problems surface in October, not on 28 January.
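The restore test described above can be made mechanical rather than a matter of eyeballing a folder. The following Python script is an added example, not tooling from Cadarn IT or the original article: it takes a hash manifest of the live data, restores into a scratch directory, and reports every file that came back missing, corrupted or unexpected. The client folders, file names and contents are constructed for the demonstration.

```python
"""Verify a test restore against a SHA-256 manifest taken from the live data.
Added example; the directory layout and sample files below are constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large client archives don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path -> (size, sha256) for every file under root.
    Take this from the live data *before* the backup runs, and keep it with the backup."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): (p.stat().st_size, sha256_of(p))
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest; anything not 'ok' needs investigating."""
    report = {"ok": [], "missing": [], "corrupt": [], "extra": []}
    for rel, (size, digest) in manifest.items():
        target = restored / rel
        if not target.is_file():
            report["missing"].append(rel)          # excluded folder, failed job, wrong path
        elif target.stat().st_size != size or sha256_of(target) != digest:
            report["corrupt"].append(rel)          # truncated, partially written or tampered
        else:
            report["ok"].append(rel)
    for p in restored.rglob("*"):
        rel = str(p.relative_to(restored)).replace("\\", "/")
        if p.is_file() and rel not in manifest:
            report["extra"].append(rel)            # restored from the wrong job or wrong date
    return report


def demo() -> tuple:
    """Constructed scenario: live data -> backup -> restore, once clean and once damaged."""
    work = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        live = work / "live"
        (live / "clients" / "acme").mkdir(parents=True)
        (live / "clients" / "acme" / "SA100-2025.pdf").write_bytes(b"%PDF-1.7 constructed sample\n" * 50)
        (live / "clients" / "acme" / "working-papers.xlsx").write_bytes(b"PK constructed sample\n" * 20)
        (live / "payroll").mkdir()
        (live / "payroll" / "jan.csv").write_text("employee,net\nA,1000\n")
        manifest = build_manifest(live)

        backup = work / "backup"
        shutil.copytree(live, backup)               # stands in for the backup job

        good = work / "restore-good"
        shutil.copytree(backup, good)               # a clean restore
        clean = verify_restore(manifest, good)

        bad = work / "restore-bad"
        shutil.copytree(backup, bad)
        (bad / "payroll" / "jan.csv").unlink()                                   # folder quietly excluded
        (bad / "clients" / "acme" / "SA100-2025.pdf").write_bytes(b"truncated")  # damaged on the way back
        damaged = verify_restore(manifest, bad)
        return clean, damaged
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

Run it quarterly against a real restore into an isolated folder or spare machine, and keep the manifest somewhere the backup job cannot overwrite, so a corrupted backup cannot also corrupt the yardstick you measure it against.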

What good looks like for a small practice

If you want a quick yardstick, here’s a practical checklist. A well-protected practice can tick most of these:

  • At least three copies of practice data exist, following the 3-2-1 principle.
  • One copy is genuinely offsite (cloud or another location) and isn’t permanently connected to the network, so ransomware can’t reach it.
  • Microsoft 365 / OneDrive / SharePoint data is backed up separately, not relied on as its own backup.
  • Backups run automatically, on a sensible schedule, without anyone having to remember.
  • There’s enough version history to recover a file from before a mistake or infection, days and weeks back, not just the latest copy.
  • Someone is actually told when a backup fails: there’s monitoring and an alert, not silent trust.
  • Backups are tested by restoring, on a regular schedule and at least once before the January peak.
  • There’s a written recovery plan that says, in plain terms, how the practice gets working again and roughly how long it would take.
  • Retention reaches back far enough to meet your record-keeping duties.
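The 3-2-1 rule, the "how much data can you afford to lose" window and the checklist above can be turned into a check that runs from a backup inventory rather than a gut feeling. The Python below is an added example, not the page's or any vendor's tooling: it scores an inventory of copies for the three parts of 3-2-1, an offsite copy that isn't permanently connected, freshness against the chosen RPO, retention depth and the date of the last restore test. The two inventories (a lone USB drive, and a server plus NAS plus cloud copy) are constructed, and the six-year retention default is only a placeholder for whatever your professional body requires.

```python
"""Score a backup inventory against the 3-2-1 rule and the checklist above.
Added example; the copies, dates and thresholds below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    media: str                 # broad media class: "disk", "tape", "cloud-object", ...
    location: str              # "office", "cloud", "director-home", ...
    always_connected: bool     # reachable from the practice network at all times?
    retention_days: int        # how far back a version can be recovered
    last_success: Optional[datetime] = None   # None = never completed
    is_live: bool = False      # the working copy everyone edits


def assess(copies: List[BackupCopy], now: datetime, last_restore_test: Optional[datetime] = None,
           office: str = "office", rpo_hours: int = 24, min_retention_days: int = 6 * 365,
           restore_test_days: int = 90) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    backups = [c for c in copies if not c.is_live]

    # "3": the live copy plus at least two backups
    if len(copies) < 3:
        findings.append(f"3-2-1 '3': only {len(copies)} copies exist (need the live copy plus two backups)")
    # "2": at least two media classes, so one failure mode cannot take every copy
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"3-2-1 '2': every copy is on the same media class ({', '.join(sorted(media))})")
    # "1": a backup held away from the office, and one of those not permanently connected
    offsite = [c for c in backups if c.location != office]
    if not offsite:
        findings.append("3-2-1 '1': no backup is held offsite; fire, flood or theft takes everything")
    elif all(c.always_connected for c in offsite):
        findings.append("ransomware: every offsite copy is permanently connected, so it could be encrypted too")
    # freshness: a job that silently stopped running is the classic failure
    for c in backups:
        if c.last_success is None:
            findings.append(f"{c.name}: has never completed successfully")
        elif now - c.last_success > timedelta(hours=rpo_hours):
            age = (now - c.last_success).days
            findings.append(f"{c.name}: stale, last success {age} days ago exceeds the {rpo_hours}h window")
    # retention: history must reach back far enough for record-keeping duties
    if not any(c.retention_days >= min_retention_days for c in backups):
        findings.append(f"retention: no backup keeps {min_retention_days} days of history")
    # proof: a restore has actually been performed recently
    if last_restore_test is None:
        findings.append("restore test: never performed; the backup is an assumption, not a safeguard")
    elif now - last_restore_test > timedelta(days=restore_test_days):
        findings.append(f"restore test: last run more than {restore_test_days} days ago")
    return findings


# Constructed "now": the third week of January, when a gap hurts most.
NOW = datetime(2026, 1, 19, 8, 0)


def check_usb_only() -> List[str]:
    """Constructed inventory: one USB drive left plugged into the server, never restore-tested."""
    copies = [
        BackupCopy("File server", "disk", "office", True, 0, is_live=True),
        BackupCopy("USB drive on server", "disk", "office", True, 0, NOW - timedelta(days=90)),
    ]
    return assess(copies, NOW)


def check_three_two_one() -> List[str]:
    """Constructed inventory: nightly NAS copy plus a cloud copy the backup agent writes
    through its own credentials (no mapped drive), restore-tested a month ago."""
    copies = [
        BackupCopy("File server", "disk", "office", True, 0, is_live=True),
        BackupCopy("Office NAS", "disk", "office", True, 2555, NOW - timedelta(hours=6)),
        BackupCopy("Cloud backup", "cloud-object", "cloud", False, 2555, NOW - timedelta(hours=10)),
    ]
    return assess(copies, NOW, last_restore_test=NOW - timedelta(days=30))


if __name__ == "__main__":
    for label, findings in (("USB only", check_usb_only()), ("3-2-1 setup", check_three_two_one())):
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Feed it from whatever your backup software reports (most can export the last successful run per job), and wire the non-empty case to an alert so that a stalled job is something somebody is told about, not something discovered on 28 January.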

If you read that list and felt unsure about more than a couple of items, you’re in very normal company, and it’s worth sorting out before the next busy season rather than after.

Design it so the busiest month isn’t the riskiest

The thread running through all of this is timing. Your practice is under the most pressure precisely when downtime hurts most. So the goal isn’t simply “have a backup”, it’s to build things so that January is just busy, not fragile.

That means: backups that run and are watched all year; a recovery plan you’ve actually rehearsed; an offsite copy ransomware can’t touch; and a tested restore behind you before the deadline rush begins. Get those right, and a hardware failure or a bad click in late January becomes a few hours of inconvenience rather than the phone call no accountant wants to make.

The simplest way to find out where you stand is a free Practice IT Health Check. In 15 to 20 minutes we’ll look honestly at your current backup and recovery setup and tell you what, if anything, is worth fixing before the next January comes round. No jargon, no sales pressure, just a clear picture of how resilient your practice really is.

Frequently asked questions

Is OneDrive or Microsoft 365 a backup for my practice?

Not on its own. Microsoft keeps your service running, but the data inside it is your responsibility. If a file is deleted, overwritten or encrypted by ransomware, and it syncs across your devices before anyone notices, that change is faithfully copied everywhere. Most Microsoft 365 retention windows are short, so a true backup means a separate copy held independently of the live system. Microsoft themselves recommend a third-party backup.

How long do accountancy practices need to keep client records?

It varies by record type, but a common rule of thumb is that many business and tax records should be retained for around six years, and some for longer. Your professional body (ICAEW, ACCA or AAT) and HMRC set the specifics. The practical point for backup is that losing records isn't only downtime, it can be a compliance failure and a data-protection issue, so your backups need to reach back far enough to satisfy those duties.

What is the 3-2-1 backup rule?

Keep at least 3 copies of your data, on 2 different types of media, with 1 copy held offsite (or in the cloud). It is a simple, long-standing principle that protects you whether the threat is hardware failure, accidental deletion, ransomware, or fire and flood at the office. A single USB drive sitting next to the server fails all three parts of it.

How often should we test our backups?

Regularly, and at least before your busiest period. An untested backup is just a hope. We'd suggest a proper restore test at least quarterly, plus a dry run in the autumn so any problems are found and fixed well before the January self-assessment peak, not during it.

Want this checked for your own practice?

Book a free Practice IT Health Check, a plain-English, no-obligation review of where your IT stands.


