    Internal Backups Done Right: How Small Businesses Can Protect Their Data Without Exposing Themselves

    Many small businesses invest in backups - but unknowingly introduce serious security risks in the process.

    A very common setup is:

    • A NAS device plugged into the network
    • Port forwarding enabled for "remote access"
    • Default or weak configurations left unchanged

    While this seems convenient, it can actually turn your backup system into a primary attack vector.

    In this blog, we will explore the risks of poorly managed internal backups, safer architectures, and best practices to secure your data properly.

    The Hidden Risks of NAS-Based Backups

    NAS devices (like QNAP or Synology) are popular because they are affordable, easy to deploy, and feature-rich. But a misconfigured NAS can lead to devastating consequences.

    Common Risks

    • Exposed ports (e.g. 443, 8080, 22)
    • Default credentials or weak passwords
    • Outdated firmware
    • Direct internet exposure without VPN
    • Ransomware targeting network shares

    In many incidents, attackers do not break in - they simply log in.

    Instead of exposing your NAS to the internet, keep it locked down internally.

    Best Practice Setup

    • NAS NOT accessible from the internet
    • No port forwarding
    • Access only from internal file server or backup server

    Extra Protection

    • Place NAS on a separate VLAN
    • Restrict access via firewall rules
    • Disable unnecessary services (FTP, SSH if unused)

    Think of the NAS as a vault, not a public service.
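
    The checks above (no port forwarding, access only from the backup server, unused services off) can be verified against an exported router and firewall configuration. The following is an added example, not part of the original post; the IP addresses, the rule tuple format, and the audit function are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: addresses, VLAN ranges and rule format are assumptions.
NAS_IP = ipaddress.ip_address("10.0.50.10")        # NAS on its own backup VLAN
BACKUP_SERVER = ipaddress.ip_address("10.0.10.5")  # the only host allowed to reach it
UNNEEDED_SERVICES = {"ftp", "ssh"}                 # should be off if unused

PORT_FORWARDS = [  # (external port, internal target, internal port)
    (443, "10.0.50.10", 443),
    (25, "10.0.10.30", 25),
]
ALLOW_RULES = [    # (source network, destination host, destination port)
    ("10.0.10.5/32", "10.0.50.10", 445),
    ("10.0.20.0/24", "10.0.50.10", 445),
]
NAS_SERVICES = {"smb": True, "ftp": True, "ssh": False}


def audit(nas, backup_server, forwards, allow_rules, services):
    """Return a list of findings; an empty list means the setup matches the policy."""
    findings = []
    # 1. No port forwarding: nothing on the router may point at the NAS.
    for ext_port, target, int_port in forwards:
        if ipaddress.ip_address(target) == nas:
            findings.append(f"port-forward: external {ext_port} -> NAS:{int_port}")
    # 2. Access only from the backup server: every allow rule towards the NAS
    #    must have a source that is exactly that single host.
    allowed = ipaddress.ip_network(str(backup_server))
    for src, dst, port in allow_rules:
        if ipaddress.ip_address(dst) != nas:
            continue
        if ipaddress.ip_network(src, strict=False) != allowed:
            findings.append(f"firewall: {src} may reach NAS:{port}")
    # 3. Unnecessary services (FTP, SSH if unused) must be switched off.
    for name, enabled in sorted(services.items()):
        if enabled and name in UNNEEDED_SERVICES:
            findings.append(f"service: {name} is enabled")
    return findings


if __name__ == "__main__":
    for line in audit(NAS_IP, BACKUP_SERVER, PORT_FORWARDS, ALLOW_RULES, NAS_SERVICES):
        print("FINDING", line)
```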

    Option 2: File Server + Backup Software (More Controlled)

    A more robust approach uses dedicated backup software for centralised management.

    Architecture

    • Workstations connect to a Backup Agent
    • Backup Server (e.g. Veeam, Altaro) manages the process
    • Storage targets a NAS or disk array

    Advantages

    • Centralised control
    • Backup scheduling and monitoring
    • Encryption and compression
    • Role-based access

    This removes direct dependency on the NAS interface.

    Option 3: Hybrid Backup (Internal + Cloud)

    The gold standard is the 3-2-1 rule: 3 copies of data, 2 different media, and 1 offsite (cloud).

    Example Setup

    • Primary data on your server
    • Local backup to NAS
    • Offsite backup to cloud (Azure, Backblaze, AWS)

    Benefits

    • Protection from ransomware
    • Disaster recovery (fire, theft)
    • Business continuity

    Best Practices for Securing Internal Backups

    Network Security

    • No direct internet exposure
    • Use VPN for remote access
    • Segment backup infrastructure on its own VLAN

    Access Control

    • Use strong passwords combined with MFA
    • Disable default admin accounts
    • Limit user permissions to only what is needed

    Backup Protection

    • Enable immutable backups where possible
    • Use versioning to retain previous copies
    • Regularly test restores to confirm recoverability

    Maintenance

    • Keep NAS firmware updated
    • Monitor logs and alerts
    • Remove unused services

    Real-World Scenario

    A small business sets up a NAS, opens port 443 for remote access, uses the default admin account, and has no monitoring in place.

    The result: The NAS gets accessed externally, backups are encrypted or deleted, and there is no recovery path. The business is left with nothing.

    Key Takeaway

    Backups are only useful if they are secure, isolated, and recoverable.

    A poorly secured backup system is worse than no backup at all - because it gives a false sense of security.

    Is Your Backup Protecting You - or Exposing You?

    If your business is using a NAS for backups, now is the time to ask that question. Get in touch with IT-MSP to review your backup infrastructure and ensure your data is truly protected.
