Home About Tools Projects Guides & Blog ⚡ Hire Me ✦ Websites Contact →
⚠️ Data Protection

Cloud Sync Is Not a Backup: Why Dropbox and Google Drive Won't Save You

Published 20 March 2026
Jack Davies
8 min read

Somewhere along the way, a lot of small businesses convinced themselves that having files in Dropbox or Google Drive counts as having a backup. It does not. Sync and backup are two completely different things, and treating them as the same is one of the more reliable ways to lose data you can never get back.

This comes up regularly when I'm working with clients. Someone has a ransomware incident, a mass accidental deletion, or a disgruntled employee who wipes a shared drive on their way out the door. They tell me they have backups. What they actually have is a sync client. By the time they find out the difference, the damage is already done.

Contents
  1. Sync vs Backup: The Actual Difference
  2. Why Sync Fails When You Need It Most
  3. Version History Is Not a Backup Either
  4. Real Scenarios Where Sync Leaves You Exposed
  5. What a Proper Backup Actually Looks Like
  6. What Small Businesses Should Use

Sync vs Backup: The Actual Difference

🔴 Core Concept

Sync tools like Dropbox, Google Drive, and OneDrive do one thing: they mirror your files across devices and to the cloud. Whatever is on your machine is reflected in the cloud. Whatever is in the cloud is reflected on your machine. That is the entire point of them.

A backup is a separate, independent copy of your data taken at a specific point in time, stored somewhere that cannot be affected by what happens to the original.

The key word is independent. A backup needs to be isolated from the source. If deleting a file on your laptop also removes it from your backup, you do not have a backup. You have a mirror.

Cloud Sync (Dropbox / Google Drive)Proper Backup
Purpose Access files across devices Recover data after loss or damage
Deleted file Deleted everywhere, immediately Recoverable from backup copy
Ransomware encrypts files Encrypted version synced to cloud Clean copy available pre-infection
Accidental overwrite Overwritten version synced immediately Previous version recoverable
Account compromised Attacker has access to all files Backup isolated, unaffected
Point-in-time recovery Not available Restore to any backup point
Offsite / air-gapped copy Linked to source Separated from source

Why Sync Fails When You Need It Most

💥 Failure Modes

The fundamental problem with sync as a recovery strategy is that it propagates every change, including the bad ones, almost instantly. The same feature that makes it useful for accessing your files on multiple devices is what makes it useless for recovery.

Ransomware

This is the scenario that catches most companies out. Ransomware encrypts files on the local machine. The sync client sees those files as modified and dutifully uploads the encrypted versions to the cloud, overwriting the clean originals. By the time anyone notices, the cloud copy is just as encrypted as the local one. Dropbox, Google Drive, OneDrive - they all behave the same way.

🔴
Ransomware propagates through sync
Modern ransomware encrypts files faster than most sync clients can upload them. Even if you catch it mid-attack, the cloud copy will contain a mix of clean and encrypted files with no easy way to tell which is which. Without a proper backup, you are either paying the ransom or rebuilding from scratch.

Accidental deletion

Someone deletes a folder they should not have. It could be a staff member who does not realise what they are deleting, someone with too many permissions, or a script that runs against the wrong directory. The sync client removes the files from every connected device and from the cloud copy within seconds. You have a very short window before it is gone everywhere.

Corrupt files

An application crashes mid-save and corrupts a file. The corrupt version syncs immediately. If you do not notice for a few days, the older clean versions in the version history may have already cycled out, depending on your plan. On a free or basic tier, that window can be as short as 30 days.

Insider threat

A disgruntled employee with access to a shared drive deletes or exfiltrates files before leaving. If they have sync access, those deletions hit everywhere. If they downloaded everything before you revoked access, you have a data breach even if your own copy is intact.

Version History Is Not a Backup Either

⚠️ Common Misconception

Most sync platforms offer some form of version history or trash retention. Dropbox keeps deleted files for 30 days on the free plan, 180 days on Plus, and up to a year on Business plans. Google Drive keeps deleted files in the bin for 30 days. This is sometimes pointed to as a backup mechanism. It is not.

Version history has several critical limitations as a recovery tool:

  • Time limited. Once the retention window closes, files are gone permanently. If you do not notice a deletion for two months and you are on a 30-day plan, you have nothing to recover.
  • Scope limited. Version history typically covers individual file changes, not entire folder structures or bulk deletions. Recovering thousands of files one by one from a trash folder is not a practical recovery process.
  • Tied to the same account. If the account itself is deleted, compromised, or suspended, the version history goes with it. A compromised admin account that permanently deletes files can bypass the trash entirely.
  • Not guaranteed. Cloud providers are businesses. They can change their retention policies, discontinue features, or have outages. You are relying on their infrastructure for your only copy of data you cannot afford to lose.
⚠️
Microsoft 365 and Google Workspace have the same problem
This applies equally to SharePoint, Teams files, and Google Workspace shared drives. Microsoft and Google are not responsible for backing up your data - their agreements make this clear. They protect their infrastructure. Your data is your responsibility. If a user permanently deletes items and empties the bin, Microsoft will not retrieve them for you without a third-party backup in place.

Real Scenarios Where Sync Leaves You Exposed

📋 Examples

These are not hypothetical edge cases. They are the kinds of incidents that come up regularly in IT support and are almost always preceded by the same assumption: "we back up to Dropbox."

The ransomware that synced

A small accountancy firm gets hit by ransomware via a phishing email. The attack encrypts the local drive. The Dropbox client syncs 14,000 encrypted files to the cloud in about four minutes. By the time the IT engineer is called, the Dropbox copy is encrypted. There is no offline backup. The firm pays the ransom.

The wrong folder delete

A project manager at a marketing agency has admin access to the company Google Drive. They are clearing up old project folders and accidentally delete the current year's client work folder rather than the archive. Google Drive syncs the deletion. The files sit in the bin for 12 days before anyone notices. They are recovered. Two weeks later, the same user permanently empties their bin without checking it. The files are gone. Google cannot retrieve them. The agency has to rebuild months of work from email attachments and client copies.

The ex-employee

A developer at a software company resigns and has two weeks of notice. During that period their Dropbox access is not revoked because no one owns the offboarding process. On their last day they permanently delete their personal folder, which contains code repositories they have been working on. The sync propagates. By the time IT notice, the files are gone from the cloud and from every other synced device in the company.

What a Proper Backup Actually Looks Like

✅ The 3-2-1 Rule

The standard backup framework is the 3-2-1 rule. It is old, it is simple, and it holds up:

  • 3 copies of the data
  • 2 different storage media or locations
  • 1 copy offsite (or offline, or air-gapped)
// interactive diagram
The 3-2-1 Backup Rule
3
COPIES
💻
Primary
Local machine or file server
2
MEDIA TYPES
☁️
Copy 2
Cloud backup
(different service)
💾
Copy 3
External or NAS drive
1
OFFSITE
📍
1 Offsite
Different location or air-gapped
3-2-1 overview
Click each node or use the tabs above to explore the three parts of the rule. The goal is that any single failure - hardware fault, ransomware, account compromise, or physical disaster - cannot wipe out all your copies at once.

A sync client counts as one copy and one storage location. It does not satisfy any part of this rule on its own because it is not independent of the source.

A proper backup strategy for a small business typically looks like this:

  • Primary copy: Working files on local machines or a file server / SharePoint
  • Secondary copy: Automated daily backup to a separate cloud backup service (not the same platform as your working storage)
  • Tertiary copy: Weekly or monthly backup to an external drive kept offsite, or a separate backup-only cloud account with immutability enabled
ℹ️
Immutability matters
An immutable backup is one that cannot be modified or deleted for a defined retention period, even by an admin. This is the key protection against ransomware operators who specifically target backup systems. If your backup can be deleted by someone with account access, it is not truly protected. Look for backup solutions that support immutable or write-once storage.

What Small Businesses Should Use

🛠️ Recommendations

There is no shortage of options for proper backup at a small business price point. The right choice depends on what you are protecting and how much recovery speed matters.

For Microsoft 365 data (SharePoint, Teams, Exchange)

Microsoft does not back up your data. You need a third-party Microsoft 365 backup tool. Options worth looking at include Veeam Backup for Microsoft 365, Acronis Cyber Backup, and Backupify. These take independent copies of your M365 data on a schedule and store them separately from Microsoft's infrastructure.

For file servers and endpoints

Veeam, Acronis, and Datto cover most SMB scenarios. Datto in particular is worth considering for businesses where downtime cost is high, as it supports image-based backups with fast virtualisation so you can spin up a recovered environment quickly rather than waiting for a full restore.

For very small businesses on a tight budget

Backblaze Business Backup is inexpensive, runs silently in the background, and keeps 30-day version history with the option to extend. It is not a full enterprise solution but it is a significant step up from relying on sync alone and costs almost nothing.

For Google Workspace data

Google does not back up Workspace data on your behalf either. Spanning Backup and Backupify both cover Google Workspace and take regular independent copies of Gmail, Drive, Calendar, and Contacts.

Test your restores
A backup you have never tested is a backup you cannot trust. Run a restore drill at least once a quarter. Pick a random file or folder, restore it from backup, and confirm it works. Companies regularly discover their backup jobs have been failing silently for months - only when they try to recover from an actual incident. At that point there is nothing to restore.

Dropbox and Google Drive are good products for what they do. What they do is sync files. That is a different problem from protecting files. Use them for accessibility and use a dedicated backup tool for recovery. Do not confuse the two.

Backup Data Protection Cloud Storage Dropbox Google Drive Microsoft 365 Ransomware Small Business IT
// monthly tips

Get M365 tips in your inbox

Practical Intune and Microsoft 365 tips, once a month. No spam, no fluff.