Most SMBs are using AI but data loss remains a persistent risk

Across Australia, small and medium-sized businesses (SMBs) are racing to adopt AI. According to Deloitte’s 2025 research, the majority (54%) of SMBs are integrating AI across the business while 41% use AI for simple tasks like email automation. While AI offers faster growth, smarter customer engagement and more efficient operations, it also creates a dangerous paradox: the more SMBs rely on data to drive their business, the greater their exposure to potential data loss.

The scale of that vulnerability is becoming increasingly clear, especially in the event of a cyber attack or major system disruption. According to Commvault’s 2025 State of Data Readiness in ANZ, 80% of business leaders expect to recover within five days — however, 55% of businesses take more than a week to do so, with the average being four weeks. Of those breached, only one in three (32%) recovered 100% of their data.

As AI adoption accelerates, these risks are magnified, making resilience more critical than ever. So how can SMBs build strategies to protect their operations and data?

The resilience gap: AI adoption outpacing data protection

AI amplifies data risk as much as it amplifies capability. Deploying AI for customer personalisation, predictive analytics and automated operations enables growth, but also concentrates business-critical functions on digital infrastructure — often without updating backup and data resilience strategies to match.

According to Boston Consulting Group’s (BCG) 2025 research, 78% of APAC employees use AI at least weekly, yet only 33% feel they understand these tools well. The significant knowledge gap is concerning as AI is scaling rapidly while many SMBs still rely on single-point backup strategies, whether cloud-only or local-only, leaving them exposed to vulnerabilities.

Cloud-only approaches can falter when service outages, latency or bandwidth throttling delay recovery at critical moments. Conversely, local-only backups offer little protection if ransomware encrypts both primary and backup data simultaneously. Even routine internet disruptions can derail recovery efforts during crucial recovery windows when businesses depend solely on remote access to restore systems.

The 3-2-1 rule: an enduring standard, emerging urgency

As businesses embed AI deeper into core operations, the importance of a layered backup strategy is paramount. Downtime that once meant lost productivity could now mean halted AI-driven operations, broken customer commitments, and regulatory penalties under tightening data protection laws.

This is why the proven 3-2-1 backup rule is increasingly becoming a baseline requirement rather than a best practice for SMBs in the AI era. The strategy is simple but adds critical safeguards.

‘3’ means the original plus two backups of different sources, while ‘2’ ensures those backups reside on different storage technologies. For example, saving the original copy on a file server using HDDs, with two backup copies on a NAS device, an external drive or in the cloud. This diversification reduces the risk of simultaneous failure. Finally, ‘1’ requires an offsite copy that is immutable — such as a cloud backup in a remote data centre that cannot be altered or deleted, even if the main or primary network is breached.

This multi-layered approach helps improve the likelihood that businesses can continue operating even with AI-powered threats that could potentially bypass initial defences and also makes it easy to recover after data loss.

Ultimately, resilience must be engineered rather than assumed. Layered backup architectures that span local, removable and offsite storage form the foundation for dependable data protection at scale. The 3-2-1 strategy is no longer optional for AI-era SMBs.

Hybrid strategy: the middle ground between cloud dependence and local control

While cloud storage is a critical component of SMBs’ backup strategies, connectivity issues, service availability constraints and long-term cost predictability can all become challenges when cloud is treated as the sole line of defence.

A hybrid backup model that combines cloud and local HDD backup is a more resilient approach. This allows SMBs to retain rapid access and recovery capabilities while maintaining greater control over performance, efficiency and data availability during disruptions or service limitations. Local backups enable faster restores and continued access even when networks or cloud services are unavailable, while cloud backups provide offsite protection and scalability.

Cloud and local storage should be viewed as complementary rather than competing. Together, they enable SMBs to build balanced backup environments that meet the requirements of the 3-2-1 strategy, aligning accessibility with control and reinforcing operational resilience under real-world conditions.

Backup as a business continuity capability

As SMBs accelerate AI adoption, the real advantage will go to those who build data resilience into their foundations rather than retrofit it after a crisis.

The question for SMB leaders is: Can your business survive 48 hours without your data? If not, it’s time to rethink backup as infrastructure, not insurance. In an AI-driven, always-on environment where disruption may be inevitable for SMBs, aligning layered resilience, hybrid cloud flexibility and local control under the 3-2-1 framework transforms backup from a technical safeguard into a strategic business capability — one that minimises disruption, protects customer trust and underpins long-term resilience.

Image credit: iStock.com/hirun