I’m looking to set up a small business working from home, and would like some advice on backup and security measures. I have an Office 365 account so my main directory for saving documents will be OneDrive. I was looking to back up on a Synology NAS drive, perhaps to two separate hard drives as a precaution. Also, I currently just use Windows’ built-in security, but wondered whether I should look for something else. Initially, it would just be me, but if things go well then I may have another two or three people helping. I’m assuming I can just scale up any security measures as the need arises.

Allen

Technology manufacturers cater to two very large markets with different needs: home users and businesses. You’re about to enter the SoHo (small office, home office) market where home technologies dominate because most single traders don’t need proper business systems with all the extra costs and complications involved.

Some complications are unavoidable. These include, as you know, backup and security, plus things like coping with data protection requirements. But as you will be a startup business working from home, I suggest using home technologies as far as possible. You can move to a business-oriented approach when you need to expand. When that time comes, you will have a much better idea of what you actually need.

However, note that the Home and Personal versions of Office 365 are not licensed for commercial use, even though many people don’t know about or ignore this restriction. If you’re on a Home version, consider switching to one of the small business versions (up to 300 users), if only for the 24/7 support.

Office 365 Business Essentials is the cheapest because it doesn’t include the desktop Microsoft Office programs, which Office 365 Business does. In the long run, Office 365 Business Premium is the best option because it includes business-class email with your own domain name via Microsoft Exchange. It also includes a calendar and booking feature, SharePoint and Teams collaboration software (Teams is Microsoft’s rival to Slack), invoicing, and a lightweight CRM (customer relationship management) program.

Anti-malware solutions

There are many things to consider when choosing anti-malware software. How good is it at protecting your PC? Does it create other problems by making your PC slower or by blocking things unnecessarily? (File blocking and “false positives” can be really annoying.) How valuable are the things you need to protect? What are the risks? How much does it cost?

Microsoft Defender (formerly Windows Defender) is good enough for most home users and many business users. I use it myself. It doesn’t offer the maximum protection, but it rarely causes any problems, and it’s free.

Some people should consider paying for extra protection. For example, they may have data that is particularly valuable, because they work for a financial institution or whatever. They may be potential targets because they work for a non-governmental organisation or, for example, the Dalai Lama. They may be at greater risk because they surf hacking sites or the dark web, or because a lack of understanding leads them to do stupid things. People who have the best AV software can still get their PCs infected by attacks based on scam emails and/or fake websites and “social engineering”. You can email people password-protected viruses and persuade some of them to decrypt and run the files.

Paid-for anti-virus suites try to improve on or offer utilities that Windows lacks. These can include password managers, real-time protection based on scanning background processes, anti-phishing and anti-ransomware features, controlling access to USB ports and external drives, botnet protection and network monitoring. Some of these are useful to small businesses where PCs are used by staff who are not computer experts. Kaspersky’s promotional blog post, “The 10 most important features of Kaspersky Small Office Security”, will give you an overview.

There are plenty of reviews of anti-virus products for small business on sites such as Windows Report, Digital Trends and Tech Radar. The consensus is that Bitdefender for Business is probably your best bet, and good value. Kaspersky Small Office Security for Business and the Avast Endpoint Protection Suite Plus are also worth a serious look. You can usually get a free trial period so have a quick look at the suites you fancy, preferably on a spare PC.

Oddly enough, having a good, trusted backup is also a good form of anti-virus protection. Ransomware doesn’t work on people who know all their data is safely stored offline.

Cloud-based security

Note that pretty much every effective computer security system, including Microsoft’s, now uses the cloud to store, update and check virus signatures, and Cloud AI to analyse suspicious processes. Some things – digital fingerprints or even whole files – may be uploaded for extra checking. I don’t regard this as a threat to privacy and, frankly, I think it’s stupid to block it.

Cloud systems lighten the load on the local PC, and as Webroot showed roughly a decade ago, provide better protection. Companies with “honeypot” PCs and continuous updates from millions of users can spot and deal with new and emerging threats long before they reach your PC. As a result, a growing number of companies are now marketing Cloud Antivirus or Security Cloud software. This is clearly where the AV industry is heading.

Simple backups

I’ve been writing about backups for decades, and you can get most of the information you need from earlier answers. Two appropriate ones, in this case, are “What is the best way to back up data?” and “Is my data safe in online drives, or should I back it up as well?”

In brief, you should have backups of all your business data on different media (choose between hard drives, optical discs, SD cards, online and so on) and in different places, in case you are burgled or your house burns down. OneDrive should provide an online/off-site backup of all your business data, but I’d still want some form of backup stored outside your house.

However, at this stage, I would not buy a NAS (network-attached storage) device. You don’t need one. You could justify a NAS if, for example, you wanted to stream media files to half a dozen laptops and smartphones, or your business depended on several people sharing files at once. For your purposes, the extra complexity and cost don’t make sense.

In any case, a NAS is not, by itself, a very good backup. You would certainly want to back it up to an external hard drive. Instead, just use one external hard drive to back up your PC, and a second external hard drive to back that up.

Business recovery

What you really need is a business recovery system. If something failed, how long would it take you to get back up and running? How long a delay is acceptable?

I have a desktop PC with all the files on the hard drive synchronised to an external USB hard drive using FreeFileSync, backed up to a second external hard drive. These files are not compressed or encrypted so they don’t need to be restored. If my desktop’s hard drive fails – which it has done – then I can switch to a laptop, plug in one of the external monitors, the keyboard and the external hard drive, and carry on as normal in 10-15 minutes. Of course, I had to spend some time the next day installing a new hard drive and restoring my old system from a different backup – a big, digital blob – but I could do that at my leisure. It didn’t affect my work.
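A synchronised copy reproduces whatever happens to the originals, including damage, so it is worth comparing the working folder with the backup before each sync. The script below is an added example, not part of the original column and not a FreeFileSync feature; the function names and the 20% threshold are assumptions chosen for illustration.

```python
import hashlib
from pathlib import Path


def file_digest(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file's path relative to root -> SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_mirror(source, mirror):
    """Compare a working folder with its plain-file mirror on a backup drive."""
    src, dst = snapshot(source), snapshot(mirror)
    return {
        "backed_up": len(dst),                    # files currently on the backup
        "missing": sorted(set(src) - set(dst)),   # in source, not yet backed up
        "extra": sorted(set(dst) - set(src)),     # on the backup, gone from source
        "changed": sorted(n for n in src.keys() & dst.keys() if src[n] != dst[n]),
    }


def safe_to_sync(report, max_changed_fraction=0.2):
    """Refuse to refresh the backup when an unusually large share of the
    already-backed-up files has changed or vanished since the last sync
    (mass rewriting or renaming is what ransomware does to a folder).
    The 20% threshold is an assumed starting point, not a standard."""
    if report["backed_up"] == 0:
        return True  # first backup: nothing good to overwrite
    touched = len(report["changed"]) + len(report["extra"])
    return touched / report["backed_up"] <= max_changed_fraction


if __name__ == "__main__":
    import sys
    report = compare_mirror(sys.argv[1], sys.argv[2])
    for kind in ("missing", "extra", "changed"):
        print(f"{kind}: {len(report[kind])}")
    print("safe to sync" if safe_to_sync(report) else "STOP: review before syncing")
```

Saved under a name of your choosing (check_mirror.py, say), it takes the working folder and the backup folder as its two arguments; if it says stop, leave the backup drive unplugged until you know why so many files changed.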

It’s relatively easy for me because I do almost everything in Microsoft Office, which was already installed on my laptop, all my email is online in Outlook, and I don’t have a lot of data. (My whole work directory of about 10,500 files takes up 3GB.) It might be harder for people with more complicated setups, but should be easier for you if everything is in OneDrive. You might even be able to manage with the online versions of the Microsoft Office programs.

Business recovery is a much broader concept than backups. It involves going through your business processes and working out what you would do if any hardware, software or communications link failed, or if you were hacked, or hit by some type of natural disaster.

Companies that don’t have viable business recovery strategies can easily go out of business.
