We all know they are important to ensure the resilience and continuity of the business if something happens. Here is the minimum to consider to establish an effective backup strategy.
How often depends on you, your needs, business and speed at which things can change...
For the web applications I build, I have the code hosted in github or gitlab, that I trust to be reliable enough. For other files and database, I have a baseline of daily backup, as well as everytime I deploy a new version that alter the data schema.
It is a "semi-random" decision that makes sense in my context. Yours may be different.
To multiple locations
You need as many copies as possible. But that's not always very practical.
What you need to make sure is that there is no risk (or as little as possible) for you to loose anything important.
And what's important depend on you. It can be code (use source version control, backed up if you self-host it (hint: in most cases, it is not worth the headache)), database, documents, ...
Which is why you need multiple locations, as sure as you want to be that your system has reliable backups, you want to be sure that those backups are available when you need them.
There are multiple risks that can affect them. Make sure you got things covered. Hardware failure, security of the facility, vulnerability of the facility (to weather, hazards like fire, ...), network breakdowns, war, ... anything you can imagine.
Which means that locations should be independant from each other.
For each location you add, you're increasing the chances of being able to retrieve a working backup should you need it. Unless you're extremely unlucky...
That you can recover with
We touched a bit about availability above, but that is another point to make sure, and it can easily be forgotten...
You need to make sure you can actually recover using your backups.
After all, that's the point of having backups... If you can't use them for any reason, it's as bad as not having any...
So, make sure that your backup process work seamlessly, that you can retrieve what you need when you need it and that the end result is usable.
If you have the time, a little recovery test once in a while doesn't hurt.