Which is best for keeping the backup of sensitive enterprise data: "onsite or offsite"?
The easy answer is that any enterprise-class backup system should include offsite backup. If all your eggs are in one basket, you are leaving yourself open to failure when you need your backup.
For instance, at smaller companies, theft of the server usually includes all attached peripherals and any backups in the immediate vicinity.
Placing backups in a fireproof safe may not prevent your backup media from melting at temperatures easily reached within the safe (even a little warping from direct sunlight can render some media inoperable).
Then there is a multitude of other disasters, both natural and man-made, that can ruin a company if they do not have data off-site.
Once you determine that you have to take sensitive data offsite, you must protect it from prying eyes while it is outside of your control. This even includes the transportation system used to deliver the data to the place of storage. Not long ago, a large company sent tapes for storage, only to have them misplaced by the carrier in shipment.
Transporting your data via an online service has several problems too. The biggest is that the transmit bandwidth of your Internet connection often limits the size of your backup as you do not wish to saturate the link during business hours. And then you have to worry about the security of the server that is always on the Internet. FYI, any backup service using FTP transmits your name and password in the clear over the Internet.
Now how do you protect the sensitive part? Well, the best answer is encryption.
In the end, only someone with knowledge of the data's sensitivity vs. the cost of its loss can determine if data should be stored off-site. However, even for the smallest of businesses I always recommend doing so, as no business can afford to lose data.
Unfortunately all of this boils down, all too often, to budget. TPHTA is correct in that no business can afford to lose all of its data. The question is how much data loss is acceptable. This will determine much of the cost of your backup solution.
A monthly off-site backup solution will cost much, much less than a weekly or daily solution.
Without any additional information there is a limit to what recommendations can be made. The only way to tackle this is to ask questions, which you have here at any rate. Come up with some cost estimates and threat and risk assessments: how much will it cost to do X, what are the risks we take, and do the risks outweigh the benefits? Present them to someone with budget discretion. Pray that they don't just say "whatever".
Most people see IT as a hole in the corporation that money disappears into, never to be seen again. Show them what that money is doing and you'll have more success.