“We have a backup” is one of the most dangerous things a business owner can believe without verifying.
I’ve had the conversation with clients after ransomware hits. “We have a backup, right?” The answer is almost always: sort of. We have something that we thought was a backup. But it hasn’t been tested. Or it’s on the same network as the infected machines. Or it ran for a while and then stopped and nobody noticed.
The 3-2-1 rule is a simple framework for backup that actually works. It’s been the industry standard for over 20 years because it survives scenarios that simpler approaches don’t.
What 3-2-1 means
3 copies of your data. Your original data plus two backups. This sounds redundant until you realize how many failure modes it covers - a failed backup job, a corrupted backup file, accidental deletion of a backup.
2 different types of storage. Don’t keep both backups on the same type of media. If you have a local external drive and a cloud backup, that’s two storage types. If you have two external drives sitting next to each other, fire or theft takes both. If you have two cloud services on the same account, a credential compromise takes both.
1 copy offsite. At least one backup has to be somewhere physically separate from your primary location. This protects against the scenarios that would destroy on-site backups entirely: fire, flood, theft, or ransomware spreading across your local network and encrypting the backup drive too.
For most small businesses, “offsite” means cloud. Azure Backup, Backblaze B2, Wasabi, IDrive Business - all solid options at prices that have dropped significantly in recent years. A 1 TB cloud backup typically runs $5–$20/month.
The part most people skip: verification
A backup you’ve never tested is not a backup you can count on.
Testing a backup means actually restoring something from it. Not just checking that the backup job shows “success” in the log - pulling a real file or folder from the backup and confirming it opens correctly. Ransomware groups have been known to target backup software and corrupt the backups in ways that don’t show up in job logs. The only way to know your backup works is to use it.
Do a test restore quarterly. Pick a random folder. Pull it. Confirm it. Five minutes of verification every three months is enormously cheaper than finding out your backups were corrupt when you actually need them.
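One way to script the "confirm it" step of a test restore, as an added example that is not part of the original post: it hashes every file in a live folder and compares it with the copy pulled from backup into a scratch location. The function names, the optional backup_time parameter and the sample files are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_restore(source_dir, restored_dir, backup_time=None):
    """Compare a test restore against the live folder it was taken from.

    backup_time (epoch seconds, optional): live files modified after it are
    listed as 'changed_since_backup' rather than counted as failures.
    """
    source_dir, restored_dir = Path(source_dir), Path(restored_dir)
    report = {"ok": [], "missing": [], "mismatch": [], "changed_since_backup": []}
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir).as_posix()
        dst = restored_dir / rel
        if backup_time is not None and src.stat().st_mtime > backup_time:
            report["changed_since_backup"].append(rel)
        elif not dst.is_file():
            report["missing"].append(rel)      # backup job skipped or lost it
        elif sha256_of(src) != sha256_of(dst):
            report["mismatch"].append(rel)     # restored bytes differ: corrupt
        else:
            report["ok"].append(rel)
    return report

def demo():
    """Constructed sample: a live folder and a restore with two defects."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        (live / "sub").mkdir(parents=True)
        (restored / "sub").mkdir(parents=True)
        (live / "invoice.txt").write_text("total: 1200")
        (restored / "invoice.txt").write_text("total: 1200")
        (live / "sub" / "ledger.csv").write_text("a,b\n1,2\n")
        (restored / "sub" / "ledger.csv").write_text("\x00\x00\x00")  # corrupt copy
        (live / "contract.docx").write_bytes(b"constructed")  # never restored
        return verify_restore(live, restored)

if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

A mismatch on a file that was edited after the backup ran is expected; pass the backup's timestamp as backup_time to separate those from real corruption.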
What counts as a backup (and what doesn’t)
OneDrive or SharePoint sync: Not a backup. Syncing means that if you delete a file on your computer, it gets deleted in OneDrive too. Microsoft 365 has a recycle bin with some retention, but relying on it as your primary recovery plan is risky. Use it as one copy; back it up separately with a tool like Veeam or Synology Active Backup for Microsoft 365.
External hard drive in your desk drawer: One copy, one location, one storage type. Fails the 3-2-1 test by itself. Fine as one component of a three-part strategy; not fine as your only backup.
RAID on your server: RAID is not a backup. RAID protects against a single drive failure. It doesn’t protect against ransomware, accidental deletion, fire, or most other data loss scenarios. Many businesses learn this the hard way.
A simple 3-2-1 setup for a small office
- Local backup to a NAS (Network Attached Storage) device - separate from your workstations/server
- Cloud backup from the same NAS or from your Microsoft 365 / Google Workspace using a dedicated backup tool
- Original data on your workstations, server, or Microsoft 365
This covers the three copies, two media types (local NAS + cloud), and one offsite (cloud). Cost for a small setup: $200–$500 in hardware (NAS) plus $20–$50/month in cloud storage and backup software.
If you’re not sure whether your current backup setup actually meets this standard, it’s worth finding out before you need to find out the hard way. DarkHorse IT can audit your backup situation and tell you exactly where you stand.