
The 3-2-1 Backup Rule for Small Business

14 May 2026 | By CIO Tech

Most businesses have backups. Most businesses have never tested whether those backups actually work.

That is not a guess. It is what we see in almost every IT environment we assess. The backup is running, the dashboard shows green ticks, and everyone assumes the data is safe. Then something goes wrong (ransomware, a failed server, an accidental deletion) and the restore fails, or the backup is weeks out of date, or the backup was encrypted by the same ransomware that hit the server.

The 3-2-1 backup rule is the standard that prevents this. It is simple to understand and, with the right setup, straightforward to maintain.

What the 3-2-1 Rule Actually Means

Three numbers, three requirements:

3 copies of your data. Your original data plus two backup copies. If one backup fails or is compromised, you still have another.

2 different types of storage media. Your backups should not all sit on the same system. If your data is on a local server, one backup might be on a separate network-attached storage device and another in the cloud. The point is redundancy. If one type of storage fails, the other survives.

1 copy stored offsite. At least one backup must be physically or logically separate from your main environment. If your office floods, if your server room overheats, if ransomware encrypts everything on your network, the offsite copy is untouched.

This is not a new concept. The 3-2-1 rule has been around for decades because it works. What has changed is the threat landscape. Ransomware has made one additional requirement essential: immutability.

Three copies, two media types, one offsite. Tested.

Why Immutable Backups Matter

An immutable backup is one that cannot be changed, deleted, or encrypted: not by your staff, not by your IT provider, and not by an attacker who has compromised your network.

Modern ransomware is designed to find and destroy backups before encrypting your production data. Attackers know that if they only encrypt your servers, you will restore from backup and carry on. So they target the backups first.

An immutable backup solves this. Once the data is written, it cannot be altered or deleted until a set retention period has expired. That protection has to come from the storage platform itself (a write-once retention lock that not even the account's own administrators can shorten), not just from a permission setting in the backup software, and the backup system should authenticate with its own credentials rather than your everyday domain admin accounts. Set up that way, even an attacker who gains full admin access to your network cannot touch the immutable copy.

For a deeper look at how immutable backups work, see our guide to immutable backups.

“The Backup Is Running” Is Not Enough

Here is what we typically find when we audit a small business’s backup environment:

Backups that have been failing silently for months. The job was set up years ago. No one is monitoring it. The dashboard shows errors that no one is reading.

No offsite copy. The backup runs to an external hard drive sitting next to the server. If the office is broken into or catches fire, both the server and the backup are gone.

No restore testing. The backup runs daily, but no one has ever tested whether the data can actually be restored. A backup that cannot be restored is not a backup. It is a false sense of security.

Backup on the same network as production. The backup device is connected to the same network as everything else. Ransomware that spreads across the network encrypts the backup along with everything else.

Any one of these gaps can turn a manageable incident into a business-threatening disaster. If you want to walk through your own setup the same way we would in an audit, our Backup Audit Checklist is free and takes about 20 minutes.

What a Proper Backup Looks Like

A backup setup that follows the 3-2-1 rule and accounts for modern threats looks like this:

Automated daily backups of all critical data: files, databases, email, and system configurations. Not just documents. If your server died tomorrow, you should be able to rebuild the entire environment from backup.

Local backup to a dedicated device on your network for fast restores. If a staff member accidentally deletes a file, you can recover it in minutes.

Offsite or cloud backup to a geographically separate location. This covers fire, flood, theft, and network-wide ransomware. The offsite copy is your last line of defence.

Immutable retention on at least one copy. A set period (typically 30 to 90 days) during which the backup data cannot be modified or deleted by anyone. The window needs to be longer than the time it could take you to notice that an attacker has been inside your environment; otherwise the clean copies will have aged out before you need them.

Regular restore testing. Not once a year. Quarterly at minimum. Your IT provider should be performing test restores and documenting the results. If they are not, ask them why. Your backup and disaster recovery setup is only as reliable as the last successful test restore.

How to Check Whether Your Backups Are Actually Working

Ask your IT provider these four questions:

  1. Are we following the 3-2-1 rule: three copies, two media types, one offsite?
  2. Are any of our backups immutable?
  3. When was the last time you tested a full restore?
  4. If our main server was encrypted by ransomware right now, how long would it take to get us back up and running?

If they cannot answer all four clearly and confidently, you have a gap that needs closing.

Get a Clear Picture

Your backups are one part of your overall security stack. If you are not sure whether your backup setup would survive a real incident, an IT Audit will give you the answer. We review your backup configuration, test your restore capability, and give you a clear report with priorities. It is $990, it takes 90 days, and there is no ongoing commitment. Just a straight assessment of where you stand.
