The 3-2-1 rule is the simplest way to make backups actually protect the company, rather than just look good in a report. It sounds trivial, but the devil is in how you implement it.

What 3-2-1 exactly means

  • 3 copies of your data: the original and two backups.
  • 2 different media or technologies, so that one failure does not take everything.
  • 1 copy off-site, separated from the main environment.

The point is that losing one copy, one device or one location does not mean losing your data. It is the cheapest insurance a company can have.

The most common mistake: a permanently connected backup

We see it constantly when taking over environments. Copies sit on a network drive connected to the same domain and the same credentials as production. Then a ransomware attack encrypts the data and the backups at the same moment.

A modern attack looks for the backup first, because it is the backup that decides whether the company will pay the ransom. A copy the attacker can reach is not a safeguard.

That is why at least one copy should be immutable or separated, out of reach of ordinary credentials.

Microsoft 365 is not your backup

A common, costly misconception. Microsoft is responsible for the availability of the service, not for recovering your data after it has been deleted by a user or an attacker. The recycle bin and version history have time limits.

  • Email, OneDrive, SharePoint and Teams require an independent copy.
  • Without it, deleted data disappears for good after a certain time.

This is exactly the scenario in which a company finds out it has no backup at the worst possible moment.

A copy without a test is just an assumption

A backup no one has restored is hope, not a guarantee. A copy can run for years and look fine, only to turn out incomplete during a real failure.

  • Set your RTO, that is, how quickly you need to be back at work.
  • Set your RPO, that is, how much data you can afford to lose.
  • Test restores regularly, rather than just checking whether the job ran.

Where to start in practice

  1. Make a list of critical data and assign it an RTO and RPO.
  2. Design your copies in a 3-2-1 model, with one immutable copy off-site.
  3. Cover Microsoft 365 with backup too, not just servers.
  4. Plan restore tests and monitoring, so that a failed backup is an alert rather than silence.

If you want to be sure your copies really work, see how we deliver server backup and Microsoft 365 backup.