The 3-2-1 rule is the simplest way to make backups actually protect the company, rather than just look good in a report. It sounds trivial, but the devil is in how you implement it.
What 3-2-1 exactly means
- 3 copies of your data: the original and two backups.
- 2 different media or technologies, so that one failure does not take everything.
- 1 copy off-site, separated from the main environment.
The point is that losing one copy, one device or one location does not mean losing your data. It is the cheapest insurance a company can have.
The most common mistake: a permanently connected backup
We see it constantly when taking over environments. Copies sit on a network drive connected to the same domain and the same credentials as production. Then a ransomware attack encrypts the data and the backups at the same moment.
A modern attack looks for the backup first, because it is the backup that decides whether the company will pay the ransom. A copy the attacker can reach is not a safeguard.
That is why at least one copy should be immutable or separated, out of reach of ordinary credentials.
Microsoft 365 is not your backup
A common, costly misconception. Microsoft is responsible for the availability of the service, not for recovering your data after it has been deleted by a user or an attacker. The recycle bin and version history have time limits.
- Email, OneDrive, SharePoint and Teams require an independent copy.
- Without it, deleted data disappears for good after a certain time.
This is exactly the scenario in which a company finds out it has no backup at the worst possible moment.
A copy without a test is just an assumption
A backup no one has restored is hope, not a guarantee. A copy can run for years and look fine, only to turn out incomplete during a real failure.
- Set your RTO, that is, how quickly you need to be back at work.
- Set your RPO, that is, how much data you can afford to lose.
- Test restores regularly, rather than just checking whether the job ran.
Where to start in practice
- Make a list of critical data and assign it an RTO and RPO.
- Design your copies in a 3-2-1 model, with one immutable copy off-site.
- Cover Microsoft 365 with backup too, not just servers.
- Plan restore tests and monitoring, so that a failed backup is an alert rather than silence.
If you want to be sure your copies really work, see how we deliver server backup and Microsoft 365 backup.