The 3-2-1 Backup Rule: How to Back Up Your Business Data
The 3-2-1 backup rule is the gold standard for data protection. Here's what it means and how Australian small businesses can implement it easily.
Imagine coming into work one morning to find that every file your business has ever created — every client record, every invoice, every document — has been encrypted by ransomware. The criminals want $15,000 to give you the decryption key. Do you pay? Or do you restore from a backup?
If your backup strategy is solid, you restore from backup, rebuild, and get back to business. If your backup strategy has gaps — and for many small businesses, it does — you face a devastating choice with no good options.
The 3-2-1 backup rule is a simple, time-tested framework that eliminates those gaps. It is recommended by the Australian Signals Directorate (ASD) and is widely considered the gold standard for data protection. Best of all, it is achievable for businesses of any size.
What Is the 3-2-1 Backup Rule?
The 3-2-1 rule says:
- 3 — Keep three copies of your data
- 2 — Store it on two different types of media
- 1 — Keep one copy offsite (or offline)
Let us break each of these down.
Three copies of your data
One is your live, working data — the files you use every day. The second is your primary backup. The third is an additional backup, separate from the first. Why three? Because backups fail. Hard drives fail. Human error happens. Having a third copy means that if your primary backup is unavailable when you need it, you are not left with nothing.
Two different types of media
Storing all your backups on the same type of storage — say, multiple external hard drives made by the same manufacturer — means a single failure mode (a particular fault, a firmware issue, even a manufacturing defect) could take out multiple backups at once. Using two different media types (for example, a local NAS device and cloud storage) reduces this risk. Common combinations include:
- Internal drive + external hard drive + cloud
- NAS (Network Attached Storage) device + cloud backup service
- Server + cloud backup + tape (for businesses with larger data volumes)
One copy offsite or offline
This is the most critical element — and the one most often missing in small business backup strategies. If all your backups are in the same physical location as your primary data, a single event — a fire, a flood, a theft, or a ransomware attack that spreads across your network — can destroy everything at once.
An offsite copy can be cloud-based (geographically separated from your office) or a physical copy stored at a different location, such as a director's home. "Offline" is equally important for ransomware protection — a backup that is disconnected from your network cannot be encrypted by ransomware.
Why Small Businesses Often Get This Wrong
The most common backup mistake is simple: relying on a single backup method. A business might have an external hard drive plugged into their server at all times. That is one copy, on one medium, in one location. It is better than nothing, but it fails all three criteria of the 3-2-1 rule.
A permanently connected external drive is also vulnerable to ransomware. Modern ransomware actively scans for and encrypts connected backup drives — so that "backup" disappears at exactly the moment you need it most.
How to Implement 3-2-1 for Your Small Business
Step 1: Identify what data you need to protect
Not everything needs the same level of protection. Start by identifying your critical data: client records, financial data, operational databases, documents with regulatory or legal significance. Where does this data live — on local servers, individual computers, cloud platforms?
Step 2: Choose your backup tools
For most small businesses, a combination of cloud backup and local backup covers the 3-2-1 requirements effectively.
Cloud backup services to consider:
- Acronis Cyber Protect — comprehensive backup with built-in ransomware protection, popular with Australian SMBs
- Veeam — strong option for businesses with on-premises servers or virtual machines
- Backblaze for Business — affordable cloud backup for files on individual computers
- Microsoft 365 Backup (via Microsoft) or third-party tools like Veeam Backup for Microsoft 365 — critical if your business data lives in SharePoint, OneDrive, or Exchange
Important note on Microsoft 365 and Google Workspace: These platforms are not backups of your data. They provide some version history and recycle bin functionality, but they are not designed for long-term backup or recovery from major incidents. If your business data lives primarily in these platforms, you need a dedicated third-party backup solution.
Local backup options:
- External hard drives — affordable but must be kept disconnected when not in use
- NAS (Network Attached Storage) devices — useful for automated local backups; brands like Synology and QNAP are popular
- Windows Server Backup or Apple Time Machine for individual machines
Step 3: Automate your backups
Manual backups get forgotten. Any backup that requires a human to remember to do it will eventually not happen. Configure your backup software to run automatically — daily at minimum, more frequently for high-transaction data like sales records or booking systems.
Step 4: Make one copy immutable or air-gapped
For ransomware protection, at least one of your backup copies should be either immutable (cannot be modified or deleted, even by administrators) or air-gapped (physically disconnected from your network). Most modern cloud backup services offer immutable storage options. For physical media, this means physically disconnecting the drive after each backup.
Step 5: Test your backups regularly
A backup you have never tested is a backup you cannot trust. At a minimum, attempt a test restore of a sample of files every quarter. We have a dedicated guide on backup testing that walks you through this process.
How Much Data Can You Afford to Lose?
Two important concepts to consider as you design your backup strategy:
- Recovery Point Objective (RPO) — how much data can you afford to lose? If you back up daily, you could lose up to a day's worth of data in an incident. For a high-transaction business, that might be unacceptable.
- Recovery Time Objective (RTO) — how long can your business operate without access to its data? If the answer is "not long," your backup and recovery process needs to be fast.
Defining these objectives helps you choose the right backup frequency and recovery approach.
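As an added example (not part of the original article), the following Python audit scores a constructed backup inventory against the three 3-2-1 criteria, the RPO defined above, and the quarterly test-restore cadence from Step 5; the `BackupCopy` type and `evaluate_321` function are assumed names, and the inventory values are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class BackupCopy:
    name: str
    media: str                  # "external-disk", "nas", "cloud", "tape", ...
    location: str               # where this copy physically lives
    offline_or_immutable: bool  # disconnected after each job, or immutable storage
    last_success: datetime      # last completed backup job
    last_test_restore: Optional[datetime] = None

def evaluate_321(live_location, copies, now, rpo, test_every=timedelta(days=90)):
    """Score a backup inventory against 3-2-1, RPO and test cadence.
    `copies` excludes the live working data, which counts as copy number one."""
    media_types = {c.media for c in copies}
    newest = max((c.last_success for c in copies), default=None)
    return {
        "three_copies": 1 + len(copies) >= 3,
        "two_media": len(media_types) >= 2,
        "one_offsite_or_offline": any(
            c.location != live_location or c.offline_or_immutable for c in copies),
        # RPO is met when the newest successful backup is no older than the RPO
        "rpo_met": newest is not None and now - newest <= rpo,
        # Copies never restored, or not restored within the test interval
        "untested": [c.name for c in copies if c.last_test_restore is None
                     or now - c.last_test_restore > test_every],
    }

# Constructed inventory: live data on an office server, backups run nightly at 02:00
NOW = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
USB_ALWAYS_ON = BackupCopy("usb-drive", "external-disk", "office", False,
                           NOW - timedelta(hours=7), NOW - timedelta(days=30))
CLOUD_IMMUTABLE = BackupCopy("cloud-vault", "cloud", "cloud-au", True,
                             NOW - timedelta(hours=7), None)

def single_drive_only():
    """The common mistake: one always-connected external drive in the office."""
    return evaluate_321("office", [USB_ALWAYS_ON], NOW, rpo=timedelta(days=1))

def drive_plus_cloud():
    """External drive plus an immutable cloud copy: satisfies 3-2-1."""
    return evaluate_321("office", [USB_ALWAYS_ON, CLOUD_IMMUTABLE], NOW, rpo=timedelta(days=1))

if __name__ == "__main__":
    print("single drive:", single_drive_only())
    print("drive + cloud:", drive_plus_cloud())
```

The single-drive inventory fails all three 3-2-1 checks even though it meets a one-day RPO, while the drive-plus-cloud inventory passes but is flagged because the cloud copy has never been test-restored.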
Key Takeaways
- The 3-2-1 backup rule means three copies of data, on two types of media, with one copy offsite or offline
- A single backup — particularly one that is always connected to your network — is not sufficient protection against ransomware or physical disasters
- Cloud backup services like Acronis or Veeam, combined with a local backup, typically satisfy 3-2-1 requirements for small businesses
- Microsoft 365 and Google Workspace are not backups — use a dedicated third-party solution for cloud data
- Automate your backups so they do not rely on human memory
- Test your backups regularly — an untested backup may not work when you need it most
Backup is one of the most important areas of cyber resilience for any business. Flagged is a free cyber risk assessment tool for Australian small businesses — it includes a thorough review of your backup and recovery posture. Visit flagged.com.au to get your free report today.