We talk to business owners every week who tell us confidently: "Yes, we have a backup." When we dig in, the reality is usually one of these three scenarios: the backup is on the same machine that would be destroyed in a fire, the backup hasn't run successfully in months, or nobody has ever tested whether the backup actually restores.
Having "a backup" is not the same as having a working, recoverable backup. The 3-2-1 rule is the industry standard that closes every one of these gaps. Here's exactly what it means and how to implement it.
What Is the 3-2-1 Rule?
The rule is simple to remember: 3 copies of your data, on 2 different types of media, with 1 copy stored offsite.
- 3 copies: Your live data + two backups
- 2 media types: For example, an external hard drive AND a cloud backup — not two external drives
- 1 offsite: At least one copy must be physically or geographically separate from your office
A client came to us after a ransomware attack that encrypted their entire server — including the backup drive that was plugged into the same machine. Their only copy of five years of patient records was gone. A proper 3-2-1 strategy would have saved them.
Why Each Number Matters
Why 3 copies?
Because hardware fails. A single backup on a single drive has roughly a 5% annual failure rate. Two copies drop that to a statistical rarity. Three copies give you one working backup even if two methods fail simultaneously — which does happen during disaster scenarios.
Why 2 media types?
Different storage technologies fail in different ways. A cloud backup fails if your internet is down; a local drive fails if there's a fire or flood. Using two different types means no single failure mode can take out both copies.
Why 1 offsite?
Fire, flood, theft, or a ransomware attack that spreads across your network will destroy everything in your physical location. An offsite copy — whether that's a cloud service or a drive kept at a different location — is your ultimate safety net.
Common Mistakes We See
- Backup to a drive plugged into the same server — ransomware encrypts everything connected to that machine
- Only backing up to one cloud service — cloud providers have outages and can permanently delete data
- Never testing restores — a backup that can't be restored is worthless. Test monthly.
- Backing up the wrong files — many businesses back up desktops but forget the server, email, or accounting software databases
- Infrequent backups — if your last backup was a week ago and your server dies today, you lose a week of work
What a Proper 3-2-1 Setup Looks Like for a Small Business
A practical implementation for a 5-25 person Toronto business typically looks like this:
- Copy 1: Live data on your server or workstations
- Copy 2: Local backup appliance (NAS or backup server on-site) running continuous or nightly backups
- Copy 3: Cloud backup service (e.g., Datto, Veeam Cloud, or Backblaze B2) running daily offsite replication
With this setup, you can recover from a ransomware attack in hours rather than weeks — or never. Starcomm designs and manages exactly this type of layered backup infrastructure for our clients across Toronto and Mississauga.
How to Test Your Backup Today
Don't assume your backup works. Take these steps this week:
- Open your backup software and check the last successful backup timestamp
- Look for any error or warning alerts — these are often ignored and pile up unnoticed
- Pick one non-critical file or folder and attempt to restore it to a different location
- Confirm the restored file opens correctly and is the expected version
If you can't complete any of these steps, call us. A broken backup you don't know about is far more dangerous than having no backup at all — because it gives you false confidence.