Sequentur Blog
What Is the 3-2-1 Backup Rule and Does Your Business Follow It?
The 3-2-1 backup rule is the simplest framework for protecting your business data, and most small businesses violate it without realizing. The rule has been around for decades because it works. It is not theoretical. It is a practical minimum that covers the most common ways businesses lose data – hardware failure, ransomware, accidental deletion, fire, flood, and theft. If your backup strategy does not meet all three requirements, you have gaps that will surface at the worst possible time.
This guide explains the rule, walks through how each part protects you against a specific type of failure, shows where most small businesses fall short, and describes what a compliant backup setup actually looks like.
The rule
The 3-2-1 backup rule has three requirements:
- 3 copies of your data. Your production data (the files you work with every day) plus two backup copies. If you have one copy and one backup, a single failure wipes out your safety net.
- 2 different media types. Your backups should exist on at least two different types of storage. If both copies are on the same NAS, a firmware bug, ransomware, or power surge can take out both at once.
- 1 copy offsite. At least one backup must be physically separate from your office. If everything is in the same building, a fire, flood, or break-in takes out your production data and every backup simultaneously.
Each requirement protects against a different failure mode. Three copies protect against a single backup failing. Two media types protect against a technology-specific failure. One offsite copy protects against a physical disaster that affects your entire location.
Why each part matters
3 copies: protecting against backup failure
Backups fail more often than most people realize. A backup job that has been running green for months can silently produce incomplete or corrupted backup files. The backup software reports success, but the files it wrote are not actually restorable. You find out when you try to restore, which is the worst possible time to discover the problem.
With two backup copies, you have redundancy. If one backup turns out to be corrupted when you need it, the other gives you a second chance. If one backup is encrypted by ransomware, the other (stored separately) may still be intact.
The production data itself counts as copy one. Your first backup is copy two. Your second backup is copy three. That is the minimum. Some businesses keep more, especially in regulated industries where retention requirements demand years of backup history.
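The silent-failure problem described above (a job that reports success but writes files that cannot be restored) is only caught by actually restoring and comparing. The following Python script, added here as an example and not code from Sequentur or any backup vendor, records a SHA-256 manifest of the production tree at backup time and checks a restored copy against it. The manifest layout (relative path to hash) and the sample files are constructed for illustration.

```python
"""Record a SHA-256 manifest when a backup is taken and verify a restored
copy against it, so a job that reports success but produced truncated,
corrupted or missing files is caught during a test restore rather than
during a real one.

Added example, not code from Sequentur or a backup product. The manifest
shape (relative path -> hex digest) is an assumption for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored_root, manifest):
    """Compare a restored tree against the manifest recorded at backup time.

    Returns a dict keyed by relative path with one of three verdicts:
    "missing" (in manifest, not restored), "corrupt" (content differs) or
    "unexpected" (restored but never recorded). An empty dict means the
    restore reproduced the backed-up data exactly.
    """
    actual = build_manifest(restored_root)
    problems = {}
    for rel, expected in manifest.items():
        if rel not in actual:
            problems[rel] = "missing"
        elif actual[rel] != expected:
            problems[rel] = "corrupt"
    for rel in actual:
        if rel not in manifest:
            problems[rel] = "unexpected"
    return problems


def demo():
    """Constructed scenario: the 'restore' has one truncated file and one
    file that was never written, which is exactly what a green-but-broken
    backup job looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "production")
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "notes.txt").write_text("quarterly review\n")
        (src / "policy.pdf").write_bytes(bytes(range(256)) * 16)
        manifest = build_manifest(src)          # recorded at backup time

        restored = Path(tmp, "restored")
        restored.mkdir()
        (restored / "ledger.csv").write_text("id,amount\n1,100\n")  # truncated
        (restored / "policy.pdf").write_bytes((src / "policy.pdf").read_bytes())
        # notes.txt is never restored
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print(demo())
```

Store the manifest with the backup but on a copy the backup software itself cannot rewrite, so a job that overwrites its own output cannot also overwrite the evidence of what it was supposed to contain.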
2 media types: protecting against technology failure
If your production data is on a server and both backups are on an attached NAS, all three copies depend on the same technology stack – the same network, the same power supply, and often the same physical location. A NAS failure from a firmware update gone wrong, a power surge, or ransomware spreading across network shares can compromise all three copies at once.
“Different media” does not mean you need tape drives. It means your backups should not all live on the same type of storage in the same environment. Practical combinations for small businesses include:
- Local NAS or external drive + cloud backup
- Local backup server + offsite replication to a second location
- On-premises NAS + cloud storage (Azure Blob, AWS S3, Backblaze B2)
The point is that a single failure should not be able to reach all your copies.
1 offsite: protecting against physical disaster
This is the requirement most small businesses miss entirely. A backup that lives in the same building as your server protects you against hard drive failure. It does not protect you against a fire, flood, burst pipe, theft, or electrical event that damages the whole office.
Offsite backup used to mean driving a tape to a bank vault. Now it typically means cloud backup, replication to a second physical location, or both. Cloud backup is the most practical offsite option for most small businesses because it requires no second location, no manual transport, and no hardware to maintain at the offsite end.
How most small businesses violate the rule
We see the same patterns repeatedly when auditing backup configurations for new clients. Most businesses have some form of backup. Very few meet all three requirements of the 3-2-1 rule.
Backup to the same server or attached storage
This is the most common violation: a Windows Server backing up to an external USB drive or a NAS plugged into the same network. Both copies are in the same building, often on the same network segment, and sometimes powered by the same UPS. This satisfies “3 copies” (barely) but fails on “2 media types” (both are on local storage) and “1 offsite” (both are in the same room).
Ransomware is particularly dangerous in this setup. Modern ransomware variants specifically scan for network-attached storage, mapped drives, and connected backup devices. If your backup NAS is reachable from the infected machine, the attacker encrypts your backups along with everything else. Your backup becomes just as useless as the data it was supposed to protect. Our deep dive on why your backup might not save you from ransomware covers exactly how attackers target each type of backup storage and what it takes to make your backups truly resilient. Understanding how ransomware gets into small business networks makes it clear why backup isolation matters – the same access paths attackers use to reach your data are the ones they use to reach your backups.
Relying on Microsoft 365 retention as backup
This is increasingly common and it is not backup at all. Microsoft 365 retention policies are not backup. They are compliance tools with limited recovery capabilities. The recycle bin keeps deleted items for 93 days. Retention policies can hold data longer but do not provide point-in-time restore. If an attacker compromises your tenant admin account, they can disable retention policies and purge recycle bins. Your “backup” is controlled by the same system it is supposed to protect.
Microsoft 365 data needs real backup – a third-party solution that pulls copies to independent storage with separate credentials. Without it, your email, SharePoint files, and OneDrive data have zero copies outside of Microsoft’s platform. For a complete walkthrough of what to back up and how, see our guide on how to back up Microsoft 365 data the right way.
Cloud sync mistaken for backup
OneDrive, Google Drive, and Dropbox sync files between devices. They do not back them up. If you delete a file on your laptop, the deletion syncs to the cloud and every other device. If ransomware encrypts your local files, the encrypted versions sync up and overwrite the clean copies. Sync services have some version history and recycle bin features, but these are limited in duration and are not designed to survive a targeted attack.
Cloud sync is useful for file access. It is not a backup strategy. If you are using OneDrive or SharePoint as your primary file storage, understanding the difference between the two matters for backup planning – they have different retention behaviors and different backup requirements.
No offsite copy at all
Some businesses have a solid local backup – a dedicated backup server, good software, regular jobs that complete successfully. But everything is in the office. If the building floods, both the server and the backup are gone. This satisfies “3 copies” and “2 media types” but fails on “1 offsite.”
Adding cloud backup to an existing local backup setup is usually the fastest way to close this gap. It does not require replacing anything you already have. It adds the offsite layer on top of your existing setup.
What a compliant 3-2-1 setup looks like
For a typical 20-person business with an on-premises server and Microsoft 365, a 3-2-1 compliant backup configuration might look like this:
Copy 1 (production): The data itself – files on the server, email in Microsoft 365, databases in line-of-business applications like QuickBooks and other critical business software.
Copy 2 (local backup): A backup appliance or NAS on the local network running scheduled backup jobs. Full backups weekly, incremental backups daily. Retention of 30 to 90 days of local backup history for fast restores. For a deeper look at how to configure these jobs, see our server backup best practices guide.
Copy 3 (offsite/cloud backup): Local backups replicated to cloud storage nightly. Separate credentials from the local backup system. Retention of 90 days to one year depending on compliance requirements. Encrypted in transit and at rest. The backup frequency for each component should be driven by your RTO and RPO requirements – how fast you need recovery and how much data loss is acceptable.
Microsoft 365 backup: A third-party backup solution (Veeam, Datto, Acronis, or similar) backing up Exchange, SharePoint, OneDrive, and Teams to independent cloud storage. Daily backups with one year retention minimum.
This setup gives you three copies, two media types (local hardware and cloud), and one offsite copy (cloud). The local backup handles the most common recovery need – restoring a deleted file or recovering from a failed update – quickly and without internet dependency. The cloud backup handles the scenarios you hope never happen but need to plan for anyway.
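The setup above schedules the cloud replica nightly, and the paragraph on copy 3 ties that frequency to your RPO. A job that fails or simply does not run on a given night widens the window of data you would lose, and nothing in a "last run succeeded" dashboard shows it. The following Python script, added here as an example rather than Sequentur's monitoring, reads a constructed job log, keeps only successful completions, and reports every interval between them (and between the last one and now) that exceeds the RPO plus a scheduling tolerance. The log format and the job name are assumptions standing in for whatever your backup software emits.

```python
"""Check a backup job's completion history against an RPO target.

Added example, not Sequentur's monitoring. The log format (ISO timestamp,
job name, status) and the job name are constructed stand-ins.
"""
from datetime import datetime, timedelta

# Constructed job log for the nightly cloud replica described in the
# article: one night failed, and one night the job never ran at all.
JOB_LOG = """\
2024-03-01T02:10:00 cloud-replica success
2024-03-02T02:12:00 cloud-replica success
2024-03-03T02:11:00 cloud-replica failed
2024-03-04T02:09:00 cloud-replica success
2024-03-06T02:14:00 cloud-replica success
"""

RPO = timedelta(hours=24)      # accepted data loss for this job
SLACK = timedelta(hours=2)     # tolerance for normal schedule drift
NOW = datetime(2024, 3, 6, 9, 0)  # fixed "now" so the example is reproducible


def successful_runs(log_text, job):
    """Return sorted completion times of successful runs of one job."""
    runs = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, name, status = line.split()
        if name == job and status == "success":
            runs.append(datetime.fromisoformat(ts))
    return sorted(runs)


def rpo_gaps(runs, rpo, now, slack=timedelta(0)):
    """List (start, end, gap) intervals where the time between consecutive
    successful backups, or between the last one and now, exceeds rpo + slack.
    A failed run and a run that never started look identical here, which is
    the point: only successful completions count."""
    points = runs + [now]
    gaps = []
    for prev, cur in zip(points, points[1:]):
        gap = cur - prev
        if gap > rpo + slack:
            gaps.append((prev, cur, gap))
    return gaps


def worst_case_loss(runs, now):
    """Largest window of changes that would have been lost had a disaster
    struck just before a backup completed, anywhere in this history."""
    points = runs + [now]
    return max(cur - prev for prev, cur in zip(points, points[1:]))


if __name__ == "__main__":
    runs = successful_runs(JOB_LOG, "cloud-replica")
    for start, end, gap in rpo_gaps(runs, RPO, NOW, SLACK):
        print(f"RPO exceeded: {start} -> {end} ({gap})")
    print("worst-case loss window:", worst_case_loss(runs, NOW))
```

Run this against real job history on a schedule and alert on any non-empty result; the failed run on 03-03 and the missing run on 03-05 each produce a window of roughly 48 hours against a 24-hour RPO.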
The security layer matters too. Your Microsoft 365 environment should be hardened to reduce the risk of a tenant compromise that could affect both production data and any backup connected to the same admin credentials. The backup system’s credentials must be completely separate from your Microsoft 365 admin accounts and your domain admin accounts.
Recovery scenarios with a 3-2-1 setup
Single file accidentally deleted: Restore from local backup in minutes. No need to go to the cloud copy.
Ransomware encrypts the server and local NAS: Isolate the infected systems, wipe them, rebuild from the cloud backup. Recovery takes longer than a local restore but the data is there.
Office fire destroys all on-premises equipment: Order new hardware or spin up cloud infrastructure, restore from cloud backup. The data loss is limited to whatever changed between the last backup and the event.
Microsoft 365 account compromised, email deleted: Restore the mailbox from the third-party M365 backup. Independent of whatever the attacker did to the tenant.
Without the 3-2-1 structure, at least one of these scenarios results in permanent data loss.
Beyond 3-2-1: immutable and air-gapped backups
The 3-2-1 rule is the baseline. For businesses facing ransomware risk – which is every business – there is an additional layer worth considering: immutability.
An immutable backup is one that cannot be modified or deleted for a defined retention period, even by an administrator. If ransomware compromises your backup admin credentials, it cannot encrypt or delete immutable backups. The backup provider enforces the immutability at the storage level, so even a compromised account cannot override it.
Air-gapped backups take this further by ensuring the backup is completely disconnected from the network except during backup windows. A cloud backup with separate credentials is a form of logical air gap. A physically disconnected drive that is only connected during backup jobs is a physical air gap.
For businesses that have been through a ransomware attack or that operate in industries where data loss is catastrophic – healthcare with HIPAA requirements, for example – immutable backups are not optional. They are the difference between a recovery measured in days and one measured in months – if recovery is possible at all.
How to audit your current backup against the rule
You can check your own compliance with the 3-2-1 rule in about 15 minutes:
- Count your copies. List every place your data exists. Production systems, backup devices, cloud backups. If you cannot name three, you have a gap.
- Check your media types. Are all your copies on the same type of storage? If your production data and both backups are on devices plugged into the same network, a single event can take out all three.
- Find your offsite copy. Is at least one copy in a physically separate location? If everything is in one building, you are not protected against physical disaster.
- Check your Microsoft 365 backup. Do you have a third-party backup for Exchange, SharePoint, OneDrive, and Teams? If not, your cloud data has no backup at all.
- Verify your backups actually work. When was the last time someone restored a file from backup to confirm the backup is functional? If the answer is never, your backup is unverified and may not work when you need it.
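The checklist above, and the three requirements stated at the start of the article, can be applied mechanically to an inventory of where your data lives. The following Python script, added here as an example and not Sequentur's audit tooling, evaluates such an inventory against 3-2-1 and adds the two isolation checks the article calls out alongside the rule: backups must not share production credentials, and must not be reachable as a share from production hosts. The inventory fields, the coarse media classes ("local-disk", "cloud-object") and the two sample inventories are constructed for illustration; the samples correspond to the "server plus USB drive plus NAS" setup and the compliant 20-person setup described in the text.

```python
"""Evaluate an inventory of data copies against the 3-2-1 rule.

Added example, not Sequentur's tooling. Field names, media classes and
site labels are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataCopy:
    name: str
    role: str            # "production" or "backup"
    media: str           # coarse media class: "local-disk", "cloud-object", "tape"
    site: str            # physical location label
    credentials: str     # identity domain that can modify or delete this copy
    reachable_from_prod: bool = False  # mounted or mapped from production hosts


def audit_321(copies):
    """Return (passed, findings): passed maps each check name to a bool,
    findings lists the gaps in plain language."""
    passed, findings = {}, []
    production = [c for c in copies if c.role == "production"]
    backups = [c for c in copies if c.role == "backup"]
    if len(production) != 1:
        raise ValueError("inventory must contain exactly one production copy")
    prod = production[0]

    # 3 copies: the production data itself counts as copy one.
    passed["3_copies"] = len(copies) >= 3
    if not passed["3_copies"]:
        findings.append(f"{len(copies)} copies; need production plus two backups")

    # 2 media types: compare coarse classes, so a server disk and a USB
    # drive in the same room both count as local storage.
    media = {c.media for c in copies}
    passed["2_media"] = len(media) >= 2
    if not passed["2_media"]:
        findings.append("all copies on one media class: " + ", ".join(sorted(media)))

    # 1 offsite: at least one backup must be physically elsewhere.
    passed["1_offsite"] = any(c.site != prod.site for c in backups)
    if not passed["1_offsite"]:
        findings.append(f"every copy is at {prod.site}; no offsite copy")

    # Isolation checks: a backup that shares production credentials, or is
    # reachable as a share from production hosts, falls together with it.
    shared = [b.name for b in backups if b.credentials == prod.credentials]
    passed["separate_credentials"] = not shared
    if shared:
        findings.append("backups share production credentials: " + ", ".join(shared))
    reachable = [b.name for b in backups if b.reachable_from_prod]
    passed["not_reachable_from_prod"] = not reachable
    if reachable:
        findings.append("backups reachable from production hosts: " + ", ".join(reachable))

    return passed, findings


# Constructed inventories matching the two setups described in the article.
USB_AND_NAS = [
    DataCopy("file-server", "production", "local-disk", "main-office", "domain-admin"),
    DataCopy("usb-drive", "backup", "local-disk", "main-office", "domain-admin", True),
    DataCopy("office-nas", "backup", "local-disk", "main-office", "domain-admin", True),
]

COMPLIANT = [
    DataCopy("file-server", "production", "local-disk", "main-office", "domain-admin"),
    DataCopy("backup-nas", "backup", "local-disk", "main-office", "backup-appliance"),
    DataCopy("cloud-replica", "backup", "cloud-object", "cloud-region", "cloud-backup-svc"),
]

if __name__ == "__main__":
    for label, inventory in (("usb+nas", USB_AND_NAS), ("compliant", COMPLIANT)):
        passed, findings = audit_321(inventory)
        print(label, passed)
        for finding in findings:
            print("  -", finding)
```

The media comparison deliberately works on coarse classes rather than device models: the article's point is that two copies on local storage in one environment share a failure domain, and a check that treated "USB" and "NAS" as different media would pass a setup the rule is meant to reject.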
If you find gaps, the fix is usually straightforward – adding cloud backup to an existing local setup, or adding a third-party backup for Microsoft 365 data. The cost of a data breach for a small business runs into hundreds of thousands of dollars. The cost of closing backup gaps is typically a few hundred dollars per month. The math is not complicated.
How Sequentur handles backup for clients
Backup configuration and monitoring is part of our managed services. During onboarding, we audit the client’s existing backup setup against the 3-2-1 rule and identify any gaps. For most clients, this means adding or reconfiguring cloud backup for offsite protection, setting up third-party Microsoft 365 backup, and ensuring local backup jobs are running correctly with proper retention.
After setup, we monitor backup jobs daily. Failed jobs are investigated and resolved the same day, not discovered weeks later when someone needs a restore. We run periodic test restores to verify that backups are not just completing but actually producing restorable data.
When a client needs a restore – whether it is a single file, a mailbox, or a full server – we handle it. The client tells us what they need and when, and we recover it from the appropriate backup copy.
If you are not sure whether your current backup meets the 3-2-1 rule, or if you suspect there are gaps you have not identified, reach out through our contact page. We can audit your backup configuration and show you exactly where you stand.