Keep 3 copies of your data, on 2 different types of media, with 1 copy stored offsite. This protects against hardware failure, local disasters, and most data loss scenarios.
Quick answer: Keep 3 copies of your data, on 2 different types of media, with 1 copy stored offsite. This protects against hardware failure, local disasters, and most data loss scenarios.
The Rule Explained
3 copies of your data Your original data plus two backups. One backup isn't enough—if your backup fails at the moment you need it, you're stuck.
2 different media types Don't put all copies on the same type of storage. If you have three copies on the same NAS device, a single failure loses everything. Mix it: local storage plus cloud, or disk plus tape.
1 copy offsite At least one copy in a different physical location. If fire, flood, or theft hits your office, an onsite backup doesn't help.
Why This Works
The 3-2-1 rule protects against:
Hardware failure Your server dies. You have two other copies.
Human error Someone deletes files accidentally. Recover from backup.
Ransomware Malware encrypts your local systems. Offsite backup survives.
Local disaster Office floods. Offsite backup is unaffected.
Backup failure One backup is corrupted. You have another.
No single event destroys all three copies on different media in different locations.
Modern Implementation
Copy 1: Production data Your live systems—servers, Microsoft 365, workstations.
Copy 2: Local backup Fast recovery for everyday issues. Local NAS, backup server, or disk-based backup. Quick to restore individual files.
Copy 3: Offsite/cloud backup Protection against site-level disasters. Cloud backup service, replicated to another site, or offline media stored elsewhere.
The 3-2-1-1 Update
Modern threats (especially ransomware) have prompted an update:
3-2-1-1: Add one immutable or air-gapped copy.
Ransomware specifically targets backups. If attackers can reach and encrypt your backups, the 3-2-1 rule fails. An immutable copy (cannot be modified or deleted) or air-gapped copy (physically disconnected) survives even sophisticated attacks.
Common Mistakes
Only backing up to the same device RAID isn't backup. A second partition isn't backup. You need separate physical media.
Offsite backup in the same building A different room isn't offsite. Different floor isn't offsite. Different building is offsite.
Never testing restores Backups you haven't tested aren't backups. Verify you can actually recover data.
Backing up but not monitoring Backup jobs fail silently. Monitor backup success and investigate failures immediately.
Forgetting Microsoft 365 Cloud services need backup too. Microsoft doesn't backup your data the way you think.
What We Implement
For managed clients, we implement 3-2-1-1:
- Production data in Microsoft 365/Azure
- Local backup where applicable
- Cloud backup to UK data centres (offsite)
- Immutable retention (ransomware-proof)
---
about a backup assessment.
---