Backups are one of those things almost every business thinks they have covered. You’ve got an external drive somewhere. Or files are syncing to the cloud. Or your IT provider set something up a while back and it’s probably still running.
The problem is that “probably” and “somewhere” are not a backup strategy. They’re a feeling of safety that can evaporate the moment you actually need to recover something.
The 3-2-1 rule is the industry-standard framework that underpins serious data protection. It’s been recommended by cybersecurity bodies, government organisations, and IT professionals for decades. Not because it’s complicated – it isn’t – but because it works. Understanding it takes about five minutes, and applying it properly could save your business.
What Is the 3-2-1 Backup Rule?
The 3-2-1 rule describes how your backup data should be structured and stored. It breaks down like this:
3 – Keep three copies of your data. That’s your live data plus two backups.
2 – Store those copies on two different types of media or storage. Not two external drives in the same drawer.
1 – Keep at least one copy stored offsite – somewhere completely separate from your main location.
That’s it. Three copies, two different media, one offsite. The logic behind each number is worth understanding, because it explains why the rule holds up even in worst-case scenarios.
Why Three Copies?
If you only have one backup, you have one chance. If that backup is corrupted, incomplete, or stored somewhere affected by the same incident as your live data, you’re in serious trouble.
Two copies sounds more sensible, but hardware failures, ransomware infections, and even human error can take out more than one system at a time – especially if they’re stored in the same place or on the same network.
Three copies means you need three independent failures before you’re completely unprotected. That’s not impossible, but it’s unlikely enough that your recovery options remain realistic even when things go badly wrong.
Why Two Different Types of Media?
“Media” here means storage type – a local server, an external drive, a NAS device, cloud storage, and so on. The reason you want two different types is simple: failure modes differ between storage technologies.
An external USB drive fails in different ways to a cloud storage service. A local server can be wiped by ransomware without necessarily affecting an isolated cloud backup. If all your copies sit on the same type of storage, or worse, the same system, you’re not as protected as you think.
This is why cloud sync tools like OneDrive or Google Drive, on their own, are not a backup strategy. They mirror your live data – including accidental deletions, ransomware-encrypted files, and corrupted documents. The moment your live data is compromised, your sync follows.
Why One Offsite Copy?
This is the most important number for businesses that think local backups are enough.
Local backups – drives in your office, a server in the back room – protect you against individual file loss and hardware failure. They do not protect you against fire, flood, theft, or a ransomware attack that spreads through your local network before anyone notices.
Offsite storage means a copy of your data lives somewhere physically and logically separate from your main location. Typically that means a secure cloud environment, though it can also mean encrypted backups stored at a secondary site.
If your office burns down tomorrow, your local backups burn with it. Your offsite copy survives.
Where the 3-2-1 Rule Falls Short
The 3-2-1 rule is an excellent foundation, but it is worth understanding that it was developed before cloud storage was widespread and before ransomware became a defining business risk.
Some IT professionals now advocate for a 3-2-1-1-0 model – which adds an immutable (write-protected, unalterable) copy that even ransomware cannot encrypt, and zero errors across verified backup tests. The core principle is the same, but with additional resilience built in for the modern threat environment.
Whether you follow the original rule or an extended version of it, the fundamentals remain the same: redundancy, separation, and offsite storage.
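The breakdown above (three copies, two media types, one offsite) and the 3-2-1-1-0 extension (an immutable copy plus zero errors across verified restore tests) can be turned into a simple audit. The following is an added, illustrative example and not code from this page or from any backup vendor: it describes each copy in an inventory, reports which parts of the rule a setup misses, and checks a test restore against a SHA-256 manifest recorded at backup time. The field names, media labels and sample inventories are constructed for the example; the “2” check is applied to the backup copies only, so two external drives of the same type fail it as the text intends.

```python
"""Audit a backup inventory against the 3-2-1 rule and the 3-2-1-1-0 extension.

Illustrative example only. The inventories below are constructed sample data;
the dataclass fields and media labels are assumptions made for this example.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DataCopy:
    name: str
    media: str                 # storage technology, e.g. "server", "usb", "nas", "cloud", "tape"
    offsite: bool              # physically and logically separate from the main site
    is_live: bool = False      # True for the production copy, False for a backup copy
    immutable: bool = False    # write-protected / unalterable copy (the extra "1")
    restore_test_ok: Optional[bool] = None  # None = never test-restored (the "0" check)


def audit_3_2_1(copies, extended=False):
    """Return a list of gap descriptions; an empty list means the rule is met."""
    gaps = []
    backups = [c for c in copies if not c.is_live]
    if sum(1 for c in copies if c.is_live) != 1:
        gaps.append("inventory must contain exactly one live copy")
    # 3: live data plus at least two backup copies
    if len(copies) < 3:
        gaps.append(f"3: only {len(copies)} copies (need live data plus two backups)")
    # 2: the backup copies must span at least two storage technologies
    # (assumption for this example: the live copy's media does not count)
    media = {c.media for c in backups}
    if len(media) < 2:
        gaps.append(f"2: all backups on one media type ({', '.join(sorted(media))})")
    # 1: at least one backup copy held offsite
    if not any(c.offsite for c in backups):
        gaps.append("1: no offsite copy")
    if extended:
        if not any(c.immutable for c in backups):
            gaps.append("1 (immutable): no write-protected copy")
        untested = [c.name for c in backups if c.restore_test_ok is None]
        failed = [c.name for c in backups if c.restore_test_ok is False]
        if untested:
            gaps.append("0: never test-restored: " + ", ".join(untested))
        if failed:
            gaps.append("0: restore test failed: " + ", ".join(failed))
    return gaps


def sha256_manifest(files):
    """Record a content hash per path at backup time: {path: sha256 hex}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_restore(manifest, restored_files):
    """Compare a restored file set against the manifest; return missing/changed paths."""
    problems = []
    for path, expected in manifest.items():
        data = restored_files.get(path)
        if data is None:
            problems.append(f"missing: {path}")
        elif hashlib.sha256(data).hexdigest() != expected:
            problems.append(f"changed: {path}")
    return problems


# Constructed inventory: the "two external drives in the same drawer" setup
SAME_DRAWER = [
    DataCopy("file-server", media="server", offsite=False, is_live=True),
    DataCopy("usb-drive-a", media="usb", offsite=False),
    DataCopy("usb-drive-b", media="usb", offsite=False),
]

# Constructed inventory that meets the extended 3-2-1-1-0 model
COMPLIANT = [
    DataCopy("file-server", media="server", offsite=False, is_live=True),
    DataCopy("office-nas", media="nas", offsite=False, restore_test_ok=True),
    DataCopy("cloud-vault", media="cloud", offsite=True, immutable=True, restore_test_ok=True),
]

if __name__ == "__main__":
    for label, inventory in (("same drawer", SAME_DRAWER), ("compliant", COMPLIANT)):
        print(label, audit_3_2_1(inventory, extended=True) or ["OK"])
    # Constructed restore test: one file came back as an older version
    manifest = sha256_manifest({"docs/a.txt": b"quarterly figures", "docs/b.txt": b"contract v2"})
    print(verify_restore(manifest, {"docs/a.txt": b"quarterly figures", "docs/b.txt": b"contract v1"}))
```

Run as a script it prints the gaps for the two sample inventories and the one changed file from the restore test. A backup that completed without errors but restores the wrong content is caught by the manifest comparison, which is the kind of evidence an untested backup cannot give.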
What About Microsoft 365?
This catches a lot of businesses out. Microsoft 365 – Outlook, Teams, SharePoint, OneDrive – is not a backup system. Microsoft is responsible for keeping the platform running, not for keeping your data recoverable.
If a user deletes emails that are then purged from Deleted Items, if a SharePoint site is accidentally wiped, or if a malicious actor removes data, Microsoft’s built-in retention tools have limits. They are not designed to be a full backup and recovery solution.
Your Microsoft 365 data needs to be backed up separately, by a third-party solution, following the same 3-2-1 principles as everything else. This is a common gap in business backup strategies, and one that tends to surface at the worst possible moment.
The Compliance Angle
If your business handles personal data – and almost every UK business does – you have obligations under UK GDPR to protect it appropriately. The ICO’s guidance is clear that organisations need to implement appropriate technical measures to protect personal data, and that includes being able to restore data following an incident.
Following the 3-2-1 rule is not a legal requirement, but it is a recognised standard that demonstrates you are taking data protection seriously. In the event of a breach or data loss incident, being able to show you had a structured, tested backup strategy in place matters – both to the ICO and to any partners or clients affected.
Equally, if your business is working toward Cyber Essentials certification, or operates in a sector with specific compliance requirements, your backup strategy will be scrutinised. Fragmented, untested, or partial backups are a common reason businesses fail assessments they thought they would pass.
How AOIT Networks Approaches Backup
We manage backup for businesses across the North East covering workstations, servers, virtual servers, and Microsoft 365 – all built around the 3-2-1 framework and monitored continuously.
What that means in practice: we do not just configure backups and leave them running. We monitor every job, verify backups are completing successfully, and test recovery regularly to make sure that when you actually need to restore something, it works. A backup that completes without errors but cannot be restored is not a backup – it is a false sense of security, and we have seen it happen more than once to businesses that thought they were protected.
If you want to understand exactly what we use and how it works, we are happy to talk through that when you get in touch.
Is the 3-2-1 Rule Right for Your Business?
Yes – and it is not really a question of whether you should follow it, but whether your current backup strategy already does.
Most businesses are closer than they think in some areas and further away than they realise in others. Common gaps include no offsite copy of local backups, no separate backup of Microsoft 365 data, backups that have never been tested, and local copies that share the same network as production systems.
Review Your Backup Strategy
If you are not certain your current backup setup follows the 3-2-1 rule – or if you want to move to a managed backup solution where someone else handles the monitoring, testing, and recovery – get in touch. We will look at what you currently have in place, identify any gaps, and talk through how to build a strategy that genuinely protects your business.
Because a backup that exists is not the same as a backup that works.