Picture this. It is 9am on a Monday. You open your laptop and every file your business depends on is locked. A message on screen is demanding payment in cryptocurrency. You call your IT provider. They say four words that change everything: "We can restore from backup."
Within a couple of hours, your systems are back. Your data is intact. The week carries on.
Now picture a different business, same Monday morning, same attack. They call their IT provider too. But this time the backup was just a synced OneDrive folder. The ransomware encrypted the files. The sync pushed those encrypted files straight to the cloud. The backup and the original data are both gone.
Two businesses. Same threat. One survived because somebody followed a rule so simple it fits on a Post-it note. The other did not even know the rule existed.
That rule is called the 3-2-1 backup rule. And if you run a business, it is the single most important thing to understand about protecting your data.
What Is the 3-2-1 Backup Rule?
The 3-2-1 rule is not new. It has been the standard in data protection for decades. But for some reason, it rarely gets explained to the people who actually need it most: business owners.
Here is what it means.
3 — Keep three copies of your data. That is the original plus two backups.
2 — Store those copies on two different types of storage. For example, your computer and a cloud backup service. Or a server and an external drive. The point is they should not all live in the same place or on the same system.
1 — Keep one copy offsite. Somewhere physically separate from your office. If your building floods, or a fire takes out your server room, or someone breaks in and steals your hardware, that offsite copy is what saves you.
Think of it like this. You would not keep three copies of your house key and then leave all three on the kitchen table. You would give one to a neighbour, put one in your wallet, and keep one by the door. Different places, different risks. The same logic applies to your data.
Why Does This Matter for Small Businesses?
There is a dangerous assumption that data loss is a big-company problem. It is not. Small businesses are targeted more often precisely because attackers know they are less prepared.
The consequences are brutal. Research consistently shows that a significant number of small businesses that suffer major data loss do not recover. They close. Not because the attack itself was sophisticated, but because there was nothing to fall back on.
Here is the part that concerns me most. In many of the businesses I work with, there is no dedicated IT person. Instead, there is someone — usually an operations manager, an office administrator, sometimes the founder — who has absorbed IT responsibilities on top of their actual job. I call them the accidental IT person. They are doing their best, but nobody has ever sat them down and explained what a proper backup looks like or how to check whether one is actually running.
This is not a criticism. It is a gap. And it is a gap that the 3-2-1 rule was designed to close.
Where Do Most Businesses Get It Wrong?
I see the same three mistakes over and over again.
Mistake 1: Thinking File Sync Is the Same as Backup
OneDrive, Google Drive, and Dropbox are brilliant tools. But they are file synchronisation services, not backup solutions. If a file gets deleted, corrupted, or encrypted on your device, that change syncs to the cloud too. A true backup is a separate, protected copy that does not get overwritten when something goes wrong at the source.
Mistake 2: Having Backups but Never Testing Them
A backup you have never restored is a backup you cannot trust. I have seen businesses discover — at the worst possible moment — that their backups had been failing silently for months. Nobody checked. Nobody tested. The safety net they thought they had simply was not there.
Mistake 3: Keeping All Copies in One Place
If your original data and your backups are both on the same server, in the same office, connected to the same network, a single event can wipe out everything. Ransomware that spreads across your network does not politely skip the backup folder. A burst pipe does not avoid the cupboard where the external hard drive lives.
How Do You Check Whether Your Business Follows the 3-2-1 Rule?
You do not need to be technical to hold your IT provider (or yourself) accountable. You just need the answers to three questions.
Question 1: How many separate copies of our data exist right now?
Not files in different folders on the same system. Genuinely separate copies, stored independently. If the answer is fewer than three, you are exposed.
Question 2: Are those copies stored on different systems or in different locations?
If everything lives on the same server or the same cloud platform, a single failure could take it all down. You need variety. Different systems, different locations, different risk profiles.
Question 3: When was the last time someone tested a backup by actually restoring something from it?
This is the question that makes IT providers uncomfortable. A backup that has never been tested is not a backup. It is a hope. And hope is not a strategy.
If your IT provider cannot answer these three questions clearly and confidently, that tells you something important.
What Does a Proper Backup Setup Actually Look Like?
For a typical small business in London, a solid 3-2-1 setup might look something like this.
Copy one: Your live data. The files and systems you use every day. Sitting on your devices or your server, wherever you normally work.
Copy two: A local backup. This could be a dedicated backup appliance or a network-attached storage device in your office. It gives you fast recovery if something goes wrong — a deleted file, a failed update, a corrupted document. Because it is local, restoring is quick.
Copy three: A cloud backup stored offsite, ideally with immutable storage. Immutable means that once a backup is written, it cannot be altered or deleted for a set period — not even by ransomware, not even by an attacker who has compromised your admin credentials. This is your insurance policy. The copy that survives even the worst-case scenario.
The specifics will vary depending on the size of your business, the tools you use, and the data you need to protect. But the principle stays the same: three copies, two different types of storage, one offsite.
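The three questions above and the three-copy setup just described can be written down as a checklist a script can score. This is an added example, not the page's or Blue Icon IT's own tooling; the `Copy` record, the 90-day restore-test limit and the two sample inventories are assumptions chosen to match the page's story. It scores the setup from this section against the synced-folder setup from the opening.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Copy:
    """One copy of the business's data, as you would list it for Question 1."""
    name: str
    medium: str                                # kind of storage: "server", "nas", "cloud", ...
    location: str                              # where it physically lives
    offsite: bool = False                      # physically separate from the office
    immutable: bool = False                    # cannot be altered or deleted for a set period
    is_live: bool = False                      # the working copy, not a backup
    last_restore_test: Optional[date] = None   # None means nobody has ever restored from it


def audit_321(copies: list[Copy], today: date, max_test_age_days: int = 90) -> list[str]:
    """Return plain-English findings. An empty list means the setup answers all
    three questions well and the offsite copy is immutable."""
    findings = []

    # Question 1: three genuinely separate copies (the live data counts as one).
    if len(copies) < 3:
        findings.append(f"Q1: only {len(copies)} copies exist; the rule needs three.")

    # Question 2: different kinds of storage, and at least one copy offsite.
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"Q2: every copy is on the same kind of storage ({', '.join(media)}).")
    if not any(c.offsite for c in copies):
        findings.append("Q2: no copy is held offsite; one event at the office takes all of them.")
    if not any(c.offsite and c.immutable for c in copies):
        findings.append("Setup: the offsite copy is not immutable; compromised admin "
                        "credentials could delete it.")

    # Question 3: every backup copy has been restored from, and recently.
    for c in copies:
        if c.is_live:
            continue
        if c.last_restore_test is None:
            findings.append(f"Q3: '{c.name}' has never been tested by restoring from it.")
        else:
            age = (today - c.last_restore_test).days
            if age > max_test_age_days:
                findings.append(f"Q3: '{c.name}' was last test-restored {age} days ago "
                                f"(limit {max_test_age_days}).")
    return findings


TODAY = date(2024, 6, 3)   # fixed so the example is repeatable

# The setup from this section: live data, a local NAS, an immutable cloud copy.
PROPER_SETUP = [
    Copy("Live files on server", medium="server", location="office", is_live=True),
    Copy("Local NAS backup", medium="nas", location="office",
         last_restore_test=date(2024, 5, 20)),
    Copy("Cloud backup", medium="cloud", location="provider datacentre",
         offsite=True, immutable=True, last_restore_test=date(2024, 5, 6)),
]

# The second business from the opening story: live data plus a synced folder.
SYNC_ONLY_SETUP = [
    Copy("Live files on laptop", medium="workstation", location="office", is_live=True),
    Copy("OneDrive synced folder", medium="cloud", location="provider datacentre",
         offsite=True),
]

if __name__ == "__main__":
    for label, setup in (("proper", PROPER_SETUP), ("sync-only", SYNC_ONLY_SETUP)):
        findings = audit_321(setup, TODAY)
        print(label, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("  -", finding)
```

The proper setup produces no findings. The sync-only setup produces three: too few copies, no immutable offsite copy, and a copy nobody has ever restored from. Re-running the proper setup a few months later without any new restore tests starts producing Question 3 findings, which is the monitoring point the next section makes: the rule is not satisfied once, it has to stay satisfied.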
The Post-it Note Version
The 3-2-1 backup rule is not complicated. You could explain it to someone in thirty seconds. The hard part has never been understanding it.
The hard part is making sure someone in your business is actually responsible for it. That it is set up properly. That it is being monitored. That it gets tested.
If you have read this far and you are not sure whether your business follows this rule, that is not a failure. It is just the starting point. Now you know what to ask, who to ask, and what a good answer sounds like.
The only real mistake is knowing the question and choosing not to ask it.
If your business needs help getting a proper backup strategy in place, or you want someone to check whether your current setup actually follows the 3-2-1 rule, get in touch with Blue Icon IT. We are a London-based IT partner for small businesses who believe you deserve a straight answer, not a sales pitch.