14 Feb 2026 7 min read Core Networks

The 3-2-1 Backup Rule — And Why You're Still Getting It Wrong

Every business owner thinks they have backups until they actually need them. The moment of truth usually arrives with ransomware, a dead NAS, or a staff member who accidentally deleted a year's worth of financial records.

Backup Security SMB IT

What is the 3-2-1 rule?

The 3-2-1 rule is the gold standard of backup strategy, and it's been around for decades because it works. It's simple: three copies, two media, one offsite.

The point of having multiple copies on different media is resilience against different failure modes. RAID protects you from a single disk dying. An offsite copy protects you from fire, flood, theft, and ransomware (which will encrypt your local backups too if you're not careful).

Most businesses fall down on the offsite copy. It's the inconvenient one. It requires effort or a recurring cost. And it's the one that saves you when everything else fails.

The mistakes we see over and over

After 25 years of recovering businesses from data loss events, we've seen every failure mode. Here are the ones that come up again and again.

"We have RAID"

RAID is not a backup. We cannot say this enough.

RAID protects against disk failure. It does not protect against:

RAID improves availability. Backup improves recoverability. They solve different problems. You need both.

Backups to the same location as primary data

An external hard drive plugged into the server doesn't count as an offsite backup. Neither does a NAS in the same server room as the server it's backing up. If the building floods, they both go.

We've seen businesses lose everything this way — not because they had no backups, but because their "offsite" backup was in the same building.

Never testing restores

This is the big one. If you haven't tested restoring from your backups, you don't have backups. You have hopes.

Backup software fails silently. Tapes degrade. S3 buckets get misconfigured. VM snapshots grow until the disk is full and stop working. The only way to know your backups work is to restore from them.

Test a restore every month. Actually restore a file, a database, or a full VM to a test environment and verify it works. Schedule it. Put it in the calendar.

No defined RPO or RTO

These two terms define what a backup strategy actually needs to deliver:

Until you've defined these numbers, you can't evaluate whether your backup strategy actually meets your business requirements. Start there.

Backing up the wrong things

We've seen businesses restore from backup only to find they backed up the OS and applications, but not the application data. Or they backed up the files, but not the database. Or they backed up the VM, but the backup application itself wasn't configured correctly and the jobs have been silently failing for three months.

Do a recovery audit: for each critical system, define exactly what you'd need to restore to get it running. Then verify your backups contain those things.

A practical backup stack for SMBs

You don't need expensive enterprise backup software to implement a solid 3-2-1 strategy. Here's a stack we'd recommend, all either free or very low cost:

For Windows Server environments

For Linux environments

For files and documents (all platforms)

The offsite requirement, practically

Object storage (Backblaze B2, Cloudflare R2, Wasabi) has made offsite backup affordable for businesses of any size. B2 is $6/TB/month for storage. R2 is $15/TB/month but has zero egress fees, which matters if you're restoring frequently.

For a business with 1TB of backup data, you're looking at $6–15/month for a genuine offsite copy. That's cheaper than a single hour of your IT support bill. There's no financial argument against it.

The restore test checklist

Every month, do at least one of these:

  1. Restore a random file from three days ago to a different location and verify it opens correctly.
  2. Restore a database to a test server and run a query to confirm data integrity.
  3. Restore a VM snapshot to a test environment and verify the application starts.
  4. Attempt a full restore drill for one critical system and time how long it takes.

Document the results. If a restore fails, that's your warning sign — not the disaster itself.
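One way to make checklist item 1 repeatable, as an added example rather than Core Networks' own tooling: record a SHA-256 manifest of the source at backup time, then compare the restored tree against it and keep the result as your documented record. The function names, paths and sample files are constructed for illustration.

```python
import hashlib, json, os, shutil, tempfile

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Run at backup time: map each relative path under root to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root):
    """Run after a test restore: report files that are missing or differ."""
    missing, corrupted = [], []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)          # job skipped it or restore was partial
        elif sha256_file(path) != expected:
            corrupted.append(rel)        # restored, but not the data you backed up
    return {"files_expected": len(manifest), "missing": missing,
            "corrupted": corrupted, "passed": not (missing or corrupted)}

def demo():
    """Constructed sample: a small source tree and a deliberately damaged restore."""
    sample = {"finance/ledger.csv": b"date,amount\n2026-01-31,1200\n",
              "finance/payroll.csv": b"name,net\nA,3100\n",
              "readme.txt": b"constructed sample\n"}
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "source"), os.path.join(tmp, "restore")
        os.makedirs(os.path.join(src, "finance"))
        for rel, data in sample.items():
            with open(os.path.join(src, *rel.split("/")), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)
        shutil.copytree(src, dst)                       # stands in for the restore
        clean = verify_restore(manifest, dst)
        open(os.path.join(dst, "finance", "ledger.csv"), "wb").close()  # truncated
        os.remove(os.path.join(dst, "readme.txt"))      # never restored
        return clean, verify_restore(manifest, dst)

if __name__ == "__main__":
    print(json.dumps(demo()[1], indent=2))
```

Store the manifest separately from the backup it describes, so a damaged or tampered backup set cannot take its own reference hashes with it.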

The bottom line

Backup is not exciting. It doesn't generate revenue, it doesn't impress anyone, and it's easy to deprioritise when everything is working fine. But after 25 years of helping businesses recover from data loss events, we can tell you: the ones that recover cleanly have one thing in common. They tested their backups.

The 3-2-1 rule isn't complicated. It's just disciplined. Three copies, two media, one offsite, and a monthly restore test. That's the whole thing.


Questions about your backup strategy? We're happy to point you in the right direction: info@corenetworks.com.au
