← ALL POSTS
IT SUPPORT & MANAGED SERVICES EXPLAINER

The 3-2-1 backup rule, and why restore is the part that matters

Ask a business owner if they have backups and most say yes. Ask when they last restored a file from those backups and the room goes quiet. That gap is where companies get hurt. A backup you have never restored from is a guess, not a plan.

The rule itself

The 3-2-1 rule is old, simple, and still right:

The reasoning is boring math. Any single copy can fail. Drives die, ransomware encrypts, an employee deletes the wrong folder. Independent copies on independent systems mean one failure does not take everything.

What usually passes for backup

Here is what we actually find when we walk into a small business:

None of these people were careless. They set something up once, it worked once, and nobody looked again. Backup is not a setup task. It is a maintenance task.

Restore is the whole point

Nobody actually wants backups. They want restores. The backup is just the receipt.

A restore drill is the only way to know your receipt is good. Here is the drill we run for clients, and you can run it yourself:

  1. Pick a real file that changed recently. An invoice, a spreadsheet, a contract.
  2. Restore it from backup to a different location. Do not overwrite the original.
  3. Open it. Confirm it is the right version, not a copy from six months ago.
  4. Time the whole thing and write the time down.

Then, once or twice a year, do the bigger version: restore a whole folder, or spin up a server backup on spare hardware or a cloud VM and confirm it boots. This is where you learn the ugly stuff, like the backup that technically completed but skipped the accounting database because the file was locked.

The number that comes out of the drill matters as much as the pass or fail. If a full restore takes three days and your business cannot survive three days down, your backup is fine and your plan is broken. Fix the plan before you need it.

Ransomware changed the offsite copy

Modern ransomware crews go hunting for backups first. If your offsite copy is a mapped drive or a NAS the server can write to, the attacker can encrypt it right along with everything else. The offsite copy needs to be one of these:

Some people call this 3-2-1-1: the extra 1 is an immutable or offline copy. Whatever you call it, assume an attacker with admin passwords will try to delete your backups, and make sure they cannot.

How to know it is done right

You do not need to be technical to audit this. Ask whoever handles your IT these five questions:

  1. Where are our three copies, exactly? Name the systems.
  2. Which copy is offsite, and can ransomware with admin access delete it?
  3. When did the last backup actually complete, and who gets told when one fails?
  4. When did we last restore a file, and did it work?
  5. How long would a full restore take after a total loss?

Confident, specific answers with recent dates mean you are in good shape. Vague answers, or a pause before question four, mean you have backup software but not a backup plan. The fix is usually a day of work and a recurring calendar entry, which is cheap compared to the alternative.

Stuck on this, or want it done for you? That's the job.

Email us →
RELATED READING
Server care: what maintaining a server actually involves Explainer
What good help desk looks like (a person answers) Explainer
How to actually test your backups: a restore drill Step-By-Step Guide
Automated patching: the boring habit that prevents ugly weeks Explainer
Device management basics: MDM without the acronym soup Explainer
NO FORMS. JUST EMAIL.
mason@hurbs.io
or (832) 457-4317, LA and Houston