05 · Resilience

Backups and Recovery: The 3-2-1 Rule for Business Data

The Ops Manual · Updated 2026-07-18

Every business says it has backups. Far fewer can say when they last restored something from one. The difference between those two sentences is the difference between an inconvenience and a catastrophe when a laptop dies, ransomware hits, or someone deletes the wrong folder.

The 3-2-1 rule

3-2-1 in one breath: keep three copies of important data, on two different types of storage, with one copy off-site. The working file on your computer counts as copy one.

The rule survives because each number kills a different failure. A second copy kills device failure. A different storage type kills the “both drives died together” problem. Off-site kills fire, theft and anything that takes out the whole premises — including ransomware that encrypts every drive it can reach on the network.

What actually needs backing up

DataWhere it usually livesAsk yourself
Accounting file, invoicesCloud accounting platformDoes the platform let me export a copy?
Customer records, job historyCRM or spreadsheetsWhen did I last export these?
EmailHosted mailIs deleted-mail recovery enough, or do I need an archive?
Shared documentsCloud driveIs sync the same as backup? (No — see below.)
WebsiteHosting providerDo I hold my own copy, or only trust the host?
Job photos, signed formsPhonesAre these anywhere other than one phone?
Sync is not backup. A cloud drive faithfully syncs your mistakes: delete a file — or let ransomware encrypt it — and the damage syncs everywhere in seconds. Backup means point-in-time copies with history kept long enough to notice a problem: weeks, not hours.

Testing restores: the step everyone skips

  1. Pick one real file or record you would genuinely miss.
  2. Restore it from your backup to a different location, following your own runbook.
  3. Open it. Confirm it is complete and current.
  4. Time the exercise. That number — not the brochure — is your real recovery speed.
  5. Diarise the next test. Quarterly is plenty for most small businesses.

An untested backup is a rumour. Restore testing turns it into a fact, and it routinely surfaces silent failures: a job that stopped running months ago, a full disk, a payment card that expired on the backup account.

A sensible starting setup

For a typical Australian small business the workable pattern looks like this: keep working files in a cloud service with version history and multi-factor authentication; run an automatic daily backup of the important folders to an external drive that is disconnected between runs or rotated weekly; and schedule a monthly export of the systems that hold your business records — accounting, customer list, job management — into a dated folder that joins the same backup cycle. None of this requires enterprise software; it requires the jobs to run automatically, because any backup that depends on someone remembering will eventually depend on someone who forgot. Write the whole arrangement down in a one-page runbook: what is backed up, where the copies live, how to restore, and who holds the passwords. That page is what turns a pile of drives into a recovery plan.

Ransomware changes the maths

The Australian Cyber Security Centre (cyber.gov.au) lists regular, tested backups kept out of reach of the everyday network among its core mitigations for small business, because modern ransomware hunts connected backups and deletes them first. At least one copy should be offline, or in a service with version history an attacker cannot reach using your day-to-day login.

FAQ

Is the cloud my off-site copy?

It can be — provided it is a true backup with point-in-time history rather than the same live sync your computers write to, and provided the account has multi-factor authentication turned on.

How long should backups be kept?

Long enough to discover a problem and reach back before it started. Many issues surface at BAS or year-end, months after the fact, so keep some monthly points rather than only last night. For records you are required to retain, treat backups as part of meeting those obligations and confirm the specifics with your accountant.