Backups and Recovery: The 3-2-1 Rule for Business Data
Every business says it has backups. Far fewer can say when they last restored something from one. The difference between those two sentences is the difference between an inconvenience and a catastrophe when a laptop dies, ransomware hits, or someone deletes the wrong folder.
The 3-2-1 rule
The rule survives because each number kills a different failure. A second copy kills device failure. A different storage type kills the “both drives died together” problem. Off-site kills fire, theft and anything that takes out the whole premises — including ransomware that encrypts every drive it can reach on the network.
What actually needs backing up
| Data | Where it usually lives | Ask yourself |
|---|---|---|
| Accounting file, invoices | Cloud accounting platform | Does the platform let me export a copy? |
| Customer records, job history | CRM or spreadsheets | When did I last export these? |
| Hosted mail | Is deleted-mail recovery enough, or do I need an archive? | |
| Shared documents | Cloud drive | Is sync the same as backup? (No — see below.) |
| Website | Hosting provider | Do I hold my own copy, or only trust the host? |
| Job photos, signed forms | Phones | Are these anywhere other than one phone? |
Testing restores: the step everyone skips
- Pick one real file or record you would genuinely miss.
- Restore it from your backup to a different location, following your own runbook.
- Open it. Confirm it is complete and current.
- Time the exercise. That number — not the brochure — is your real recovery speed.
- Diarise the next test. Quarterly is plenty for most small businesses.
An untested backup is a rumour. Restore testing turns it into a fact, and it routinely surfaces silent failures: a job that stopped running months ago, a full disk, a payment card that expired on the backup account.
A sensible starting setup
For a typical Australian small business the workable pattern looks like this: keep working files in a cloud service with version history and multi-factor authentication; run an automatic daily backup of the important folders to an external drive that is disconnected between runs or rotated weekly; and schedule a monthly export of the systems that hold your business records — accounting, customer list, job management — into a dated folder that joins the same backup cycle. None of this requires enterprise software; it requires the jobs to run automatically, because any backup that depends on someone remembering will eventually depend on someone who forgot. Write the whole arrangement down in a one-page runbook: what is backed up, where the copies live, how to restore, and who holds the passwords. That page is what turns a pile of drives into a recovery plan.
Ransomware changes the maths
The Australian Cyber Security Centre (cyber.gov.au) lists regular, tested backups kept out of reach of the everyday network among its core mitigations for small business, because modern ransomware hunts connected backups and deletes them first. At least one copy should be offline, or in a service with version history an attacker cannot reach using your day-to-day login.
FAQ
Is the cloud my off-site copy?
It can be — provided it is a true backup with point-in-time history rather than the same live sync your computers write to, and provided the account has multi-factor authentication turned on.
How long should backups be kept?
Long enough to discover a problem and reach back before it started. Many issues surface at BAS or year-end, months after the fact, so keep some monthly points rather than only last night. For records you are required to retain, treat backups as part of meeting those obligations and confirm the specifics with your accountant.