TL;DR:

  • The 3-2-1 rule means 3 copies of data, on 2 different storage types, with 1 copy offsite
  • Ransomware can encrypt connected backups — immutable cloud backups are your protection
  • A backup you’ve never tested is not a backup — run restore tests monthly

A backup strategy is the difference between a ransomware attack costing you an afternoon and costing you your business. Ransomware — software that encrypts your files and demands payment to unlock them — is one of the most common causes of catastrophic data loss for UK small businesses. The attackers are explicit: pay, or lose everything. Without a backup, many businesses do pay. With a tested, offsite backup, recovery becomes a matter of hours, not days, and you never hand money to criminals.

Here’s the thing: a backup strategy isn’t complicated. But most small businesses either have no backup at all, or they have one they’ve never actually tested.

The 3-2-1 backup rule explained

The 3-2-1 rule is the industry-standard framework for reliable backup:

  • 3 copies of your data — one original plus two backups
  • 2 different storage types — for example, an internal drive and a cloud service
  • 1 copy offsite — stored somewhere physically separate from your office

The reasoning is redundancy. A single backup on an external drive at your desk fails if the drive corrupts, if you have a fire or flood, or if ransomware encrypts everything the infected computer can reach — including mapped network drives. Keeping multiple copies on different media in different locations removes any single point of failure.

A practical 3-2-1 setup for a small business looks like this: live data on your computer (copy 1), a local backup to an external drive or NAS device (copy 2, different media), and a cloud backup to an offsite service (copy 3, offsite).

Cloud backup tools worth using

Backblaze for Business is the simplest and most cost-effective cloud backup for small businesses. It runs silently in the background and backs up everything on the computer for around $7 per computer per month (approximately £6). Storage is unlimited, backups run automatically, and restores are straightforward. If you do nothing else today, install Backblaze on every computer in your business.

Veeam is the industry standard for businesses with servers or more complex infrastructure. It supports virtual machines, physical servers, and cloud workloads. The free Community Edition handles basic server backup; paid plans start around £120–160 per year per server.

Acronis Cyber Protect combines backup with ransomware detection in a single product. It can detect ransomware behaviour and stop it mid-attack, then automatically restore any encrypted files. Around £50–70 per device per year — good if you want backup and endpoint protection in one product.

For Google Workspace or Microsoft 365 data: your files in cloud platforms are not automatically backed up by the provider against accidental deletion or malicious activity. You need a dedicated SaaS backup tool. Backupify (now Datto SaaS Protection) and Spanning Backup both handle Google Workspace and Microsoft 365 data, at around £2.50–4 per user per month.

How often should you back up?

The right frequency depends on how much data loss you can tolerate. The technical term is RPO (Recovery Point Objective) — how far back in time are you willing to go if you need to restore?

For critical files like accounting, contracts, and client data, backing up every few hours or in real-time is the right approach. For everything else, daily is generally sufficient. Full system images — so you can restore an entire computer, not just individual files — are worth doing weekly.

Most cloud backup tools handle all of this automatically once configured. Backblaze runs continuously and backs up changes as they happen.
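To see whether a backup history actually met its RPO, measure the longest gap between successful backups rather than trusting the schedule. The following is an added example, not part of any backup product; the RPO values, data-class names and sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# RPO per data class, following the tiers in the text (exact values are assumptions).
RPO = {
    "critical": timedelta(hours=4),     # "every few hours"
    "general": timedelta(days=1),       # daily
    "system_image": timedelta(days=7),  # weekly
}

# Constructed sample data: times of *successful* backups per data class.
SAMPLE_NOW = datetime(2024, 3, 8, 18, 0)
SAMPLE_HISTORY = {
    # The midday run was skipped, leaving a 7-hour hole.
    "critical": [datetime(2024, 3, 8, 6, 0), datetime(2024, 3, 8, 9, 0),
                 datetime(2024, 3, 8, 16, 0)],
    "general": [datetime(2024, 3, 6, 22, 0), datetime(2024, 3, 7, 22, 0)],
    # No "system_image" entry: an image backup has never succeeded.
}


def worst_exposure(successes, now):
    """Largest window of work that could have been lost: the longest gap
    between consecutive successful backups, or from the last one to `now`."""
    times = sorted(successes)
    if not times:
        return None  # never backed up, so exposure is unbounded
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    gaps.append(now - times[-1])
    return max(gaps)


def rpo_report(history, now):
    """Return {data class: (worst exposure or None, True if within RPO)}."""
    report = {}
    for data_class, limit in RPO.items():
        exposure = worst_exposure(history.get(data_class, []), now)
        report[data_class] = (exposure, exposure is not None and exposure <= limit)
    return report


if __name__ == "__main__":
    for name, (exposure, ok) in rpo_report(SAMPLE_HISTORY, SAMPLE_NOW).items():
        print(f"{name:13} worst gap: {exposure}  within RPO: {ok}")
```
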

Immutable backups: your ransomware insurance

Immutable backups cannot be modified, encrypted, or deleted for a specified period — not by ransomware, not by an attacker who’s compromised your admin credentials, not by accident. This is the protection that standard cloud sync services like Google Drive, OneDrive, and Dropbox don’t provide.

Here’s the problem with cloud sync: if ransomware encrypts your files, the sync service will faithfully sync the encrypted versions to the cloud, overwriting your clean copies. You’ve got ransomware in three places instead of one.

True immutable backup works differently. Once written, the backup is locked for a fixed period — 30, 60, or 90 days. Ransomware can’t touch it. Backblaze Business includes an immutable storage option (Object Lock) in its cloud backup. Veeam supports immutability with compatible storage targets. Wasabi cloud storage offers immutable buckets at around $7 per TB per month, compatible with most backup tools.

Testing your backups: the step most businesses skip

A backup you’ve never tested is a promise, not a guarantee. Backup systems fail silently — the software reports success while quietly writing incomplete or corrupted data. You’ll discover the problem at the worst possible moment.

Run a restore test monthly. Pick a random file from last week’s backup, restore it to a different location (not over the original), open it, and verify the contents are correct. This takes five minutes and is the only way to know your backup actually works.

Once a year, run a more thorough test — try restoring a full folder or, if you have a server, a full system restore to a test environment. Many businesses discover their backups haven’t been working for months only when they try to recover from an incident. Don’t be one of them.
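The restore test can be made repeatable with a checksum manifest. This added example (not code from any backup vendor) goes slightly beyond the single-file check by sampling several files at random and comparing each restored copy against SHA-256 hashes recorded at backup time. The function names and status labels are assumptions chosen for illustration.

```python
import hashlib
import random
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_root: Path) -> dict:
    """Run at backup time: record {relative path: (size, sha256)} per file."""
    manifest = {}
    for path in sorted(source_root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(source_root).as_posix()
            manifest[rel] = (path.stat().st_size, sha256_of(path))
    return manifest


def verify_restore(manifest: dict, restore_root: Path,
                   sample_size: int = 5, seed=None) -> dict:
    """Check a random sample of manifest entries against restored copies.

    Returns {relative path: status}, where status is "ok", "missing",
    "size_mismatch", or "corrupt" (same size but different contents).
    """
    rng = random.Random(seed)
    names = sorted(manifest)
    results = {}
    for rel in rng.sample(names, min(sample_size, len(names))):
        size, digest = manifest[rel]
        restored = restore_root / rel
        if not restored.is_file():
            results[rel] = "missing"
        elif restored.stat().st_size != size:
            results[rel] = "size_mismatch"
        elif sha256_of(restored) != digest:
            results[rel] = "corrupt"
        else:
            results[rel] = "ok"
    return results
```

Restore into an empty scratch folder, never over the originals, and keep the manifest somewhere the backed-up computer cannot overwrite. Files edited after the manifest was built will show as mismatches, so test against a folder that has not changed since the backup ran.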

Quick-start checklist

  • Install Backblaze on every computer
  • Attach an external drive to each computer for local backup
  • Enable version history or immutable backup in your cloud service
  • Back up Google Workspace or Microsoft 365 data with Backupify or Spanning
  • Test a restore this week, then schedule monthly reminders

Bottom line

Ransomware is only catastrophic if you have no backup. Set up Backblaze on every computer for offsite cloud backup, add a local external drive for fast restores, and enable immutability so ransomware can’t touch your offsite copies. Test a restore monthly — that single habit is what separates businesses that recover in hours from those that never recover at all.