← Blog

Backups that actually save you — the 3-2-1 rule in plain English

Tenant Strike4 min read

Backups are the last line of defence against ransomware, accidental deletion, and a lost laptop. But a backup you have never tested is not really a backup. Here is what actually works.

If something goes seriously wrong — a ransomware attack, an employee deleting a year's worth of files, a laptop stolen from a car — a working backup is the difference between a bad afternoon and a business-ending event.

Most small businesses know backups matter. Fewer have them set up in a way that would actually help.

The traps that make backups useless

Before the solution, the three common ways backups fail:

No backup at all. More common than you'd think. "We keep everything in Microsoft 365" or "it's all in the cloud" gets mistaken for a backup strategy. It isn't.

Backups that were never tested. A backup you have never restored from is a guess. The file might be there. The restore process might work. Or it might not — and you'll only find out when you desperately need it to. An untested backup is not a backup; it's an optimistic assumption.

Backups connected to the same system being attacked. Ransomware — software that encrypts your files and demands payment — is smart enough to look for attached drives and network shares before it starts encrypting. If your backup lives on a USB drive plugged into your server, or a network folder accessible from every computer, it gets encrypted too.

The 3-2-1 rule

The 3-2-1 rule is a simple way to remember a backup setup that actually holds up. It means:

  • 3 copies of your data (the original, plus two backups)
  • 2 different kinds of storage (for example, an external drive and a cloud service — not two USB drives in the same drawer)
  • 1 copy kept offsite or offline (in a different physical location, or on a drive that is disconnected from your network when not in use)

The offsite or offline part is what makes backups survive ransomware. An encrypted network cannot reach a drive that is not attached to it.

For a small business, a practical version of 3-2-1 might look like: your files in Microsoft 365 (one copy), a backup service that copies those files to cloud storage daily (second copy), and a periodic export to an external drive kept at a different location — an owner's home, a safe deposit box — and disconnected when not in use (third copy, offline).

Microsoft 365 is not a backup

This one surprises a lot of people. Microsoft 365 keeps your email, files, and Teams data available and highly reliable — Microsoft is very good at not losing your data through hardware failure. That is not the same as a backup.

Microsoft 365's built-in recycle bins and version history are short-lived. Deleted emails are recoverable for 30 days (in most configurations). Version history on files is helpful for rolling back an accidental change, but it is not designed to restore your entire mailbox from six months ago after a ransomware attack encrypted your OneDrive sync folder.

If you want a true backup of your Microsoft 365 mailboxes and SharePoint data — one that you control and can restore from independently — you need a third-party backup tool. Several exist specifically for this purpose.

What a working backup habit looks like

You do not need elaborate software or an IT team. A simple, consistent habit is enough:

  1. Decide what data actually matters — email, financial records, client files, contracts.
  2. Choose a backup method that puts at least one copy somewhere physically separate from your office network.
  3. Set it to run automatically on a schedule so it does not depend on someone remembering.
  4. Once a quarter, restore a small sample of files and confirm they come back correctly.

That last step is the one most people skip. It is also the only step that tells you whether any of the others worked.

The only backup that counts

A backup is a plan. A tested restore is proof the plan works. Run through the restore process at least once a year, preferably more often — before you need to depend on it.

Tenant Strike is a read-only scanner for Microsoft 365 and Azure, not a backup tool — but it does check the settings that affect how exposed your data is in the first place. A five-minute scan shows you what is open and where to start.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.