Every time a new Canadian ransomware story hits the news, the same question pops into my head: "Did they actually have backups they could restore?"
The federal Cyber Centre, Get Cyber Safe, and even Ontario IT providers have been repeating the same simple idea for years: backups are non-negotiable, and you need more than one copy.
One article from an Ontario IT shop in 2024 laid it out clearly: follow the 3-2-1 rule if you don't want to roll the dice with your data.
Let's pull this out of the "IT buzzword" bucket and into something a construction company, clinic, or logistics outfit around Hamilton can actually implement.
What Is the 3-2-1 Backup Rule?
The rule is old, but it still works:
- 3 copies of your data
- 2 different types of storage
- 1 copy off-site
Translated to local business reality:
- Original data on your office systems or cloud apps
- Second copy on a local backup (NAS, backup server, or external drive)
- Third copy somewhere off-site (cloud backup or another location)
The Cyber Centre's backup tips and several Canadian SMB guides push a similar pattern: multiple copies, different media, and one copy physically separate.
Why a Single Backup Is a Trap
Here's where a lot of businesses on the Mountain or along the QEW get burned:
- One backup drive plugged into the main server
- Same building, same power, same flood risk
- Sometimes even mapped into the system so ransomware can encrypt it too
That's not a backup; that's a slightly delayed failure.
We've seen cases where ransomware hit not just production data but also connected backup systems. That's why some providers now talk about 3-2-1-1-0 (one extra copy that is offline or immutable, and zero errors on test restores), but let's walk before we run.
Step 1 – Decide What Actually Needs Backing Up
Not everything is mission-critical. Start with:
- Accounting and bookkeeping data
- Client files and project folders
- Line-of-business apps (dental, legal, construction, logistics, etc.)
- Email and cloud storage (M365, Google Workspace)
- Configurations for key systems (firewalls, switches, key apps)
Make a short list of systems where, if you lost a week of data, you'd be in deep trouble.
Step 2 – Set Up Your "3"
For each critical system:
- Production copy – Where you work day-to-day
- Local backup – Fast restore, usually in the same office
- Off-site backup – Cloud backup or another physical location
Examples for a small Hamilton shop:
File server in the office:
- Nightly backup to a NAS box in a locked network closet
- Encrypted cloud backup to a Canadian or reputable provider's data centre
For pure cloud systems (like Microsoft 365), remember: Microsoft isn't your backup. They give you resilience, not a full history. Use a proper third-party backup for email, OneDrive, and SharePoint.
Step 3 – Make the "2 Different Media" Part Real
Don't put all copies on:
- One RAID array
- One SAN
- One cloud storage account
Mix it up:
- Internal storage + external disk / NAS
- Local NAS + cloud backup
- Cloud productivity suite + third-party backup tool
Canadian backup best-practice articles keep coming back to this: same technology, same failure mode.
Step 4 – Get the "1 Off-Site" Right
Off-site doesn't have to be fancy:
- A cloud backup that isn't directly reachable from your main network
- An encrypted hard drive rotated weekly to a different location (not your truck)
- Replication to another office or trusted co-location
For ransomware specifically, you want at least one copy that:
- Isn't always connected
- Requires separate credentials to access
- Can't be easily deleted by someone who compromises your main environment
Some backup vendors now support "immutable backups" that can't be changed or deleted for a set retention period. For businesses that can afford it, that's worth a look.
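To make Steps 2 through 4 checkable rather than a feeling, here is a small inventory checker (example code added here, not from CyberLeda or any vendor) that scores a list of copies against the 3-2-1 rule plus the ransomware test from Step 4: at least one backup that is not always connected, needs separate credentials, or is immutable. The two inventories, the field names and the site labels are constructed for illustration.

```python
"""Score a backup inventory against 3-2-1 plus the ransomware-isolation check."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    name: str
    role: str              # "production" or "backup"
    media: str             # e.g. "server-disk", "nas", "usb-disk", "cloud-object"
    site: str              # physical location or cloud region
    always_connected: bool
    separate_creds: bool   # cannot be reached with the domain/server credentials
    immutable_days: int = 0  # 0 means the copy can be deleted at any time


def check_3_2_1(copies: list[Copy], production_site: str) -> dict[str, bool]:
    """One boolean per requirement, so a report shows exactly what is missing."""
    media = {c.media for c in copies}
    off_site = [c for c in copies if c.site != production_site]
    # A backup that ransomware on the main network cannot simply encrypt or
    # delete along with production: offline, separate credentials, or immutable.
    isolated = [c for c in copies if c.role == "backup"
                and (not c.always_connected or c.separate_creds or c.immutable_days > 0)]
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "one_off_site": len(off_site) >= 1,
        "ransomware_isolated_copy": len(isolated) >= 1,
    }


def passes(report: dict[str, bool]) -> bool:
    return all(report.values())


# Constructed inventory: the "trap" from above, one drive plugged into the server.
TRAP = [
    Copy("production", "production", "server-disk", "hamilton-office", True, False),
    Copy("usb-on-server", "backup", "usb-disk", "hamilton-office", True, False),
]
# Constructed inventory following Steps 2-4: NAS in the closet plus an immutable cloud copy.
GOOD = [
    Copy("production", "production", "server-disk", "hamilton-office", True, False),
    Copy("nightly-nas", "backup", "nas", "hamilton-office", True, True),
    Copy("cloud-backup", "backup", "cloud-object", "ca-central", True, True, immutable_days=30),
]

if __name__ == "__main__":
    for label, inventory in (("trap", TRAP), ("good", GOOD)):
        report = check_3_2_1(inventory, "hamilton-office")
        print(label, "PASS" if passes(report) else "FAIL", report)
```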
Step 5 – Test Restores Like You Mean It
Every Canadian guide on backups hits this point: a backup you've never restored is just a theory.
At least quarterly:
- Pick a random file, mailbox, or small dataset
- Pretend it's gone
- Time how long it takes to restore from each backup source
Record:
- Where you restored from (local vs off-site)
- How long it took
- Any surprises (missing access, corrupted files, etc.)
Your future self will thank you the day a real incident hits.
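The quarterly drill above, as an added example script (not part of the original article): it picks a random production file, restores it from every backup source, checks it byte-for-byte against the original, times each restore and records the source, duration and any surprise. The directory layout is constructed in a temp folder, and a plain file copy stands in for whatever restore command your backup tool actually uses.

```python
"""Restore drill: restore one random file from each source, verify, time, record."""
import hashlib
import json
import random
import shutil
import tempfile
import time
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def restore_drill(production: Path, sources: dict[str, Path], seed: int = 0) -> list[dict]:
    """Restore one randomly chosen production file from every backup source."""
    files = sorted(p for p in production.rglob("*") if p.is_file())
    target = random.Random(seed).choice(files)
    rel = target.relative_to(production)
    expected = sha256(target)
    scratch = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    records = []
    for name, root in sources.items():
        rec = {"file": rel.as_posix(), "source": name, "ok": False, "surprise": None}
        start = time.perf_counter()
        try:
            restored = scratch / name / rel
            restored.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(root / rel, restored)  # stands in for the real restore command
            rec["ok"] = sha256(restored) == expected
            if not rec["ok"]:
                rec["surprise"] = "restored file does not match production"
        except FileNotFoundError:
            rec["surprise"] = "file missing from this backup source"
        rec["seconds"] = round(time.perf_counter() - start, 4)
        records.append(rec)
    shutil.rmtree(scratch)
    return records


def build_sample() -> tuple[Path, dict[str, Path]]:
    """Constructed layout: production tree, a complete NAS copy, an off-site copy missing one file."""
    base = Path(tempfile.mkdtemp(prefix="drill-"))
    prod, nas, cloud = base / "prod", base / "nas", base / "cloud"
    for folder in ("accounting", "projects"):
        (prod / folder).mkdir(parents=True)
        (prod / folder / "file.txt").write_text(f"{folder} data\n")
    shutil.copytree(prod, nas)
    shutil.copytree(prod, cloud)
    (cloud / "projects" / "file.txt").unlink()  # simulate a gap in the off-site copy
    return prod, {"local-nas": nas, "off-site-cloud": cloud}


if __name__ == "__main__":
    prod, sources = build_sample()
    print(json.dumps(restore_drill(prod, sources), indent=2))
```

Keep the JSON output with the date and the name of whoever ran the drill; that file is the "proof of test restores" the insurance section below talks about.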
How This Ties Into Insurance and Compliance
More cyber insurance guidance and self-assessment tools in Canada now explicitly ask about:
- Regular, tested backups
- Off-site or immutable copies
- Retention times and recovery objectives
If your answer is "We think our IT guy has that covered," that's not going to impress anyone after an incident.
A documented 3-2-1 strategy, plus proof of test restores, goes a long way with:
- Insurers
- Clients who audit you
- Regulators, if you're in a regulated space
A Realistic 90-Day Plan for a Golden Horseshoe SMB
Over the next three months, aim to:
Month 1:
- List critical systems and data
- Confirm what's being backed up today and where
Month 2:
- Put a proper local backup in place (NAS or similar)
- Add an off-site/cloud component where it's missing
Month 3:
- Run and document a test restore
- Add "quarterly restore test" to someone's job description
No drama, no scare tactics. Just making sure that if a fire, flood, or ransomware campaign hits your building off the LINC, it's a bad week—not the end of your business.
Need Help With Your Backup Strategy?
Get a professional backup assessment from CyberLeda's team. We'll help you implement 3-2-1 properly.