Data loss is one of the most devastating things that can happen to a small business. Whether it's caused by ransomware, a failed hard drive, accidental deletion, a flood in your server room, or a disgruntled employee — the result is the same: your business data is gone, and your operations grind to a halt.
The 3-2-1 backup rule is the simplest, most widely accepted framework for protecting your data. It's not complicated. But most Montreal SMBs aren't following it, and most wouldn't know if their backups had silently failed three months ago.
What Is the 3-2-1 Rule?
The 3-2-1 rule states that you should have:
- 3 copies of your data — the original, plus two backups
- 2 different storage media — e.g., internal drive + external drive, or local NAS + cloud
- 1 copy offsite — physically or geographically separate from your primary location
The logic is simple: any single failure — hardware failure, fire, flood, theft, ransomware — should not be able to take out all three copies simultaneously.
The most common backup mistake: Having your only backup on an external drive plugged into the same computer it's backing up. If the computer gets ransomware, the external drive gets encrypted too. If the building floods, both are lost.
Why Each Part Matters
Why 3 Copies?
The original and one backup feels like enough — until your backup corrupts the same day your primary drive fails (which happens more often than you'd think, because the same aging hardware that causes one failure often causes the other). A third copy provides a safety net for exactly this scenario.
Why 2 Different Media?
Different media types fail in different ways and at different times. An internal SSD and a cloud backup have completely separate failure modes. If both copies live on spinning hard drives in the same enclosure, they share a common failure point.
Why 1 Offsite?
Physical disasters — fire, flood, theft — affect everything in one location simultaneously. An offsite copy (cloud storage, a drive at a second location, or a cloud backup service) survives a physical disaster at your primary location. This is especially important for Montreal businesses in older buildings with aging infrastructure.
What Should Be Backed Up?
A common mistake is backing up the wrong things — or not backing up everything that matters. Your backup scope should include:
- All company files and documents (local and shared drives)
- Email data (Microsoft 365 does NOT automatically back up email to a restorable format by default)
- Databases — accounting software, CRM, custom applications
- Server configurations and virtual machines
- SharePoint and OneDrive data (again, M365 recycle bins are not a backup)
- Any cloud application data that doesn't have its own backup system
Important: Microsoft 365 is not a backup. It has recycle bins and version history, but these have retention limits and are not designed for disaster recovery. You need a third-party backup solution for M365 data.
The Part Everyone Gets Wrong: Testing
Having a backup is necessary. Having a backup that actually works is what matters.
Backups fail silently. The backup software reports success. The job runs every night. And then, when you need to restore after a ransomware attack or drive failure, you discover that the backup files are corrupted, incomplete, or missing the specific folder that contained your most critical data.
This is not a hypothetical. It happens to businesses in Montreal every year.
Testing your backup means actually restoring files from it — not just confirming the job ran. A proper backup test looks like:
- Restore a specific file from a backup taken last week to confirm the process works
- Restore a folder from 30 days ago to confirm retention is working as expected
- Periodically perform a full server restore to a test environment to confirm you could recover from a total failure
At minimum, test your backups quarterly. Monthly is better. Your MSP should be doing this for you and reporting on it.
The Modern 3-2-1: Cloud-First for Montreal SMBs
For most Montreal SMBs today, a practical 3-2-1 implementation looks like this:
- Copy 1: Live data on your server, workstations, or Microsoft 365
- Copy 2: Local backup on a NAS (network-attached storage) device in your office — fast recovery for common scenarios
- Copy 3: Cloud backup to an offsite data centre — survives any physical disaster at your location
This gives you fast local restores for everyday scenarios (accidentally deleted file, one drive fails) and offsite protection for disasters (ransomware that encrypted the NAS, building fire, flood).
Ransomware and Your Backups
Modern ransomware operators specifically target backups. Before triggering encryption, they look for backup devices connected to your network and encrypt those too. This is why the "1 offsite" part of 3-2-1 is critical — and why that offsite copy should ideally be air-gapped (not continuously connected to your network).
Cloud backup services that use immutable storage (where data cannot be modified or deleted for a defined period) provide strong protection against ransomware targeting backups.
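The "any single failure" logic behind the rule and the ransomware point above can be checked against a backup inventory. The following is an added example, not from the original article: it counts copies, media and sites, then tests whether one failure would take out every copy. The inventories and the simplified failure model are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    name: str
    media: str               # "ssd", "usb-hdd", "nas", "cloud", ...
    site: str                # physical location of the copy
    device: str              # storage device holding the copy
    online: bool             # writable from the office network or its hosts
    immutable: bool = False  # cannot be modified or deleted during retention


def audit(copies: list) -> list:
    """Return 3-2-1 violations plus single failures that take out every copy.

    copies[0] is the live data. The scenario model is an assumption of this
    example, reduced to the failure types the article lists.
    """
    primary, findings = copies[0], []
    if len(copies) < 3:
        findings.append("fewer than 3 copies")
    if len({c.media for c in copies}) < 2:
        findings.append("fewer than 2 media types")
    if all(c.site == primary.site for c in copies):
        findings.append("no offsite copy")
    scenarios = {
        "device failure": lambda c: c.device == primary.device,
        "site disaster": lambda c: c.site == primary.site,
        "ransomware": lambda c: c.online and not c.immutable,
    }
    for name, destroys in scenarios.items():
        if all(destroys(c) for c in copies):
            findings.append(f"{name} takes out every copy")
    return findings


# Constructed inventories (not real systems).
LIVE = Copy("server", "ssd", "office", "srv-disk", online=True)
NAS = Copy("office NAS", "nas", "office", "nas-1", online=True)
USB_ONLY = [LIVE, Copy("usb drive", "usb-hdd", "office", "usb-1", online=True)]
MUTABLE = [LIVE, NAS, Copy("cloud copy", "cloud", "dc", "bucket", online=True)]
HARDENED = [LIVE, NAS, Copy("cloud backup", "cloud", "dc", "bucket", online=True, immutable=True)]

if __name__ == "__main__":
    for label, inv in [("usb only", USB_ONLY), ("mutable", MUTABLE), ("hardened", HARDENED)]:
        print(label, "->", audit(inv) or "ok")
```

The `MUTABLE` inventory satisfies the 3-2-1 counts yet still fails the ransomware scenario, which is the gap that an air-gapped or immutable offsite copy closes.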
The Bottom Line
The 3-2-1 rule isn't complicated — it's just three numbers. Three copies. Two media. One offsite. The failure isn't understanding the rule; it's actually implementing it and testing it consistently.
At Evolv I.T, backup implementation and monthly testing are part of every managed IT plan. We verify restores, report on backup health, and make sure that when something goes wrong — and eventually something does — your data is actually recoverable.
If you're not confident in your current backup setup, our free IT assessment includes a review of what you have in place and what gaps exist.