Yes, even in 2026. Yes, especially if you're in the cloud. Yes, even if you think you've got it covered. The 3-2-1 rule is forty years old and still the simplest way to make sure you can actually recover when you need to.
3 copies
Three copies of your data: the live original, plus two backups. The reason isn't paranoia — it's simple probability. The chance of one backup failing when you need it is uncomfortably high. The chance of two failing at the same time is vanishingly low.
2 different media
The two backup copies should live on different media types. One can be cloud (S3, OneDrive for Business, Datto Cloud). The other should be local — a NAS or appliance on your premises. If your cloud provider has an outage or you can't reach the internet, you've still got the local copy. And vice versa.
1 off-site
One of those copies must be physically off-site. A fire, flood, theft, or ransomware that encrypts your local server can't reach a backup that's 50km away in another building. Cloud backup counts as off-site by default; an external drive in the same room emphatically does not.
We use Datto for image-based backups across most of our managed customers — on-site appliance, immutable cloud copy, 15-minute RPO, 4-hour RTO. Tested every month. Used in anger three times in 2025.
Why three copies, two media, one off-site
The 3-2-1 rule is decades old and still the clearest backup standard there is. Keep three copies of your data, on two different types of media, with one copy stored off-site. The logic is simple probability: the chance of one backup failing when you need it is uncomfortably high, but the chance of all copies failing at once, in different places, is vanishingly small. Most data-loss disasters we are called to involve a business that thought one copy was enough.
Where cloud sync is not a backup
A common and dangerous assumption is that OneDrive, SharePoint or Google Drive count as a backup. They are sync services. If a file is deleted, corrupted or encrypted by ransomware, that change syncs to every copy almost instantly. True backup keeps point-in-time versions you can roll back to, isolated from the live data, so an attack or an accident cannot reach them. This is why we run dedicated backup alongside Microsoft 365, not instead of it.
Testing is the part everyone skips
A backup you have never restored is a hope, not a plan. We test restores on a schedule so that when something does go wrong, recovery is a known, timed process rather than a frantic discovery. For most clients we target a recovery point of around fifteen minutes and a recovery time of a few hours, with immutable copies that ransomware cannot alter. The goal is that a bad day stays a bad day, not a business-ending one.
Backup is not the same as business continuity
A backup protects your data. Business continuity protects your ability to keep working while that data is restored. The two are related but not identical, and the gap between them is where many businesses get caught. A good plan answers practical questions in advance: how long can you operate without your main system, who needs access first, and what is the agreed order of recovery. We build that plan with you, document it, and rehearse it, so that a failure becomes a managed event with known steps rather than an emergency invented on the spot. For Geelong businesses that cannot afford to stop, that preparation is the difference between an inconvenience and a genuine crisis.