The 3-2-1 Backup Rule:
Does Your Setup Actually Qualify?

What the 3-2-1 Rule Actually Means

The 3-2-1 backup rule is a straightforward framework used by the Cybersecurity and Infrastructure Security Agency (CISA) and widely adopted across the IT industry. It gives you three concrete things to verify, not just a vague sense that your data is "backed up."

According to CISA's guidance, the rule states:

• 3 copies of your data. Your original working copy plus two backups. Having two total is not enough. If your primary file and your only backup are both lost in the same event, you have nothing left.
• 2 different types of storage media. The copies should not all live on the same kind of device. For example, one copy on an internal drive and one on an external USB drive counts as two media types. Two internal drives in the same machine does not.
• 1 copy kept off-site. At least one backup must be stored in a physically separate location, away from your office or home. A fire, flood, theft, or power surge can destroy every device in a single building at once. Off-site storage survives local disasters.

CISA's #StopRansomware campaign adds an important fourth element to this framework: keeping at least one copy offline or air-gapped, meaning it is not continuously connected to your network. Ransomware that encrypts your live files will often reach across network connections to encrypt mapped drives and cloud-synced folders as well. An offline or air-gapped copy is unreachable by that kind of attack.

The 3-2-1 rule does not guarantee recovery from every scenario, but it addresses the most common causes of permanent data loss: hardware failure, local disaster, ransomware, and accidental deletion.

Does Your Current Setup Actually Meet 3-2-1?

Most small business owners are surprised when they walk through this checklist. Setups that feel thorough often fall short on the off-site requirement or the copy count.

Here are the most common small business setups and where they stand:

• One PC with no backup at all. This is one copy, one media type, zero off-site. A single drive failure, theft, or ransomware attack means permanent loss. This does not meet 3-2-1 on any point.
• One PC plus an external drive in the same office. This is two copies and two media types, which satisfies two of the three requirements. But both devices are in the same location. A fire, flood, or burglary takes both. Zero off-site copies means this setup fails 3-2-1.
• OneDrive, Dropbox, or Google Drive sync only. Cloud sync is not the same as a backup. Sync mirrors your current file state. If you delete a file or ransomware encrypts it, the sync service replicates that change to the cloud, often within seconds. Version history varies by plan and is often limited. See Cloud Sync vs. Backup for a full breakdown of the difference.
• External drive kept at the office plus a sync service. Better, but the sync service's version history and recovery controls may not meet your needs, and neither copy is truly a managed, independent off-site backup. You are also dependent on the sync provider's retention policies, which can change.
• Server with RAID storage. RAID protects against a single drive failure. It does not protect against ransomware, accidental deletion, fire, or theft. RAID is not a backup. It is redundancy within a single system. It does not contribute a copy toward the 3-2-1 count in any meaningful way.
• Rotating external drives taken home weekly. This is one of the stronger offline strategies a small business can run manually. It qualifies as an off-site copy when the drive is actually off-site. The gaps are that it requires consistent human action, provides no automatic failure alerts, and version history is limited to the rotation interval.

The honest summary: a PC plus an external drive in the same building is the most common small business setup, and it leaves you exposed to local disasters and ransomware. If you want a fuller look at why a single external drive is not a complete backup plan, see Why Your External Drive Is Not a Backup.

What a Complete 3-2-1 Plan Looks Like

Here is what a complete, defensible backup plan includes for a small business, built around the 3-2-1 standard and CISA's #StopRansomware recommendations.

• Three distinct copies of your data. Your working files on your primary device, a local backup (external drive or NAS), and a separate off-site backup. All three should be independent of each other so no single failure destroys more than one copy.
• Two different media types. For example, internal or local network storage plus a cloud-based off-site backup. The goal is that a failure mode affecting one type (say, a ransomware attack encrypting network-connected drives) does not automatically compromise the other.
• One off-site copy, managed and encrypted. The off-site copy should be stored outside your office, encrypted in transit and at rest, and not dependent on you remembering to carry a drive somewhere. Managed cloud backup fulfills this requirement automatically.
• At least one offline or air-gapped copy. Per CISA's #StopRansomware guidance, one copy should be unreachable from your network. This is typically a drive that is disconnected after backup, or a cloud backup with immutable storage that prevents overwriting by ransomware.
• 30 or more days of version history. Ransomware and accidental deletions are not always discovered immediately. Version history lets you roll back to a clean point in time before the damage occurred. Shorter retention windows reduce your options significantly.
• Automatic scheduling, every day. Manual backups fail because people get busy. An automatic daily backup schedule means your off-site copy stays current without relying on anyone remembering to run it.
• Failure alerts. If a backup job fails silently, you may not discover the gap until you need to restore. A complete plan includes monitoring that notifies you or your provider when something goes wrong.
• Periodic restore testing. A backup you have never tested is a backup you cannot trust. CISA's guidance and general IT best practice both call for periodically verifying that your backups actually restore. This should be a scheduled activity, not a one-time setup task.

If you want to run through how your current setup performs against each of these criteria, the Small Business Backup Checklist walks you through it step by step.

For small businesses dealing with ransomware risk specifically, Ransomware Restore Readiness covers what your backup plan needs to survive an attack and actually get you back online.

Where EverydayBackups Fits In

EverydayBackups is a paid managed backup service built to fill the gaps most small businesses have: no off-site copy, no automatic scheduling, no failure alerts, and no meaningful version history.

When you run EverydayBackups, your files are encrypted on your device before they leave, transmitted over an encrypted connection, and stored encrypted off-site. Backups run automatically on a daily schedule without you doing anything. If a backup job fails, you get an alert. Version history is retained so you can restore from a point in time before a problem occurred.

Combined with a local copy on an external drive or NAS, EverydayBackups gives you the off-site, independently managed third copy that completes the 3-2-1 framework. Plans start at $5.99/mo. There is no free backup tier, but you can take the free 2-minute self-check to see where your current setup stands before you decide anything.