In 2023, a ransomware group encrypted the entire file server of a small manufacturing company in South Texas. Everything — customer files, CAD drawings, QuickBooks data, employee records, everything. The owner called us after the attack. We asked one question: "When did you last verify your backups?" He said the backup drive was connected to the server. It was encrypted too.
This story repeats itself constantly. The business had a backup. The backup was useless. And the reason comes down to not understanding one simple concept that the data storage industry established nearly two decades ago: the 3-2-1 rule.
What the 3-2-1 Rule Actually Means
The rule says: keep at least three copies of your data, on at least two different types of storage media, with at least one copy offsite. The original formulation came from Peter Krogh, a photographer who published it in his 2005 book on digital asset management. It has since been adopted widely in enterprise IT backup guidance. It predates most modern ransomware by a decade, and it still directly defends against it, because an attacker who encrypts the production copy and whatever is plugged into it still cannot reach the copy that is somewhere else.
Why the Backup You Have Probably Does Not Count
Most small businesses have one of these "backup" setups, and none of them are 3-2-1 compliant:
- External drive plugged into the server: This is a single copy, same location, same physical attack surface. Ransomware encrypts it. Fire destroys it. Theft removes both at once.
- Cloud sync (Dropbox, OneDrive, Google Drive): Sync is not backup. When ransomware encrypts your files, the sync service dutifully uploads the encrypted versions and overwrites your cloud copies. Versioning helps — but only if you actually configure it and test it.
- RAID array: RAID is redundancy, not backup. RAID protects against a single drive failure. It does not protect against ransomware, accidental deletion, corruption, or fire. A RAID array that gets encrypted is a very reliable copy of encrypted data.
- Backup that has never been tested: An untested backup is not a backup — it is hope. A backup that fails during restore is discovered at the worst possible moment. The restore test is the only thing that makes a backup real.
Modern ransomware variants explicitly target backup systems. Before encrypting files, they delete Windows Volume Shadow Copies, scan for connected backup drives, network shares, and cloud sync folders, and encrypt or delete those first. The 3-2-1 rule, specifically the offsite copy that the production environment's credentials cannot overwrite or delete (offline media, or cloud storage with immutable retention), is the primary defense against backup-targeting ransomware.
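The difference between a sync mirror and a versioned backup is easiest to see by running it. The script below is an added example, not code from the page or from any backup vendor: it builds a small "production" folder in a temp directory, keeps one copy as a mirror the way a sync client would, takes a dated snapshot with a SHA-256 manifest the way a backup job would, then runs a stand-in encryptor over production (an XOR and a .locked rename, constructed here, not real malware). The mirror faithfully receives the damage; the snapshot still restores and verifies.

```python
"""Added example: a sync mirror versus a versioned snapshot under ransomware.
Not code from the page or any vendor. Directory layout, sample files and the
toy encryptor are all constructed here so it runs offline."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def mirror_sync(src: Path, dst: Path) -> None:
    """Cloud-sync behaviour: destination always equals source, history is lost."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


def snapshot_backup(src: Path, store: Path, label: str) -> Path:
    """Versioned backup: each run lands in its own directory with a hash
    manifest, and nothing written later touches an earlier snapshot."""
    snap = store / label
    shutil.copytree(src, snap)
    manifest = {p.relative_to(src).as_posix(): sha256_file(p)
                for p in src.rglob("*") if p.is_file()}
    (snap / "MANIFEST.sha256").write_text(
        "".join(f"{h}  {n}\n" for n, h in sorted(manifest.items())))
    return snap


def simulate_ransomware(root: Path, key: int = 0x5A) -> None:
    """Stand-in for an encryptor: XOR every file in place, rename to .locked."""
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(bytes(b ^ key for b in p.read_bytes()))
            p.rename(p.with_name(p.name + ".locked"))


def restore_from_snapshot(snap: Path, dest: Path) -> dict:
    """Restore every manifest entry and verify it; returns name -> ok."""
    results = {}
    for line in (snap / "MANIFEST.sha256").read_text().splitlines():
        digest, name = line.split("  ", 1)
        target = dest / name
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snap / name, target)
        results[name] = sha256_file(target) == digest
    return results


def run_demo() -> dict:
    work = Path(tempfile.mkdtemp(prefix="321demo_"))
    src, mirror, store, restore = (work / n for n in
                                   ("prod", "cloud_sync", "snapshots", "restore"))
    src.mkdir()
    (src / "invoices").mkdir()
    (src / "invoices" / "2024-01.csv").write_text("customer,amount\nacme,1200\n")
    (src / "drawing.dxf").write_bytes(b"0\nSECTION\n2\nHEADER\n")
    originals = {p.relative_to(src).as_posix(): sha256_file(p)
                 for p in src.rglob("*") if p.is_file()}

    mirror_sync(src, mirror)                       # "backup" number one: a sync folder
    snapshot_backup(src, store, "2024-01-31T0200")  # backup number two: a dated snapshot

    simulate_ransomware(src)
    mirror_sync(src, mirror)  # the sync client dutifully uploads the damage

    mirror_intact = all((mirror / n).exists() and sha256_file(mirror / n) == h
                        for n, h in originals.items())
    restored = restore_from_snapshot(store / "2024-01-31T0200", restore)
    shutil.rmtree(work, ignore_errors=True)
    return {"mirror_intact": mirror_intact,
            "snapshot_restore_ok": all(restored.values()),
            "files": sorted(restored)}


if __name__ == "__main__":
    print(run_demo())
```

The snapshot survives here only because the encryptor never got a path to the snapshot store. If the store were a mapped drive on the infected machine, the loop in simulate_ransomware would have walked it too, which is exactly the situation in the opening story.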
A Practical 3-2-1 Setup for Small Business
Here is how a realistic, cost-effective 3-2-1 implementation looks for a typical small business with 5–50 employees:
Copy 1: Production Data (Your Servers or Workstations)
This is your live data — whatever system your team works from. It could be a Windows Server, a NAS running file shares, or data in a cloud application like QuickBooks Online. This is always Copy 1.
Copy 2: Local Backup (On-Premises NAS)
A dedicated NAS (Network Attached Storage) device on your local network, running automated backup software. This copy should be on a separate device from your production data: not the same server, not the same RAID array. Have the backup software run with its own account and its own credentials, and do not leave the backup share mapped as a drive on the production server; if the server can write to that share as an ordinary user, so can ransomware running as that user. This gives you fast local restores when someone accidentally deletes a file or a drive fails. It is accessible in minutes.
Recommended local NAS: Synology. It is the most widely deployed small business NAS platform. Synology's Hyper Backup software handles scheduled backup jobs, deduplication, versioning, and integrity verification natively. The DS423+ or DS923+ are solid starting points for most small businesses. Pair with WD Red Pro or Seagate IronWolf drives rated for 24/7 NAS operation. A 4-bay unit with 4TB drives runs $600–$900 total.
Copy 3: Offsite or Cloud Backup
This is the copy that saves you when a ransomware attack, fire, flood, or physical theft takes out everything else on-site. It needs to be logically or physically separated from your primary location. This is non-negotiable under 3-2-1.
Cloud offsite, best price per TB: Wasabi plus Veeam. Wasabi is an S3-compatible object storage provider priced at $7.99/TB/month with no egress fees, significantly cheaper than AWS S3 or Azure Blob for backup workloads. Veeam Backup & Replication (the free Community Edition covers up to 10 workloads) handles the backup orchestration and sends encrypted backups to Wasabi. Enable Object Lock on the Wasabi bucket and configure the Veeam repository as immutable, so that even the backup account cannot delete or overwrite a backup before its retention period expires; without that, an attacker who takes over the backup server can remove the offsite copy with the same credentials the job uses. This combination covers most SMBs for under $50/month total.
Integrated, simple setup: Synology Hyper Backup plus Backblaze B2. If you are already running a Synology NAS, Hyper Backup includes native integration with Backblaze B2 cloud storage ($6/TB/month). Set up a backup task to run nightly with client-side encryption enabled, so data is encrypted before upload. The offsite versions are out of ransomware's reach only as long as the credentials stored on the NAS cannot destroy them: use a dedicated B2 application key scoped to that one bucket rather than your account's master key, keep prior file versions in the bucket rather than deleting them immediately, and harden the NAS itself (disable the default admin account, enable two-factor authentication, no port forwarding from the internet). An attacker who gains administrative access to the NAS gets that key with it.
Microsoft 365: critical. If your business lives in Microsoft 365 (email in Exchange Online, files in SharePoint, teams in Teams), Microsoft does not back up your data. Under the shared responsibility model they are responsible for service uptime, not for your data retention. Veeam Backup for Microsoft 365 backs up Exchange, SharePoint, OneDrive, and Teams to a location you control. Around $60/year for 10 users.
The Step Most Businesses Skip: Testing the Restore
The backup job running every night does not mean your data is recoverable. Backup software can silently fail. Storage media can have silent corruption. Backup jobs can skip files due to permissions issues. The only way to know your backup actually works is to restore from it.
The test restore protocol we recommend for small businesses:
- Monthly spot restore test: Pick three or four random files from your most recent backup set. Restore them to a temp folder. Open them and verify the contents look correct. This catches most backup corruption issues early.
- Quarterly full restore test: Stand up a test machine (virtual machine is fine) and attempt a full system restore from your most recent backup. Verify the system boots, applications launch, and data is intact. This is the only real validation that you can actually recover from a disaster.
- Log review: Most backup software sends success/failure emails or maintains a job log. Review these weekly. A backup job that reports completion but has been failing silently for three months is a ticking clock.
- Verify your RPO and RTO: RPO (Recovery Point Objective) = how much data you can afford to lose. RTO (Recovery Time Objective) = how long you can be down. If your backup runs nightly and your RTO is four hours, test that you can actually restore within four hours — because an untested RTO is fictional.
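The monthly spot restore and the RPO/RTO check above can be scripted so they actually happen. The script below is an added example, not code from the page or from any backup product. It assumes the backup job leaves each backup set in its own directory with a MANIFEST.sha256 file of "<sha256>  <relative path>" lines (an assumption; real products keep their own catalogs). The sample backup set is constructed in a temp directory, with two silent failures injected after the manifest was written: one file corrupted on the media, one file the job skipped. The spot test restores a random sample into a scratch directory, verifies every hash, times the restore, and judges RPO and RTO from what was measured rather than from the schedule.

```python
"""Added example: scripted spot-restore test with an RPO/RTO check.
Not code from the page or any vendor. Assumes a MANIFEST.sha256 per backup
set; the sample backup set and its injected failures are constructed here."""
import hashlib
import random
import shutil
import tempfile
import time
from datetime import datetime, timedelta
from pathlib import Path

MANIFEST = "MANIFEST.sha256"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def read_manifest(backup_set: Path) -> dict:
    entries = {}
    for line in (backup_set / MANIFEST).read_text().splitlines():
        digest, name = line.split("  ", 1)
        entries[name] = digest
    return entries


def spot_restore_test(backup_set: Path, sample_size: int = 4, seed=None) -> dict:
    """Restore a random sample to a scratch directory and verify each hash.
    Returns per-file verdicts and the wall-clock seconds the restore took."""
    manifest = read_manifest(backup_set)
    rng = random.Random(seed)
    chosen = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    scratch = Path(tempfile.mkdtemp(prefix="restore_test_"))
    verdicts = {}
    started = time.monotonic()
    for name in chosen:
        src = backup_set / name
        if not src.exists():
            # catalog says it was backed up, media says otherwise (skipped file)
            verdicts[name] = "missing from backup set"
            continue
        dst = scratch / name
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        verdicts[name] = "ok" if sha256_file(dst) == manifest[name] else "hash mismatch"
    elapsed = time.monotonic() - started
    shutil.rmtree(scratch, ignore_errors=True)
    return {"verdicts": verdicts, "elapsed_s": elapsed}


def check_objectives(backup_time: datetime, now: datetime, rpo: timedelta,
                     restore_elapsed: timedelta, rto: timedelta) -> dict:
    """RPO: is the newest backup recent enough? RTO: did the measured restore
    fit the budget? A backup that ran 'nightly' but last succeeded 30 hours
    ago fails a 24-hour RPO regardless of what the schedule says."""
    age = now - backup_time
    return {"rpo_met": age <= rpo, "backup_age": age, "rto_met": restore_elapsed <= rto}


def build_sample_backup_set(root: Path) -> Path:
    """Constructed sample: six files plus the manifest, then two failures
    injected after the manifest was recorded."""
    files = {
        "finance/2024-01.qbb": b"QuickBooks company file (sample)\n",
        "finance/2024-02.qbb": b"QuickBooks company file (sample) 2\n",
        "cad/bracket.dwg": b"AC1032 sample drawing\n",
        "cad/housing.dwg": b"AC1032 sample drawing 2\n",
        "hr/payroll.xlsx": b"PK\x03\x04 sample workbook\n",
        "customers/list.csv": b"name,email\nacme,ops@example.com\n",
    }
    for name, data in files.items():
        p = root / name
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    manifest = {n: sha256_file(root / n) for n in files}
    (root / MANIFEST).write_text("".join(f"{h}  {n}\n" for n, h in sorted(manifest.items())))
    data = bytearray((root / "hr/payroll.xlsx").read_bytes())
    data[0] ^= 0x01                                  # silent media corruption
    (root / "hr/payroll.xlsx").write_bytes(data)
    (root / "cad/bracket.dwg").unlink()              # file the job silently skipped
    return root


def run_demo() -> dict:
    root = Path(tempfile.mkdtemp(prefix="backup_set_"))
    try:
        result = spot_restore_test(build_sample_backup_set(root), sample_size=6, seed=7)
        now = datetime(2024, 3, 1, 9, 0)
        objectives = check_objectives(
            backup_time=now - timedelta(hours=30),   # last good job: night before last
            now=now, rpo=timedelta(hours=24),
            restore_elapsed=timedelta(seconds=result["elapsed_s"]), rto=timedelta(hours=4))
    finally:
        shutil.rmtree(root, ignore_errors=True)
    counts = {}
    for v in result["verdicts"].values():
        counts[v] = counts.get(v, 0) + 1
    return {"counts": counts, "rpo_met": objectives["rpo_met"], "rto_met": objectives["rto_met"]}


if __name__ == "__main__":
    print(run_demo())
```

Run it against a real backup set by pointing spot_restore_test at the directory and passing the job's last-success timestamp to check_objectives; anything other than "ok" in the verdicts is the email you want to receive before the day you need the restore, not after.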
The average cost of ransomware recovery for a small business in 2024 was $1.4 million when you include downtime, ransom payment (if paid), remediation, and reputational damage. A complete 3-2-1 backup infrastructure for a 20-employee business runs $200–$400/month in hardware, software, and cloud storage. The math is not close.
What a Good Backup Stack Actually Costs
For a typical small business with one server or NAS plus Microsoft 365:
- Synology DS423+ NAS with 4x4TB drives: ~$800 one-time
- Veeam Community Edition (up to 10 workloads): Free
- Wasabi cloud storage (500GB–2TB): $4–$16/month
- Veeam Backup for Microsoft 365 (10 users): ~$5/month
- Total ongoing: ~$25–$50/month after initial hardware
That is the real number. A proper 3-2-1 backup infrastructure for most small businesses costs less than a single business lunch per day. The companies that get hit by ransomware and lose everything were not unable to afford backups — they simply never made it a priority until the day they needed it.
The question is not whether your business can afford a proper backup strategy. The question is whether your business can afford to not have one.