The 3-2-1 Backup Rule for Melbourne Small Business — Never Lose Your Data Again

The 3-2-1 backup rule is the gold standard of data protection recommended by the Australian Cyber Security Centre: 3 copies of your data, on 2 different types of storage media, with 1 copy stored offsite. This rule has become even more critical in the era of ransomware, where attackers specifically target and destroy backups before encrypting everything else.

Why Most "Backups" Fail When You Need Them

The most common backup failures for Australian small businesses are: backups stored on a drive connected to the same network as everything else — which ransomware encrypts along with your main files; backups that have been quietly failing for months because no one checked them; backups that technically created files but cannot actually be restored in a useful timeframe; and backups that were not made for the specific data that matters most — such as the actual database files used by accounting or practice management software rather than just the surrounding folders.

Implementing 3-2-1 for a Small Business

Copy 1 (local, immediate recovery): An external hard drive backed up automatically each day, kept physically at your office. This is your fastest recovery option for accidental deletion or hardware failure — you can restore files in minutes. Disconnect this drive when not actively backing up to protect it from ransomware. Copy 2 (local, different media or device): A network-attached storage device, a second cloud sync, or a second external hard drive stored separately. This provides redundancy if one local backup fails. Copy 3 (offsite — the critical one): A cloud backup service that stores versioned copies of your data — multiple historical versions going back weeks or months. This is your protection against ransomware, fire, flood, and theft. Choose a service that maintains version history so you can restore files from before a ransomware attack.

Cloud Backup Services Worth Considering

For small businesses, Backblaze Business Backup provides unlimited storage per computer at a low monthly cost. Microsoft Azure Backup and Veeam Cloud Connect integrate well with Windows Server environments. For Microsoft 365 data — email, SharePoint, Teams — a dedicated Microsoft 365 backup solution like Veeam Backup for Microsoft 365 is important, as Microsoft's built-in retention is not equivalent to a proper backup.

Testing Your Backups — The Most Important Step

A backup you have never tested is a backup you cannot trust. Once per quarter, actually restore a test file or folder from your backup to confirm the restoration process works correctly. Many businesses discover during this test that their backup software has been showing errors for months, that the backup destination ran out of space, or that the restoration process takes far longer than they could afford during an incident. IntrusionX can assess and implement your backup strategy — including testing — as part of our Business Essentials package. Contact us for a free assessment.

Backup Retention and Ransomware Recovery

For ransomware recovery, the length of your backup retention period matters as much as having a backup at all. Modern ransomware attacks often involve a "dwell time" — the attacker quietly accesses your network for days or weeks before triggering the encryption. Files may be silently modified or exfiltrated before you are aware of the attack. If your cloud backup only retains seven days of history, and the attacker has been active for ten days, your backup may contain already-compromised files. A 30-day minimum retention period — storing daily snapshots for 30 days — provides a recovery point that predates most attack dwell periods. Many cloud backup services offer 30-day or longer retention at no additional cost.

What to Back Up

Many small businesses back up files on their local computers but overlook cloud data. Microsoft 365 emails and SharePoint data, Google Workspace files and Gmail, accounting software data stored in the cloud, CRM data, and any other business-critical cloud service data should be included in your backup strategy. These services maintain their own internal redundancy and retention, but this is not the same as a proper backup — it will not protect you if you accidentally delete critical data, if a ransomware attack corrupts cloud-synced files, or if your subscription lapses. IntrusionX can help you design and implement a complete backup strategy covering all your data — contact us for a free assessment.