Backing up business data starts with a simple framework: keep at least three copies of your data, store them on two different types of media, and make sure one copy lives off-site. This approach, known as the 3-2-1 rule, has been the foundation of data protection for years. But modern threats like ransomware have pushed that baseline further, and the tools available to small and midsize businesses have never been more accessible. Here’s how to build a backup system that actually protects your company.
Start With the 3-2-1 Rule
The 3-2-1 rule gives you a structure to build on. Your three copies include the original working data plus two backups. The two types of media might be a local hard drive paired with cloud storage, or a network-attached storage device paired with tape. The off-site copy ensures that a fire, flood, or break-in at your office doesn’t wipe out everything at once.
For most businesses today, a stronger version of this rule makes more sense: the 3-2-1-1-0 approach. The extra “1” means keeping at least one backup copy that is immutable or air-gapped, meaning it cannot be changed, deleted, or encrypted by anyone, including ransomware that has infiltrated your network. The “0” means you regularly verify your backups and confirm zero recovery errors. A backup you’ve never tested is a backup you can’t trust.
Define How Much Downtime You Can Afford
Before choosing tools, figure out two numbers that will shape every decision you make. The first is your Recovery Time Objective (RTO), which is the maximum amount of time your business can survive without access to its systems after a disruption. If your e-commerce site goes down, can you tolerate four hours of downtime? Twenty-four hours? A week?
The second is your Recovery Point Objective (RPO), which is how much data you can afford to lose. If your last backup ran at midnight and your server crashes at 5 p.m., you’ve lost 17 hours of work. For a business processing dozens of orders an hour, that’s catastrophic. For a company that updates a few spreadsheets daily, it might be tolerable.
There are no universal standards for these numbers. They depend entirely on your operations. A retail business processing payments may need an RTO of a few hours and an RPO measured in minutes. A consulting firm with mostly static documents might be fine with daily backups and a 24-hour recovery window. Write these targets down. They determine how often you back up, what storage you invest in, and how fast your recovery solution needs to be.
Choose Your Storage: Local, Cloud, or Both
Most businesses end up using a combination of local and cloud storage, and for good reason. Each has strengths that cover the other’s weaknesses.
Local Storage
A network-attached storage (NAS) device or dedicated backup server sitting in your office gives you fast access to your data. Restoring files from a local drive is significantly quicker than downloading hundreds of gigabytes from the cloud, which matters when your RTO is tight. You also get full control over security settings and hardware configuration, and you’re not dependent on an internet connection to access your backups.
The downsides are real, though. You need to purchase the hardware upfront, maintain it over time, and eventually replace it. Scaling up means buying more drives. And a local backup alone fails the off-site requirement: if something destroys your office, it destroys your backup too.
Cloud Storage
Cloud backup services, sometimes called Backup as a Service (BaaS), charge on a pay-as-you-go basis, so you avoid the upfront capital expense of hardware. Scaling is instant: if you need more space, you pay for more space. Cloud backups are inherently off-site, giving you geographic separation from your primary data without maintaining a second physical location.
The tradeoffs include less control over uptime (if the provider has an outage, you wait), potential cost creep if your data volume grows faster than expected, and slower restore times for large datasets since everything travels over your internet connection. For businesses with terabytes of data, a full cloud restore can take days.
The Practical Combination
A hybrid approach handles both scenarios well. Keep a local backup for fast day-to-day restores, like when someone accidentally deletes a folder or a single machine fails. Use cloud backup as your off-site copy for disaster recovery. This naturally satisfies the “two different types of media” and “one copy off-site” parts of the 3-2-1 rule.
Protect Backups From Ransomware
Ransomware attacks increasingly target backup files specifically. If an attacker encrypts both your production systems and your backups, you have no way to recover without paying. This is why immutable backups have become essential rather than optional.
An immutable backup is stored in a write-once, read-many (WORM) format. Once the data is written, it cannot be modified, deleted, or encrypted for a defined retention period. Even if someone gains administrative access to your network, the backup remains intact and recoverable. Implementation options include hardened Linux-based backup repositories, cloud object storage with S3-compatible object locks, and physical tape stored off-site.
An air-gapped backup takes this a step further by physically or logically disconnecting the backup from your network. A portable hard drive stored in a safe or a tape cartridge sitting on a shelf cannot be reached by malware. The inconvenience of manual handling is the entire point.
When configuring immutability periods, balance protection against cost. Setting a retention window that’s too short may not give you enough rollback capability if an attack goes undetected for weeks. Setting it too long inflates storage costs. Many businesses find that 30 to 90 days of immutable retention provides a reasonable safety net.
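To make the retention trade-off concrete, here is a small model, added as an example for this article and not taken from it or from any backup product, of daily restore points that are each locked for a retention period. It answers the question the paragraph raises: after an attack that went undetected for weeks, is there still a restore point that is both clean (taken before the compromise began) and still protected by its lock? The schedule, the compromise and detection dates, and the helper names are all constructed for the illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Added example, not from the article or any backup product. It models a
# repository of daily restore points, each locked (WORM / object lock) for a
# retention period, and checks whether a clean, still-protected point survives
# an attack that was discovered only weeks after it began. All dates and the
# backup schedule below are constructed.

@dataclass(frozen=True)
class RestorePoint:
    taken_at: datetime
    immutable_until: datetime  # lock expiry; after this the copy could be deleted

def build_restore_points(first: datetime, days: int, retention_days: int) -> List[RestorePoint]:
    """Constructed schedule: one backup per day at midnight, each locked for retention_days."""
    return [RestorePoint(first + timedelta(days=i),
                         first + timedelta(days=i + retention_days))
            for i in range(days)]

def latest_clean_point(points, compromise_start, detected_at) -> Optional[RestorePoint]:
    """Newest point taken before the compromise began whose lock had not
    lapsed when the attack was detected. Points taken after compromise_start
    may already contain encrypted files; points whose lock expired could have
    been deleted by an attacker holding admin rights, so neither is trusted."""
    candidates = [p for p in points
                  if p.taken_at < compromise_start and p.immutable_until >= detected_at]
    return max(candidates, key=lambda p: p.taken_at, default=None)

def minimum_retention_days(points, compromise_start, detected_at) -> Optional[int]:
    """Smallest whole-day retention that would still have kept the newest
    pre-compromise point locked at detection time (dwell time plus the gap
    back to the last clean backup, rounded up)."""
    clean = [p for p in points if p.taken_at < compromise_start]
    if not clean:
        return None
    newest = max(clean, key=lambda p: p.taken_at)
    return math.ceil((detected_at - newest.taken_at).total_seconds() / 86400)

def scenario(retention_days: int) -> dict:
    """Constructed incident: daily backups from 1 Jan 2024; ransomware starts
    altering files on 31 Jan at 13:00; it is discovered 21 Feb at 10:00,
    three weeks later."""
    points = build_restore_points(datetime(2024, 1, 1), 60, retention_days)
    compromise_start = datetime(2024, 1, 31, 13)
    detected_at = datetime(2024, 2, 21, 10)
    point = latest_clean_point(points, compromise_start, detected_at)
    return {
        "retention_days": retention_days,
        "min_retention_days": minimum_retention_days(points, compromise_start, detected_at),
        "clean_point": point.taken_at.isoformat() if point else None,
        "hours_lost": (compromise_start - point.taken_at).total_seconds() / 3600 if point else None,
    }

if __name__ == "__main__":
    for days in (14, 30, 90):
        print(scenario(days))
```

With a 14-day lock nothing clean survives the three-week dwell time, so the only intact copies already contain the attacker's changes; with 30 days the 31 January midnight backup is still locked and the rollback costs 13 hours of work. The computed minimum of 22 days is specific to this constructed dwell time, which is why the article's 30 to 90 day range leaves margin for attacks that stay hidden longer.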
Decide What to Back Up and How Often
Not all business data carries the same weight. Start by categorizing what you have:
- Critical operational data: Customer databases, financial records, active project files, email, and any system your business cannot function without. Back this up frequently, potentially every hour or in near-real-time, depending on your RPO.
- Important but less volatile data: Employee records, contracts, archived projects, and internal documentation. Daily backups are typically sufficient.
- Static or reproducible data: Software installers, marketing templates, publicly available reference material. These may only need weekly backups, or you may decide they don’t need dedicated backup at all.
For your most critical systems, look into incremental or differential backups. A full backup copies everything each time, which is thorough but slow and storage-intensive. An incremental backup copies only the data that changed since the last backup of any kind, which is faster and uses less space, though a restore has to replay the full backup and every incremental taken after it. A differential backup copies everything that changed since the last full backup, so each one grows larger over the week but a restore needs only the full backup plus the latest differential. Running a full backup weekly with incremental backups throughout the day is a common pattern that balances thoroughness with efficiency.
Don’t forget data that lives outside your own servers. If your team relies on cloud-based tools like email platforms, project management software, or CRM systems, those need backup too. Many cloud providers retain deleted data for only a limited window, and their terms of service often place the responsibility for data protection on you.
Test Your Restores Regularly
A backup that can’t be restored is worthless. Schedule regular test restores, at minimum quarterly, where you actually pull data from your backups and confirm it’s complete and usable. Pick a mix of individual files and full system images. Time how long the restore takes and compare it to your RTO. If it takes 12 hours to restore your server and your business needs to be back online in four, you have a gap to fix before a real emergency forces the issue.
Some backup software can automate this verification, spinning up a virtual copy of your backed-up system and checking that it boots and runs correctly. If your tool supports this, turn it on. Automated testing catches corruption and configuration errors that manual spot-checks can miss.
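The following is an added example, written for this article rather than taken from it or from any backup product, that ties together the weekly-full / daily-incremental pattern described above and the test-restore discipline in this section. It keeps a SHA-256 manifest per backup set, copies only changed files into an incremental set, restores by pulling each file from whichever set holds it, and then verifies every restored file against the manifest, which is the "zero recovery errors" check of the 3-2-1-1-0 rule. The source files, set names and the tampering step at the end are all constructed; real tools also record permissions, timestamps and a parent chain, which are left out here.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Added example, not code from the article or from any backup product. A
# minimal weekly-full / daily-incremental scheme driven by a SHA-256 manifest,
# followed by a restore that verifies every file against the manifest. The
# files, set names and the tampering step in demo() are all constructed.

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def run_backup(source: Path, repo: Path, name: str, previous: Optional[dict] = None) -> dict:
    """Write backup set `name` into repo. With previous=None every file is
    copied (full backup); otherwise only files whose hash differs from the
    previous manifest are copied, and unchanged files keep a reference to the
    set that already holds them. Files deleted from source simply drop out."""
    files, copied = {}, []
    prev_files = previous["files"] if previous else {}
    for rel, digest in snapshot(source).items():
        prev = prev_files.get(rel)
        if prev and prev["sha256"] == digest:
            files[rel] = prev  # unchanged since the last set: no copy needed
        else:
            target = repo / name / "data" / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(source / rel, target)
            files[rel] = {"sha256": digest, "stored_in": name}
            copied.append(rel)
    manifest = {"name": name, "files": files, "copied": sorted(copied)}
    (repo / name).mkdir(parents=True, exist_ok=True)
    (repo / name / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest

def restore(repo: Path, manifest: dict, target: Path) -> List[str]:
    """Rebuild the tree described by manifest under target, pulling each file
    from whichever set holds it, and verify its hash. Returns the problems
    found; an empty list is the only acceptable result of a test restore."""
    errors = []
    for rel, info in manifest["files"].items():
        src = repo / info["stored_in"] / "data" / rel
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        if not src.is_file():
            errors.append(f"missing in repository: {rel}")
            continue
        shutil.copy2(src, out)
        if sha256_of(out) != info["sha256"]:
            errors.append(f"checksum mismatch: {rel}")
    return errors

def demo() -> dict:
    """Constructed run: full backup; then edit one file, add one, delete one;
    take an incremental; restore from it and verify; finally corrupt a stored
    copy and show the verification catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src, repo = base / "src", base / "repo"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "contract.txt").write_text("signed 2024\n")
        (src / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (src / "old.tmp").write_text("scratch\n")
        full = run_backup(src, repo, "full-w01")

        (src / "ledger.csv").write_text("date,amount\n2024-01-01,100\n2024-01-02,250\n")
        (src / "docs" / "invoice.txt").write_text("INV-0001\n")
        (src / "old.tmp").unlink()
        inc = run_backup(src, repo, "inc-w01-d1", previous=full)

        errors = restore(repo, inc, base / "restore1")
        matches = snapshot(base / "restore1") == snapshot(src)

        # Simulate bit rot or tampering of the copy held in the full set.
        (repo / "full-w01" / "data" / "docs" / "contract.txt").write_text("signed 2023\n")
        tampered_errors = restore(repo, inc, base / "restore2")

        return {"full_copied": full["copied"], "inc_copied": inc["copied"],
                "restored_files": sorted(snapshot(base / "restore1")),
                "restored_matches_source": matches, "errors": errors,
                "tampered_errors": tampered_errors}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The incremental set copies only the edited ledger and the new invoice, yet restoring from it reproduces the whole current tree because unchanged files are fetched from the full set. The last step is the point of the section: once a stored copy is silently altered, only a restore that recomputes and compares hashes reports the mismatch; a backup job that merely ran to completion would never notice. Timing the restore call and comparing it with the RTO is a one-line addition with time.perf_counter.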
Know Your Retention Requirements
How long you keep backups isn’t just a storage question. It’s often a legal one. Businesses in regulated industries face specific retention timelines. Healthcare organizations subject to HIPAA must retain compliance documentation, including privacy policies, risk assessments, training records, and audit logs, for six years from the date of creation or last effective date. Medicare providers must keep records for seven years from the date of service. Medical records themselves fall under state law, with retention periods typically ranging from five to ten years.
Financial services, government contractors, and businesses that handle payment card data under PCI DSS all face their own requirements for backup and recovery documentation. Even if your industry isn’t heavily regulated, tax records generally need to be kept for at least three to seven years depending on the type of filing. Build these timelines into your backup retention policies so you’re not scrambling to produce records during an audit or legal dispute.
Document Your Backup Plan
Write down what gets backed up, where the backups are stored, how often they run, who is responsible for monitoring them, and the step-by-step process for restoring data. This document should be accessible to more than one person. If the only employee who knows how your backups work is unavailable during a crisis, the backups might as well not exist.
Include login credentials for backup services (stored securely), contact information for your backup vendor or managed service provider, and the priority order for restoring systems. A clear, written plan turns a chaotic emergency into a manageable process. Review and update it at least once a year, or whenever you add new systems, change providers, or adjust your backup schedule.

