What 3-2-1 actually means
The rule came out of the photography world in the 2000s and stuck. Three numbers:
- 3 copies of your data — the live production copy plus two backups
- 2 different media or storage types — so a single failure mode (bad disk, bad vendor, bad configuration) doesn't wipe them all out
- 1 copy off-site — physically separated from your main location
It's deliberately simple because it has to survive being remembered by a small-business owner at 11pm the night ransomware hits.
Why 3-2-1-1-0 is the modern version
Ransomware changed the threat model. Attackers now specifically hunt down backup consoles. The updated rule adds two more numbers:
- 1 immutable (or offline) copy — a copy that ransomware cannot encrypt or delete, even with stolen admin credentials. Object-lock storage, immutable cloud, or a genuinely air-gapped tape. The lock period matters as much as the lock: if it is shorter than the time an attacker typically sits in your network before triggering, the clean copies expire before you know you need them.
- 0 errors — the last scheduled test-restore completed with zero errors. Unverified backups are assumptions.
The Microsoft Learn Azure Backup overview documents immutable vaults and soft-delete semantics that support this pattern for cloud workloads.
Applying 3-2-1 to Microsoft 365
This is where most UK SMEs get caught out. OneDrive, SharePoint and Exchange Online all have recycle bins, version history and retention policies; none of that is a backup. If a user, an admin, an attacker or a badly scripted sync wipes a library, the SharePoint and OneDrive recycle bins keep the deleted items for 93 days in total (first and second stage combined) and then they are gone for good, and Exchange Online's deleted-item recovery window is 14 days by default. A retention policy can hold items longer, but it lives inside the same tenant, under the same admin credentials an attacker has just stolen, it was designed for compliance holds rather than bulk recovery, and anything outside its scope (a site or mailbox the policy excludes) is not held at all.
A compliant 3-2-1 for Microsoft 365 looks like this:
- Copy 1 — production data in Microsoft 365
- Copy 2 — daily third-party backup (Keepit, Barracuda, Datto, Veeam for M365, SkyKick) held outside the tenant
- Copy 3 — weekly offsite archive held by the backup vendor in a second region, with immutability switched on
Third-party M365 backup usually costs £2–£4 per user per month and is the cheapest insurance you can buy against accidental deletion, departed-staff mailbox loss and ransomware propagating through OneDrive sync.
Applying 3-2-1 to on-premises servers
If you still run a physical or virtual server (line-of-business app, CAD, accounting):
- Copy 1 — live VM/physical
- Copy 2 — on-site backup appliance or NAS with image-level snapshots
- Copy 3 — replicated to cloud with immutable storage
Recovery point objective (RPO) — how much data you can afford to lose — usually 1 hour for critical systems. Recovery time objective (RTO) — how long you can afford to be down — usually 4 hours. Those two numbers should be in the written service agreement, not left implied. Two practical checks: an RPO of 1 hour is only real if a backup actually succeeds at least hourly (a failed run does not move the recovery point), and the RTO has to include the time to pull the immutable or offline copy back, not just the restore itself.
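The five numbers can be scored mechanically over an inventory of copies. The checker below is an added example, not code from the original article or from any backup product; the Copy fields, the generic "backup-vendor" name and the two sample inventories (the Microsoft 365 layout described above, and an in-house server layout that looks like 3-2-1 but is not 3-2-1-1-0) are constructed for illustration. Beyond the five numbers it also flags two items from the common-mistakes list: every copy under one vendor, and an "offsite" copy that a compromised admin could still delete.

```python
"""Score a copy inventory against 3-2-1-1-0.

Added example, not code from the original article. The Copy fields and
the two sample inventories are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Copy:
    name: str
    media: str             # storage platform: "m365", "vendor-cloud", "nas", "tape" ...
    vendor: str            # who operates the copy (a vendor fault must not hit every copy)
    offsite: bool          # physically separate from the main site
    immutable: bool        # object-locked: not deletable inside the lock period, even by an admin
    offline: bool = False  # air-gapped (tape in a safe); counts like immutable


def evaluate_32110(copies: List[Copy], last_test_errors: Optional[int]) -> dict:
    """One pass/fail verdict per number. last_test_errors is the error count
    of the most recent test restore, or None if one has never been run
    (treated as a fail: an unverified backup is an assumption)."""
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.media for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_immutable_or_offline": any(c.immutable or c.offline for c in copies),
        "0_errors": last_test_errors == 0,
    }


def findings(copies: List[Copy], last_test_errors: Optional[int]) -> List[str]:
    """FAIL lines for each broken number, then WARN lines for the
    common-mistake patterns the verdict alone would not surface."""
    out = [f"FAIL {k}" for k, ok in evaluate_32110(copies, last_test_errors).items() if not ok]
    if len(copies) >= 2 and len({c.vendor for c in copies}) == 1:
        out.append("WARN single vendor holds every copy")
    for c in copies:
        if c.offsite and not (c.immutable or c.offline):
            out.append(f"WARN offsite copy '{c.name}' is deletable by a compromised admin")
    return out


# The Microsoft 365 layout described above ("backup-vendor" is a placeholder name).
M365_LAYOUT = [
    Copy("Production tenant", "m365", "Microsoft", offsite=False, immutable=False),
    Copy("Daily vendor backup", "vendor-cloud", "backup-vendor", offsite=True, immutable=False),
    Copy("Weekly archive, second region", "vendor-cloud", "backup-vendor", offsite=True, immutable=True),
]

# A constructed in-house layout: three copies on three media, one offsite,
# but nothing immutable, one operator for everything, and never test-restored.
INHOUSE_LAYOUT = [
    Copy("Live VM", "hypervisor", "in-house", offsite=False, immutable=False),
    Copy("NAS snapshots", "nas", "in-house", offsite=False, immutable=False),
    Copy("Cloud replica", "cloud", "in-house", offsite=True, immutable=False),
]

if __name__ == "__main__":
    for label, layout, errs in (("M365", M365_LAYOUT, 0), ("In-house", INHOUSE_LAYOUT, None)):
        print(label, findings(layout, errs) or ["PASS"])
```

Run as-is, the M365 layout passes all five numbers but still gets a warning because the daily copy is not locked; the in-house layout fails the immutable and zero-errors checks and trips both warnings. Feed it your own inventory and the output is the list of findings for the next service review.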
Laptops — the awkward case
Most MSPs don't back up laptops, on the theory that "everything's in OneDrive". If your users actually save to OneDrive, that's fine. If they save to the desktop, to random local folders, or run Outlook with a local PST, you've got a gap. Enforcing OneDrive Known Folder Move via Intune closes most of it: Desktop, Documents and Pictures are redirected into OneDrive without the user doing anything. It does not cover files saved elsewhere on the local disk, and Microsoft advises against keeping a PST in a synced folder, so PSTs should be imported into the mailbox (where the Microsoft 365 backup then covers them) rather than left on the laptop.
Test-restore cadence
A backup that hasn't been restored is a guess. Target cadence:
- Microsoft 365 — monthly test restore of one mailbox + one SharePoint library, documented
- Servers — quarterly bare-metal or instant-VM test restore to an isolated environment
- Annually — a full DR drill with at least one critical workload
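The cadence above, and the RPO from the server section, can both be checked from the job history your backup product exports rather than from memory. The script below is an added example, not code from the original article or from any vendor; the one-line job format, the sample export, the fixed "now" and the per-workload targets are constructed, so map your own product's job history onto the same fields. The point it demonstrates is that the recovery point moves only on a successful backup, and that the "0" in 3-2-1-1-0 is the error count of the last test restore, not the fact that one happened.

```python
"""Measure achieved RPO and test-restore cadence from a backup job export.

Added example, not code from the original article. The line format, the
sample export, NOW and the targets are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<job>backup|restore-test) workload=(?P<wl>\S+) "
    r"status=(?P<status>\S+) errors=(?P<errors>\d+)$"
)

# Constructed export: a file server backed up hourly (the 04:00 run failed)
# and an M365 tenant backed up daily, plus the most recent test restores.
SAMPLE_LOG = """\
2024-06-10T02:00:05Z backup workload=FILESRV01 status=success errors=0
2024-06-10T03:00:04Z backup workload=FILESRV01 status=success errors=0
2024-06-10T04:00:09Z backup workload=FILESRV01 status=failed errors=3
2024-06-10T01:15:00Z backup workload=M365-TENANT status=success errors=0
2024-05-14T09:00:00Z restore-test workload=M365-TENANT status=success errors=0
2024-03-02T10:00:00Z restore-test workload=FILESRV01 status=success errors=2
"""
NOW = datetime(2024, 6, 10, 4, 30, tzinfo=timezone.utc)  # fixed "now" for the sample

# Targets from the written service agreement: RPO, plus the test cadence
# recommended above (servers quarterly, Microsoft 365 monthly).
TARGETS = {
    "FILESRV01": {"rpo": timedelta(hours=1), "test_every_days": 90},
    "M365-TENANT": {"rpo": timedelta(hours=24), "test_every_days": 30},
}


def parse(log):
    """Turn job lines into dicts; lines that do not match are ignored."""
    jobs = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            jobs.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                "job": m["job"], "wl": m["wl"],
                "ok": m["status"] == "success", "errors": int(m["errors"]),
            })
    return jobs


def assess(log, now):
    """Per workload: RPO measured from the last *successful* backup (a failed
    run does not move the recovery point), whether the last test restore is
    inside cadence, and whether it finished with zero errors."""
    jobs = parse(log)
    report = {}
    for wl, t in TARGETS.items():
        mine = [j for j in jobs if j["wl"] == wl]
        good = [j["ts"] for j in mine if j["job"] == "backup" and j["ok"]]
        tests = sorted((j for j in mine if j["job"] == "restore-test"), key=lambda j: j["ts"])
        rpo = now - max(good) if good else None
        last = tests[-1] if tests else None
        report[wl] = {
            "actual_rpo_hours": None if rpo is None else round(rpo.total_seconds() / 3600, 2),
            "rpo_met": rpo is not None and rpo <= t["rpo"],
            "test_in_cadence": last is not None and (now - last["ts"]).days <= t["test_every_days"],
            "zero_errors": last is not None and last["ok"] and last["errors"] == 0,
        }
    return report


def assess_sample():
    return assess(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    for wl, r in assess_sample().items():
        print(wl, r)
```

On the sample, FILESRV01 shows an achieved RPO of 1.5 hours against a 1-hour target (the 04:00 job failed, so the 03:00 copy is the recovery point), a test restore 99 days old against a quarterly cadence, and two errors on that test, so it fails all three; the tenant passes all three. A naive "last job ran 30 minutes ago" check would have reported the server as fine.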
Common mistakes
- Backup admin credentials stored in the production AD — ransomware gets both
- Same vendor for primary storage and backup (one fault = total loss)
- No immutability — "offsite" cloud backups are still deletable by a compromised admin
- Retention of 14 days — attackers often dwell for weeks before triggering
- Never tested — the first restore happens under pressure, in an incident
We build 3-2-1-1-0 into every backup and disaster recovery contract we write, with a monthly restore report you can show an auditor.
FAQ
Is OneDrive a backup?
No. OneDrive and SharePoint are sync services. Delete a file and the deletion propagates everywhere. The recycle bin keeps deleted items for 93 days and then they are gone; a retention policy can keep them longer, but it still sits inside the tenant, under the same admin credentials an attacker would use. A proper third-party backup keeps versioned copies outside your tenant.
How long should backups be kept?
For most UK SMEs, seven years for financial and client records is the usual rule of thumb: HMRC's statutory minimum for company records is six years from the end of the accounting period, and regulated firms such as SRA practices have their own file-retention rules on top. Note that the ICO pulls the other way: under the storage-limitation principle, personal data sitting in seven-year backups needs a documented reason to be kept that long. Alongside the long-term archive, keep 30 days of frequent operational snapshots for fast restores.
Does the 3-2-1 rule still apply in a cloud-only business?
Yes. Even if you have no on-premises server, you still need three copies, two media (Microsoft 365 plus a third-party backup vendor), and one off-site copy held outside the Microsoft tenant.
What does a 3-2-1 setup cost?
Third-party M365 backup: £2–£4/user/month. Server backup with immutable cloud replication: £50–£150 per server per month depending on storage volume. Far cheaper than a single ransomware incident.