
The 3-2-1 backup rule: from theory to practice in SMEs

22 November 2023 · 2 min read

Three copies, two different media, one offsite. A thirty-year-old rule still ignored by too many Italian businesses. Here is how we actually deploy it on site.

In the last two years we walked into three clients after a ransomware hit. In two out of three the backup existed. In zero out of three it was usable. The 3-2-1 rule is one of the best-known in IT — and one of the least applied. Worth revisiting with concrete numbers.

What 3-2-1 actually means

  • 3 copies: the original plus at least two backups.
  • 2 different media: not "two disks in the same NAS". Different types — disk, tape, cloud — because failure modes are different.
  • 1 offsite copy: physically far from the office. A flood or a burglary should not reach it.

The modern version adds a 0: zero untested backups. A backup you have never restored is not a backup, it is a wish.

How we deploy it for a 15-person studio

The standard layout for our typical clients (professional studio, small production company, creative agency) is:

  • Copy 1 — production: working data on a Synology NAS in RAID 6 or SHR-2.
  • Copy 2 — local: Btrfs snapshots on the NAS plus a daily backup to a second NAS in another room, ideally on a different power circuit.
  • Copy 3 — offsite: encrypted Hyper Backup to Backblaze B2 or Wasabi. For larger setups we add a third target on LTO-9 tape.

What it really costs

For a studio with 6 TB of active data, in 2024:

  • Primary Synology NAS + disks: ~€3,500
  • Secondary local NAS: ~€2,200
  • B2 cloud at €6/TB/month: ~€430/year
  • Setup, automation and yearly test: ~€1,800 one-off

First year below €9,000. The cost of not having it, after a cryptolocker, starts at €50,000 and grows fast.

The mistakes we see most

  • Backup on the same NAS: if the NAS dies or gets encrypted, every copy dies with it.
  • Cloud with the network admin password: if the attacker owns AD, they own the cloud too.
  • No restore test: at least once a year you must do a real restore to a clean machine. Always.
  • No immutability: backups must land on storage that prevents overwrite for N days (Object Lock, Synology WriteOnce).
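The rule above and the four mistakes in this list can be turned into a policy check over an inventory of copies. The following is an added example written for this article, not a tool we ship: the inventory format, the field names and the two sample inventories (the studio layout from above and a "backup share on the same NAS" setup) are constructed for illustration, and the one-year test window is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class BackupCopy:
    name: str
    host: str                       # device holding the copy; same host = same failure domain
    medium: str                     # "disk", "tape" or "cloud"
    offsite: bool
    immutable_days: int = 0         # Object Lock / WriteOnce retention in days; 0 = none
    ad_admin_creds: bool = False    # copy is deletable with the network admin password
    last_restore_test: Optional[date] = None
    production: bool = False

def audit_3210(copies, today, max_test_age_days=365):
    """Return violations of the 3-2-1-0 rule and the common mistakes; [] means compliant."""
    problems = []
    prod_hosts = {c.host for c in copies if c.production}
    backups = [c for c in copies if not c.production]
    if len(copies) < 3:                                   # 3 copies
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c.medium for c in copies}) < 2:               # 2 different media
        problems.append("all copies on one medium type")
    if not any(c.offsite for c in backups):               # 1 offsite
        problems.append("no offsite copy")
    for b in backups:
        if b.host in prod_hosts:                          # backup on the same NAS
            problems.append(f"{b.name}: same host as production")
        if b.ad_admin_creds:                              # cloud with the admin password
            problems.append(f"{b.name}: deletable with network admin credentials")
        if b.immutable_days <= 0:                         # no immutability
            problems.append(f"{b.name}: no immutability")
        if b.last_restore_test is None or (today - b.last_restore_test).days > max_test_age_days:
            problems.append(f"{b.name}: untested (0 untested backups)")   # no restore test
    return problems

# Constructed sample matching the studio layout described above
STUDIO = [
    BackupCopy("production NAS", "nas1", "disk", False, production=True),
    BackupCopy("second NAS", "nas2", "disk", False, immutable_days=14, last_restore_test=date(2024, 3, 1)),
    BackupCopy("B2 Hyper Backup", "b2", "cloud", True, immutable_days=30, last_restore_test=date(2024, 3, 1)),
]
# Constructed sample of the "backup share on the same NAS, never tested" anti-pattern
BAD = [
    BackupCopy("production NAS", "nas1", "disk", False, production=True),
    BackupCopy("backup share", "nas1", "disk", False, ad_admin_creds=True),
]

if __name__ == "__main__":
    for label, inventory in (("studio", STUDIO), ("bad", BAD)):
        print(label, audit_3210(inventory, date(2024, 6, 1)) or ["compliant"])
```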

The 5-minute check

If you are a business owner and you are unsure, ask three questions: where are my backups, who can delete them, and when did we last test them? If even one answer is missing, time to call someone. No panic — but no procrastination either.