Infrastructure
Data backup: what good actually looks like
The 3-2-1-1-0 rule, RPO and RTO in plain English, and what to test before you call your backup a backup.
Most “backups” we audit fail in the same way: they exist, they run, and nobody has ever restored from them. A backup you have not tested is a hope.
The 3-2-1-1-0 rule
- 3 copies of data.
- 2 different media.
- 1 off-site copy.
- 1 immutable copy (ransomware-proof).
- 0 errors after a verified restore test.
The original 3-2-1 rule still works, but immutable and verified are the two additions worth taking seriously now.
RPO and RTO, simply
- RPO (Recovery Point Objective): how much data you can afford to lose, measured in time. “We can lose at most 1 hour of orders” → RPO = 1 hour.
- RTO (Recovery Time Objective): how fast you must be back. “Sales must work within 4 hours” → RTO = 4 hours.
These are business decisions, not IT decisions. Set them per system, write them down, then design the backups to meet them.
A working example
For a typical mid-sized company:
- Email & files (Microsoft 365): back up with Veeam M365 or a comparable product. RPO 24h, RTO 4h.
- Line-of-business app: application-aware snapshot every 4h, immutable copy daily, restore tested quarterly.
- Critical database: transaction-log backup every 15 minutes, full nightly, geo-redundant copy.
Test cadence
- Every month: automated restore test of one random VM.
- Every quarter: restore the line-of-business database into an isolated environment.
- Every year: a full DR exercise that pretends a site is gone.
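The checks above can be automated. The following is an added example, not part of the original article: an audit function that tests one system's backup inventory against the 3-2-1-1-0 rule, its RPO and RTO, and its restore-test cadence. The record layout, function names and sample data are constructed; only the Microsoft 365 figures (RPO 24h, RTO 4h) come from the text.

```python
from datetime import datetime, timedelta

def audit(policy, copies, restore, now):
    """Findings for one system: 3-2-1-1-0, RPO, RTO and restore-test cadence."""
    out = []
    if len(copies) < 3:
        out.append("fewer than 3 copies")
    if len({c["media"] for c in copies}) < 2:
        out.append("fewer than 2 media")
    if not any(c["offsite"] for c in copies):
        out.append("no off-site copy")
    if not any(c["immutable"] for c in copies):
        out.append("no immutable copy")
    # RPO: age of the newest restore point (the production copy has backup_at=None).
    points = [c["backup_at"] for c in copies if c["backup_at"]]
    if not points or now - max(points) > policy["rpo"]:
        out.append("RPO exceeded")
    # The "0", the RTO and the cadence can only be judged from a real restore.
    if restore is None:
        return out + ["never restored"]
    if restore["errors"]:
        out.append("restore test had errors")
    if restore["took"] > policy["rto"]:
        out.append("RTO exceeded in restore test")
    if now - restore["at"] > policy["test_every"]:
        out.append("restore test overdue")
    return out

def mk_copy(media, offsite=False, immutable=False, backup_at=None):
    return {"media": media, "offsite": offsite, "immutable": immutable, "backup_at": backup_at}

# Constructed sample data. M365 RPO/RTO are the article's figures; the database
# RPO (its 15-minute log interval), its RTO and both cadences are assumptions.
NOW = datetime(2024, 6, 1, 12, 0)
H = timedelta(hours=1)
M365 = {"rpo": 24 * H, "rto": 4 * H, "test_every": timedelta(days=31)}
DB = {"rpo": H / 4, "rto": 4 * H, "test_every": timedelta(days=92)}

m365_copies = [mk_copy("saas"), mk_copy("disk", backup_at=NOW - 6 * H),
               mk_copy("object", offsite=True, immutable=True, backup_at=NOW - 20 * H)]
m365_restore = {"at": NOW - timedelta(days=10), "took": 3 * H, "errors": 0}

# Database: log backups stalled 2h ago, both copies on on-site disk, never restored.
db_copies = [mk_copy("disk"), mk_copy("disk", backup_at=NOW - 2 * H)]

if __name__ == "__main__":
    print("M365:", audit(M365, m365_copies, m365_restore, NOW) or "OK")
    print("DB:  ", audit(DB, db_copies, None, NOW))
```

The database case shows the failure described at the top of the article: backup jobs exist, but without a restore record neither the RTO nor the "0 errors" condition can be confirmed.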
If you do not have the time or the appetite, we run these tests for clients on a calendar — and we tell you the truth when something fails.