Backup Strategies for Small Businesses — The 3-2-1 Rule That Saves Companies

Most small businesses think they have backup. Until the day they actually need it.

An ordinary Tuesday that turns into a nightmare

Picture this: You arrive at the office on a Tuesday morning and every file is encrypted. A red screen demands $50,000 in Bitcoin to unlock them. Your accounting, customer database, project files — everything. You call your IT provider and ask about backup. It turns out the backup hasn't been working for three months. Nobody noticed.

This scenario plays out daily at small businesses across Sweden and worldwide. Ransomware attacks against small and medium-sized businesses increased by over 30 percent in 2025 according to multiple industry reports. And those are just the ones that get reported — the real numbers are much higher.

The 3-2-1 rule: Simple but vital

The 3-2-1 rule is the industry standard for backup and has survived for decades for one reason: it works. The principle is straightforward:

3 copies of your data

The original plus at least two copies. A single copy is not a backup — it's a snapshot that can vanish just like the original.

2 different storage media

For example, a local NAS and cloud storage. If both copies live on the same RAID array and the controller fails, you lose everything at once.

1 copy offsite

At least one copy must be physically separated — in the cloud or at another location. This protects against fire, theft, and ransomware that encrypts everything on the local network.

Many modern backup solutions add an extra zero: 3-2-1-0, where the zero means zero unverified backups. Every backup should be automatically tested and verified.

Veeam — the industry standard

We recommend Veeam Backup & Replication as the primary backup solution for most environments. Veeam is the market leader for good reasons: it supports physical servers, virtual environments (VMware, Hyper-V), Microsoft 365, and cloud infrastructure in a single solution. The restore capabilities are the best in the industry — you can recover everything from a single file to an entire server in minutes.

For small businesses, Veeam Backup & Replication Community Edition is free for up to 10 workloads. That goes a long way for a company with one server and Microsoft 365 backup needs.

Cloud vs local backup

It's not either/or — you need both. Local backup (to a NAS or external drive) gives you fast recovery. If an employee accidentally deletes a file, it can be back within seconds. Cloud backup (to services like Backblaze B2, Wasabi, or Azure Blob) provides the offsite protection that the 3-2-1 rule demands.

A common configuration we deploy: Veeam backs up to a local NAS every night and then replicates to cloud storage. The cloud portion usually costs SEK 200-500 per month for a typical small business — a negligible amount compared to the value of the data.

Ransomware without backup: the reality

Without working backup, a ransomware-hit business has three options: pay the ransom (with no guarantee it works), try to recreate data manually (weeks or months of work), or start over from scratch. According to IBM's Cost of a Data Breach Report 2025, it takes an average of 277 days to identify and contain a data breach. For a small business with 10 employees, that can mean hundreds of thousands of SEK in lost productivity — if the business survives at all.

Did you know?

According to Cybersecurity Ventures, 60 percent of small businesses shut down permanently within six months of a serious cyberattack. Backup is literally a matter of business survival.

Test your restores — regularly

The most dangerous backup is one that has never been tested. We see it regularly: the backup job reports green for months, but when someone actually tries to restore, the files are corrupt or the backup agent stopped working after an update.

Our recommendation: test a full restore at least once per quarter. Veeam has built-in features for automatic verification (SureBackup) that can run restore tests every night without manual effort. We configure this as standard for all our clients.
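
The restore test described above can be reduced to a repeatable check: record checksums at backup time, restore to a scratch location, and compare. The following is an added example, not Veeam's SureBackup and not code from this article; the function names, the 26-hour freshness window and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import time


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = digest.hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in restored)
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    # An empty manifest means the backup captured nothing, so it must not pass.
    ok = bool(manifest) and not missing and not corrupt
    return {"ok": ok, "missing": missing, "corrupt": corrupt}


def is_stale(last_success_epoch, max_age_hours=26, now=None):
    """True when the newest successful backup is older than the allowed window."""
    now = time.time() if now is None else now
    return (now - last_success_epoch) > max_age_hours * 3600


if __name__ == "__main__":
    import tempfile
    # Constructed sample data: a source tree and a restore with one damaged file.
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for name, data in {"ledger.csv": b"a,b\n1,2\n", "customers.db": b"rows"}.items():
            with open(os.path.join(src, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(src)
        with open(os.path.join(dst, "ledger.csv"), "wb") as fh:
            fh.write(b"a,b\n1,9\n")  # simulated corruption; customers.db is never restored
        print(verify_restore(manifest, dst))
        # A last success three months ago, as in the opening scenario, is flagged.
        print("stale:", is_stale(time.time() - 90 * 24 * 3600))
```

Store the manifest alongside the offsite copy rather than on the machine being backed up, so it is still available when the original is not.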

Checklist: Do you have working backup?

  • 3-2-1 rule — at least three copies, two media types, one offsite
  • Microsoft 365 backup — Microsoft does not guarantee they will restore your data
  • Automatic verification — the backup job should not just report green, it should be tested
  • Quarterly restore test — verify that you can actually restore a full server
  • Ransomware protection — immutable backups that cannot be encrypted

Unsure about your backup?

Book a security review. We test your backup, identify gaps, and deliver a concrete action plan.