The 3-2-1 Backup Strategy: How Not to Lose Your Data

NeoBit team · Jun 15, 2026 · 10 min read

The 3-2-1 backup strategy means you always keep at least three copies of your data, on two different types of media, with one copy stored at a separate (offsite) location. It is a proven rule that simultaneously protects a company from disk failure, human error, equipment theft and ransomware, because no single incident can destroy every copy at once.

Data loss rarely announces itself. A disk fails in the middle of the workday, an employee accidentally deletes a shared folder, or ransomware encrypts an entire network drive over the weekend. Companies in Mostar and across the region most often realize how much their data is worth only once it is gone. A solid backup strategy is not a luxury reserved for large corporations, but basic hygiene for any serious business, from an accounting office to a manufacturing firm.

What the 3-2-1 rule actually means

The 3-2-1 rule was designed to be easy to remember while still covering the most common data-loss scenarios. It consists of three numerical requirements:

  • 3 copies of the data - the original data you work on plus at least two backup copies. If one copy fails, you still have two in reserve.
  • 2 different types of media - the copies must not reside on the same type of storage. For example, one on the server's internal disk and another on a NAS device or in the cloud. This prevents the same fault (such as a firmware bug or a bad batch of disks) from affecting every copy.
  • 1 copy offsite - at least one copy must be physically separated from the office. This can be a cloud backup or a disk in another building. That way a fire, flood, theft or power surge cannot destroy everything at once.

The strength of this approach lies in the fact that it separates risks. A single disk may fail, but the chance that the local and the offsite backup fail at the same time is negligibly small, provided they are truly independent.

A practical example for a small business

Imagine an accounting office in Mostar with a dozen computers and a single server. A practical application of the 3-2-1 rule looks like this: the original data resides on the server (copy 1), an automatic nightly copy goes to a separate NAS device in the server room (copy 2, a second medium), and a third copy is synchronized every night to the cloud with a trusted provider (copy 3, offsite). If the server fails, the data is restored from the NAS. If a fire breaks out in the office, the data is safe in the cloud.

Why 3-2-1 is still relevant in the ransomware era

Ransomware has changed the rules of the game. Modern attacks do not just encrypt working data; they deliberately seek out and delete accessible backups before triggering the encryption. That is why the classic 3-2-1 is today often extended into the so-called 3-2-1-1-0 rule:

  • +1 isolated or immutable copy - at least one copy must be offline (air-gapped) or immutable, so that an attacker cannot delete or encrypt it even with administrative privileges.
  • 0 errors during recovery - a backup is only as good as its last successful restore. Recovery must be tested regularly until it runs without errors.

It is precisely the immutable copy that distinguishes a company that survives a ransomware attack from one that pays the ransom or loses its data forever. If an attacker gains domain administrator access, everything that is online and accessible can be compromised, except for whatever is technically impossible to alter.

Types of media and their advantages

The choice of backup media depends on the size of the company, the volume of data and the budget. Here is an overview of the most common options:

  • External disk / USB. Advantages: cheap, simple, fast for small volumes. Disadvantages: easily lost, prone to mechanical failure, easily wiped by ransomware if permanently connected. Best for: very small businesses, an extra offline copy.
  • NAS device. Advantages: centralized, automated, RAID redundancy. Disadvantages: located in the same premises, exposed to theft and fire. Best for: a local second copy.
  • Cloud backup. Advantages: offsite by definition, scalable, accessible from anywhere. Disadvantages: dependent on the internet, monthly cost, requires encryption. Best for: an offsite copy, fast recovery.
  • Tape backups (LTO). Advantages: cheap per GB at large volumes, easy to keep offline. Disadvantages: slow recovery, requires dedicated hardware and maintenance. Best for: large archival data, long-term retention.

The key is to combine at least two types of media with different risk profiles. Two external disks from the same batch are not two types of media, but two identical copies sharing the same weakness.
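As an added example that is not part of the original article, the following script turns the 3-2-1-1-0 rule and the media-independence point above into an audit over a small inventory of copies. The record fields, the site name and the 180-day limit for a restore test are assumptions; the sample inventory is the accounting-office scenario, constructed here.

```python
from datetime import date

SITE = "office-mostar"   # assumed primary location; anything elsewhere is offsite

def audit_32110(copies, site=SITE, today=date(2026, 6, 15), max_test_age_days=180):
    """Check copy records against 3-2-1-1-0 and return the failed requirements
    (an empty list means compliant). Record fields (a constructed schema, not
    any product's format): medium, location, online, immutable,
    last_restore_test (date or None), restore_errors."""
    findings = []
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies, at least 3 needed")
    # Two disks of the same kind are one media type, not two.
    media = {c["medium"] for c in copies}
    if len(media) < 2:
        findings.append(f"2: every copy is on the same media type ({', '.join(sorted(media))})")
    if not any(c["location"] != site for c in copies):
        findings.append(f"1: no copy stored outside {site}")
    # A copy that is online and deletable by an administrator is reachable by
    # ransomware running with those rights; only offline or immutable copies count.
    if not any(c["immutable"] or not c["online"] for c in copies):
        findings.append("+1: no offline (air-gapped) or immutable copy")
    recent_clean = [
        c for c in copies
        if c["last_restore_test"] is not None
        and c["restore_errors"] == 0
        and (today - c["last_restore_test"]).days <= max_test_age_days
    ]
    if not recent_clean:
        findings.append(f"0: no error-free restore test in the last {max_test_age_days} days")
    return findings

def sample_copies(cloud_immutable, tested):
    """Constructed inventory for the accounting-office example in the article:
    server disk + NAS in the server room + nightly cloud copy."""
    return [
        {"medium": "internal-disk", "location": SITE, "online": True, "immutable": False,
         "last_restore_test": None, "restore_errors": None},
        {"medium": "nas", "location": SITE, "online": True, "immutable": False,
         "last_restore_test": date(2026, 3, 2) if tested else None, "restore_errors": 0},
        {"medium": "cloud", "location": "provider-region-eu", "online": True,
         "immutable": cloud_immutable,
         "last_restore_test": date(2026, 5, 20) if tested else None, "restore_errors": 0},
    ]

if __name__ == "__main__":
    for f in audit_32110(sample_copies(cloud_immutable=False, tested=False)):
        print("FAIL", f)
```

The plain 3-2-1 layout from the accounting-office example passes the first three checks but fails the two extensions until the cloud copy is made immutable and a restore has been tested.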

How often to back up: RPO and RTO

Two concepts determine how often you need to make copies and how quickly you must recover:

RPO - how much data you can afford to lose

RPO (Recovery Point Objective) tells you how far back in time you can afford to "fall back" to. If you back up once a day, your RPO is up to 24 hours, which means that in the worst case you lose a full day of work. For a company that enters orders every few minutes, losing an entire day may be unacceptable, so it moves to more frequent or continuous copies.

RTO - how quickly you must be operational again

RTO (Recovery Time Objective) tells you how long the company can endure without its systems. If the sales system must be restored within two hours, the backup solution must make a recovery that fast possible, which often means a local copy for speed alongside an offsite copy for safety.

Defining RPO and RTO per system helps you avoid spending the same amount of resources on critical and on unimportant data. This is a typical part of the resilience analysis we carry out as part of a broader security review.

The most common backup mistakes

Even companies that have a backup often discover that it does not work just when they need it most. The most common mistakes in practice:

  • The backup is never tested. The copy exists, but no one has ever verified whether the system can actually be restored from it. Recovery must be tested regularly, not only at the moment of disaster.
  • All copies are online and accessible. If all backups are connected to the network, ransomware reaches them along with the original. An offline or immutable copy is required.
  • The backup is not encrypted. A stolen disk or a compromised cloud account means a data leak. Backups must be encrypted at rest.
  • There is no monitoring. The backup job quietly fails for weeks and no one notices until a recovery is needed. Alerts for failed copies are essential.
  • The wrong data is covered. Backups are made for server files, but not for data in SaaS applications (email, CRM), where many people mistakenly assume the provider automatically covers everything.
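The monitoring gap and the RPO idea from the section above can be checked with a few lines of detection logic over the backup job log. This is an added example, not code from the article: the log format, the job names and the RPO targets are constructed assumptions, and the SaaS mailbox job is listed without any log entries on purpose so that uncovered data also produces a finding.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a backup job log (not the output of any real product).
SAMPLE_LOG = """\
2026-06-13 02:10:44 job=srv-files status=success
2026-06-13 02:15:02 job=sales-db status=success
2026-06-14 02:10:51 job=srv-files status=success
2026-06-14 02:15:30 job=sales-db status=error msg="destination disk full"
2026-06-15 02:11:03 job=srv-files status=success
2026-06-15 02:15:12 job=sales-db status=error msg="destination disk full"
"""

# Assumed per-system RPO targets. 'm365-mailboxes' is listed deliberately:
# SaaS data that nobody configured a job for must show up as a finding.
RPO_TARGETS = {
    "srv-files": timedelta(hours=24),
    "sales-db": timedelta(hours=4),
    "m365-mailboxes": timedelta(hours=24),
}

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) job=(\S+) status=(\S+)")

def last_success(log_text):
    """Map job name -> timestamp of its most recent successful run."""
    latest = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip malformed lines instead of crashing
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        job, status = m.group(2), m.group(3)
        if status == "success" and ts > latest.get(job, datetime.min):
            latest[job] = ts
    return latest

def rpo_breaches(log_text, targets, now):
    """Return {job: reason} for every system whose newest good copy is older
    than its RPO target, or which has no successful run in the log at all."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    latest = last_success(log_text)
    breaches = {}
    for job, target in targets.items():
        if job not in latest:
            breaches[job] = "no successful backup in the log"
        elif now - latest[job] > target:
            hours = (now - latest[job]).total_seconds() / 3600
            breaches[job] = f"newest good copy is {hours:.1f}h old, RPO is {target}"
    return breaches

if __name__ == "__main__":
    for job, why in rpo_breaches(SAMPLE_LOG, RPO_TARGETS, "2026-06-15 09:00:00").items():
        print(f"ALERT {job}: {why}")
```

Run on the sample, the file-server job is fine, the sales database has silently failed for two nights and breaches its 4-hour RPO, and the mailbox job has never run.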

Versioning and retention: more than one copy in time

One of the most dangerous misconceptions is that it is enough to have the "latest" copy. The problem is that much damage is not noticed immediately. If a database is quietly corrupting over days, or if ransomware silently encrypts files before it is detected, your latest copy may already contain corrupted data. That is why a good backup strategy always keeps multiple versions over time.

In practice this means setting a retention policy, that is, how many daily, weekly and monthly copies you keep. A common and proven model looks like this:

  • Daily copies - kept for the last 7 to 14 days, for quickly reverting recent mistakes.
  • Weekly copies - kept for 4 to 8 weeks, for situations discovered with a delay.
  • Monthly copies - kept for 6 to 12 months, useful for legal obligations and long-term checks.

This gives you the ability to roll back to a point before the problem arose, rather than only to yesterday's state, which may already have been infected. For companies with accounting and tax obligations in Bosnia and Herzegovina, this kind of retention also helps with legal requirements for retaining business documentation.
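As an added example (not from the article), the function below applies the daily/weekly/monthly retention model described above to a list of snapshot dates and returns which to keep and which to prune. The counts 14/8/12 are assumptions chosen within the ranges given, and the year of nightly snapshots is constructed input.

```python
from datetime import date, timedelta

# Retention counts are assumptions chosen within the ranges in the article.
POLICY = {"daily": 14, "weekly": 8, "monthly": 12}

def select_retained(snapshots, policy=POLICY):
    """Return the set of snapshot dates to keep under a daily/weekly/monthly
    (grandfather-father-son) policy: the N newest snapshots as dailies, the
    newest snapshot of each of the N most recent ISO weeks as weeklies, and
    the newest snapshot of each of the N most recent calendar months."""
    snaps = sorted(set(snapshots), reverse=True)      # newest first
    keep = set(snaps[:policy["daily"]])
    for key_fn, limit in (
        (lambda d: tuple(d.isocalendar()[:2]), policy["weekly"]),   # (year, week)
        (lambda d: (d.year, d.month), policy["monthly"]),           # (year, month)
    ):
        periods = []
        for d in snaps:
            period = key_fn(d)
            if period in periods:
                continue                # already represented by a newer snapshot
            periods.append(period)
            if len(periods) > limit:
                break                   # enough periods covered; rest are pruned
            keep.add(d)
    return keep

def prune_plan(snapshots, policy=POLICY):
    """Split snapshots into (keep, delete), both sorted oldest first."""
    keep = select_retained(snapshots, policy)
    return sorted(keep), sorted(set(snapshots) - keep)

def sample_snapshots(last=date(2026, 6, 15), days=400):
    """Constructed input: one nightly snapshot per day ending on `last`."""
    return [last - timedelta(days=i) for i in range(days)]

if __name__ == "__main__":
    keep, delete = prune_plan(sample_snapshots())
    print(f"keep {len(keep)} snapshots, oldest {keep[0]}; delete {len(delete)}")
```

With these counts a year of nightly snapshots collapses to 29 retained points, and the oldest restorable state is about eleven months back rather than yesterday.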

A backup is not the same as replication or RAID

A common and costly mistake is to believe that a RAID array or cloud synchronization replaces a backup. These are different things with different purposes:

  • RAID protects against the failure of an individual disk, but it does not protect against deletion, ransomware or human error, because it faithfully writes all those changes to every disk.
  • Replication and synchronization (for example, a folder that is automatically mirrored) propagate errors instantly. If you delete or infect a file, it is deleted or infected on the other side as well.
  • A backup is a time-separated, independent copy from which you can return to a previous, correct state.

In other words, RAID and replication increase availability, but they do not replace a backup. A true backup must be separated in time and inaccessible to immediate overwriting.

How to fit backups into the company's broader security

A backup is the last line of defense, but not the only one. It delivers the best results when it is part of a broader resilience plan that includes access control, network segmentation, timely patching of vulnerabilities and incident monitoring. If you detect an attack in time, you may stop it before encryption even begins.

At NeoBit we help companies in Mostar and the region connect backups with the rest of their security strategy. Through our services and solutions we assess ransomware resilience, test whether a system can truly be restored, and help set up immutable copies. If you want a quick initial assessment of your exposure, fill in the pentest questionnaire, and for a concrete conversation about your situation get in touch via our contact page.

A short action plan

  • List which data is critical and where it resides (servers, computers, SaaS applications).
  • Set up three copies on two types of media, with one offsite copy.
  • Add at least one immutable or offline copy to protect against ransomware.
  • Encrypt the backup and enable alerts for failed copies.
  • Test recovery at least a few times a year and record the results.

A good backup strategy does not have to be expensive, but it must be well thought out and tested. The difference between a minor inconvenience and the closure of a company often comes down to exactly this: whether the last copy existed and whether the system could be restored from it.

Frequently asked questions

What if I do not have a server, only a few computers?

The 3-2-1 rule applies equally to small businesses. Important data from the computers can be copied to a single NAS or external disk (a second type of media) and additionally to the cloud (an offsite copy). Even for one or two users, a few hours of setup is enough to reduce the risk dramatically.

Isn't a cloud backup alone sufficient?

Cloud only means one copy on one medium, which is not 3-2-1. If the cloud account is compromised, you accidentally delete data, or the provider has an outage, you are left with nothing. The cloud is an excellent offsite copy, but it should be combined with a local copy for speed and independence.

How often should I test data recovery?

For most companies it is reasonable to test recovery at least two to four times a year, and always after a major system change. The test does not have to be a full recovery every time, since the goal is to confirm that the copies are not corrupted and that the recovery procedure actually works.

Does the 3-2-1 strategy protect against ransomware?

Yes, but only if at least one copy is not available for modification, meaning offline (air-gapped) or immutable. If all backups are permanently connected and accessible with administrative privileges, modern ransomware can delete them along with the original. That is why we recommend extending to the 3-2-1-1-0 rule.
