The 3-2-1 Backup Rule — And Why Most Canadian Businesses Are Only Doing 1

There is a principle in data protection that professional IT teams consider table stakes: the 3-2-1 rule. The majority of Canadian small and medium-sized businesses are not following it.

What the 3-2-1 Rule Means

  • 3 copies of your data — the original plus two backups
  • 2 different storage media types — not two services from the same parent company
  • 1 copy offsite — physically and logically separated from your primary location

The logic is straightforward: no single event can reach all three copies at once.

What Most Canadian Businesses Actually Have

The “we have Dropbox” scenario: Sync services mirror your primary storage in real time. When ransomware encrypts your files, the sync pushes encrypted versions to the cloud within minutes. Sync is not backup.

The external hard drive scenario: The drive is in the same building. If it is connected, ransomware reaches it. If it sits in a drawer, it hasn’t been tested for restore in months or years.

The “our IT person handles it” scenario: When was the last time a full restore was actually tested? Backup confirmation and backup recovery are not the same thing.
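A restore drill makes the difference between confirmation and recovery concrete. The script below is an added example, not from the original article: it restores an archive into a scratch directory and compares every file against SHA-256 hashes recorded at backup time. The function names, file names and sample data are constructed for illustration, and a plain tar archive is assumed.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def restore_drill(archive: Path, expected: dict) -> dict:
    """Restore archive into a scratch directory and compare it with the manifest."""
    result = {"readable": True, "missing": [], "corrupt": []}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        try:
            with tarfile.open(archive) as tar:
                for member in tar:
                    dest = (root / member.name).resolve()
                    if not member.isfile() or root not in dest.parents:
                        continue  # regular files only, never outside scratch
                    dest.parent.mkdir(parents=True, exist_ok=True)
                    dest.write_bytes(tar.extractfile(member).read())
        except (tarfile.TarError, EOFError, OSError):
            result["readable"] = False  # the job may have reported success anyway
        restored = manifest(root)
    result["missing"] = sorted(set(expected) - set(restored))
    result["corrupt"] = sorted(f for f in set(expected) & set(restored)
                               if restored[f] != expected[f])
    return result

def demo() -> tuple:
    """Constructed sample: one complete archive, one with a skipped and a truncated file."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "live")
        src.mkdir()
        for name, body in [("clients.db", "constructed sample"), ("notes.txt", "restore me")]:
            (src / name).write_text(body)
        expected = manifest(src)  # hashes recorded at backup time
        good, bad = Path(work, "good.tar"), Path(work, "bad.tar")
        with tarfile.open(good, "w") as tar:
            for name in expected:
                tar.add(src / name, arcname=name)
        (src / "notes.txt").write_text("rest")  # simulate a truncated copy
        with tarfile.open(bad, "w") as tar:
            tar.add(src / "notes.txt", arcname="notes.txt")  # clients.db silently skipped
        return restore_drill(good, expected), restore_drill(bad, expected)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Both archives in the sample were written without error; only the restore comparison shows that the second one cannot bring back the original data.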

Why the Offsite Copy Is the One Everyone Skips

The offsite copy protects against ransomware, fire, water damage, theft, and power surge — simultaneously. An offsite backup on infrastructure you don’t manage, in a location physically separated from your office, is protected against all of these at once.

The Canadian Layer

True offsite, in the Canadian context, means storage physically located in Canada, owned by a Canadian-incorporated entity, governed exclusively by Canadian law. Data backed up to US-owned cloud infrastructure is subject to the US CLOUD Act regardless of where the servers physically sit.

The third copy — the offsite, Canadian, immutable backup — is what most Canadian businesses are missing. It is the one that determines whether a serious incident is recoverable in hours or catastrophic over weeks.