The 3-2-1 backup rule was first articulated by photographer Peter Krogh in 2005 and has survived every storage technology revolution since. The rule states: keep 3 copies of your data, on 2 different media types, with 1 copy off-site. It is the lowest-bar standard that any business holding important data should meet. Most Dubai SMBs we audit at the start of an engagement fail at least one part of it. This guide walks through what 3-2-1 actually means in practice for a 2026 Dubai business, and the stricter 3-2-1-1-0 variant that makes the strategy ransomware-resistant.
What 3-2-1 actually means
- 3 copies - your original (live working data) plus 2 backups. Not 1 backup, not the same file copied twice to the same drive. Three independent copies.
- 2 different media - the backups must be on different kinds of storage. NAS plus cloud is two media. Two external drives is one media. The point is that one technology failure (drive controller bug, ransomware targeting NAS protocols) does not take both copies.
- 1 off-site - one copy lives physically away from the office. Fire and theft are the use cases. Off-site can mean a colleague's house, a second branch, a cloud bucket or a safe deposit box.
What 3-2-1-1-0 adds
The 3-2-1-1-0 variant became the new standard after ransomware (LockBit, BlackCat, REvil, WannaCry) started specifically targeting backup repositories. The extra digits stand for:
- Extra 1 - one copy is offline or immutable. Air-gapped USB, write-once cloud (S3 Object Lock, Backblaze B2 Object Lock), or tape. Ransomware cannot encrypt what it cannot reach.
- 0 - zero errors after restore verification. You actually test restoring and confirm bit-perfect recovery.
Dubai ransomware reality
We have rescued Dubai businesses hit by LockBit, BlackCat and lesser-known ransomware variants every quarter for the last three years. In every single case the attackers had located and encrypted the connected backup target before triggering the main encryption. 3-2-1 alone does not stop this; 3-2-1-1-0 with an immutable copy does.
A real 3-2-1-1-0 setup for a Dubai SMB
Here is the exact stack we deploy for a 10-30 person Dubai SMB that needs ransomware-resistant backup without enterprise pricing:
| Copy | Where | Media type | Immutable? |
|---|---|---|---|
| Copy 1 (live) | Macs and PCs in the office | Local SSD | No - working data |
| Copy 2 | Synology DS923+ in the office, SHR-2 | Spinning NAS drives | Snapshots immutable for 30 days |
| Copy 3 | Backblaze B2 bucket with Object Lock | Cloud object storage | Yes - 60-day immutable |
| Copy 4 (the extra 1) | External USB drive rotated weekly, stored off-site | USB drive | Yes - offline when stored |
| Verification (the 0) | Monthly restore test of 10 random files | n/a | Documented in AMC log |
Real 3-2-1-1-0 stack for a Dubai SMB
Tools we deploy in Dubai
- Synology Hyper Backup or QNAP HBS - the engine that pushes backups from NAS to cloud or external. Free with the NAS.
- Active Backup for Business (Synology) - free Windows endpoint, M365 and VM backup. AMC clients run this on every laptop.
- Time Machine over SMB - the Mac client-side backup, target is the office NAS. Free with macOS.
- Backblaze B2 with Object Lock - the off-site immutable copy. AED 0.073 per GB per month, restore costs are minimal inside region.
- Wasabi Hot Cloud - alternative to B2 with no egress fees, AED 0.092 per GB per month, popular with media businesses.
- Veeam Community Edition - free for up to 10 workloads, used where we need application-aware backup of SQL Server or Exchange.
- Tailscale - we use this for secure NAS-to-NAS replication between Dubai offices or to a director's home as the off-site copy.
What it costs in AED
| Component | One-time | Monthly |
|---|---|---|
| Synology DS923+ + 4 x 8 TB drives | AED 5,300 | - |
| Azizi NAS setup labour | From AED 500 | - |
| UPS (CyberPower 1500VA) | AED 750 | - |
| External USB drives x 2 (8 TB each, weekly rotation) | AED 1,400 | - |
| Backblaze B2 (estimated 1 TB) | - | AED 70-80 |
| Backup AMC (Azizi monitored) | - | From AED 300 |
| 5-year total | AED 7,950+ | AED 22,200 |
3-2-1-1-0 setup AED cost - 10-30 person Dubai SMB
Why most DIY 3-2-1 setups fail
- 1External drives stay plugged in - the moment ransomware lands, the 'off-site' drive encrypted with everything else. Off-site means physically disconnected.
- 2Cloud copy is not immutable - ransomware credentials get stolen along with everything else, attacker deletes the cloud backup. Immutability with Object Lock is non-negotiable.
- 3Backups never tested - we have audited Dubai businesses with 18-month-old Hyper Backup jobs that had silently failed for 14 months. Monthly restore test catches this.
- 4Backup credentials saved in the same place as the data - if your password manager is compromised along with your network, the attacker has your B2 keys too. Backup access creds should be in a separate vault or hardware token.
- 5No documentation - the IT person leaves and nobody knows the restore procedure. Every Azizi AMC client gets a one-page laminated restore runbook.
The Azizi NAS + Data Recovery combo
We are the only Dubai team that both designs and monitors your 3-2-1-1-0 backup, and runs the cleanroom recovery lab in Bur Dubai for when the backup fails. Backups do sometimes fail - drives get dropped, controllers burn out, snapshots corrupt. We handle the design and the rescue under one roof. See /data-recovery-dubai.
When to step up to 4-3-2
The 4-3-2 variant adds a fourth copy and a third media type, typically for regulated industries (healthcare under DHCC, financial services, law firms). It looks like 3-2-1-1-0 plus a tape backup or a second cloud bucket in a different region. For most Dubai SMBs this is overkill - 3-2-1-1-0 with monthly restore tests is enough. For DHCC clinics, DIFC law firms or any business with regulator-imposed retention requirements, 4-3-2 is worth the extra AED 200-400/month.
Documenting the strategy - the runbook
A 3-2-1 strategy that lives only in the head of one IT engineer is fragile. Every Azizi deployment ships with a written, laminated runbook that any team member can follow to perform a restore. The runbook covers the five most likely incident types - accidental deletion, drive failure, NAS-wide failure, ransomware event and fire or theft of the office - with a numbered procedure for each. We test the runbook quarterly by handing it to a team member who has never done a restore before. If they cannot follow it successfully, the runbook gets rewritten.
Common Dubai SMB backup mistakes we see
- Synology installed but Hyper Backup never configured - the NAS holds a working copy but no second copy exists.
- Cloud backup running but encryption key stored in the same M365 account the attacker compromised.
- External USB drive labelled 'backup' but actually been unplugged for 14 months because it kept ejecting itself.
- Backup job failure emails sent to an inbox nobody monitors - we have seen 18 months of silent failures.
- Off-site copy is 'the IT person's home laptop' - which has no redundancy of its own.
- Object Lock never enabled on Backblaze or AWS bucket - ransomware deleted everything in one credential leak.
Get your 3-2-1-1-0 backup designed by Dubai's only recovery-lab-equipped IT team
Free backup assessment - we measure data, audit current setup, design a 3-2-1-1-0 stack matched to your AED budget. From AED 800 for full business backup deployment. Plus the only Dubai team with a cleanroom recovery lab if disaster does strike.
Frequently asked questions
What does the 3-2-1 backup rule mean?
Keep 3 copies of your data, on 2 different media types, with 1 copy off-site. Three copies means the live original plus two backups. Two media means the backups live on different kinds of storage - NAS plus cloud, for instance, not two USB drives. One off-site means physically separated from the office for fire and theft protection. It is the minimum standard for any business holding important data.
What is 3-2-1-1-0 and why do I need it?
3-2-1-1-0 adds two refinements to the original rule: one copy must be offline or immutable (so ransomware cannot reach it), and verification with zero errors (you actually test restores). It became the new standard after ransomware variants like LockBit and BlackCat started specifically targeting backup repositories. For Dubai businesses storing customer data, financial records or creative work, 3-2-1-1-0 is the realistic 2026 minimum.
How much does a 3-2-1-1-0 backup setup cost in Dubai?
For a 10-30 person Dubai SMB - around AED 7,950 one-time (NAS plus drives plus UPS plus rotation drives plus Azizi setup labour from AED 500) plus AED 370-400/month (Backblaze B2 cloud plus Azizi monitored AMC from AED 300/month). Total 5-year cost runs around AED 30,000 all-in, which is dramatically cheaper than recovering from a ransomware event that bypassed a weaker setup.
Which cloud is best for the off-site copy of 3-2-1?
Backblaze B2 with Object Lock is our default recommendation - AED 0.073/GB/month, low egress, mature Object Lock for immutability. Wasabi is the alternative when egress fees matter (media businesses). Synology C2 is fine if you already run Synology hardware. AWS S3 Glacier Deep Archive is the lowest cost for archive-only data but restore is slow and complex. We avoid free-tier cloud entirely for business backup.
How often should I test my backup restores?
Monthly restore tests are the standard - pick 10 random files across different shared folders, restore them, document timestamp and result. Quarterly we do a full bare-metal restore drill on a spare machine to confirm the whole stack works end to end. Yearly we do a fire-drill exercise where the team pretends the office is gone and we restore from off-site only. Every Azizi AMC client gets these tests baked into the monthly visit.
Does Azizi recover data if my 3-2-1 backup itself fails?
Yes. Our cleanroom-grade data recovery lab in Bur Dubai handles failed NAS rebuilds, corrupted Hyper Backup repositories, ransomware-encrypted backup volumes, dropped USB rotation drives and cloud restore failures. We are the only Dubai team that both designs your 3-2-1-1-0 backup and recovers the data when something later goes wrong. Free recovery assessment - see /data-recovery-dubai.
Is 3-2-1 enough for a DIFC law firm or DHCC clinic?
Not quite - regulated industries should run 4-3-2 (four copies, three media, two off-site). The extra copy is typically a long-term archive in S3 Glacier Deep Archive or LTO tape, retained for the regulator's required period (7 years for DIFC financial records, 25 years for some DHCC health data). The extra cost is AED 200-400/month, far cheaper than a non-compliance finding.
Azizi Technologies Team
· Editorial TeamPractical IT and digital marketing guidance from the Azizi Technologies team - an in-house team of certified engineers, SEO specialists, and digital marketers serving Dubai businesses since 2007.
Ready to get the same results we wrote about?
Free 24-hour SEO audit. Transparent AED pricing. Real Dubai client case studies. No sales call required.