Safeguards

The 3-2-1 backup rule

What is the 3-2-1 backup rule?

The 3-2-1 rule is a rule of thumb for backups: keep three copies of your important data, on two different types of storage media, with one copy held away from your premises. A single event such as a fire or a ransomware attack then reaches every copy at once only in rare cases.

The three figures are quickly explained. Three copies means the original you work with every day plus two backups of it. Two types of media means those backups sit on different technology, for example on a network storage device in the building and additionally in cloud storage or on an external drive. One copy off site means that a backup is held at another location, so that a fire, a burst pipe or a break-in at your premises cannot reach it. The rule appears in the data backup guidance published by the German Federal Office for Information Security (IT-Grundschutz module CON.3).

Picture the following arrangement. A network storage device stands in the server room, a backup runs onto it every night, and the matter is considered settled. That backup sits on the same power supply, in the same room and on the same network as the servers. Ransomware, meaning malicious software that encrypts data and demands a ransom, deliberately looks for reachable network drives and encrypts the backup along with everything else. This is why the third copy is kept offline, meaning physically disconnected once the backup run has finished, or on immutable storage, meaning storage that refuses deletion and overwriting for a defined period.

How do you recognise a weak backup? Ask three questions. Where does the second copy physically sit, and who was last there? When was a file last genuinely restored from the backup? How long would a complete restore of your most important server take? If nobody in the company can answer these questions, the backup is an assumption. A backup counts as real only once a restore has demonstrably worked.

The first sensible step is a list of the systems and data without which the business stops: stock management, accounts, mailboxes, the file store, design or planning data, the till system. For each entry note how many copies exist, on what technology they sit, where they sit, and when a restore was last verified. That list exposes the gaps within minutes. Then put a fixed date in the calendar for a restore test and record the result in writing.

The IT-Check examines your IT across eight audit areas and more than 100 checkpoints, and data backup is one of the subjects covered: which systems are backed up, to where, how often, how long the backups are retained, and whether one copy lies beyond the reach of an attack. Data collection on site is read-only, meaning purely observational and without any intervention in running systems.

All terms in the knowledge base

From the term to practice

Where does your business actually stand?

The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.

Book a first call