Backups That Actually Work: The 3-2-1 Strategy and Why One Copy Isn't Enough
"We have backups" — a phrase that in 2025 sounds about like "we have antivirus" in 2010. Reassuring, but guarantees nothing. Because in an era when ransomware attacks hit every 11 seconds, and attackers deliberately destroy backup infrastructure, the question isn't whether you have backup copies. The question is whether you can restore them when everything goes to hell.
Numbers That Sober You Up
Let's start with the unpleasant: 2 out of 3 organizations experienced significant data loss in the past year. These aren't some abstract companies from the news — these are real statistics from 70,000+ technology leaders in the US.
Even worse: even among those who paid ransom after a ransomware attack, only 32% managed to recover data in 2024. For comparison — this figure used to be 54%. Attackers simply stopped returning data even after payment.
And the saddest part: 57% of organizations that survived a ransomware attack recovered less than half their data. Meanwhile, 69% of them were confident they were prepared for an attack before it happened.
Why "One Backup" Is Suicide
Imagine: you back up your work computer to an external drive that sits in the same office. Computer crashes? Backup saves you. Fire in the office? Both burn.
Or another scenario: you store backups with the same cloud provider where production runs. Credentials compromised? The attacker gets access to both production and backups simultaneously.
In 73% of cases, attackers deliberately destroy backup infrastructure before encrypting primary data. They disable backup agents, delete snapshots, modify retention policies, encrypt backup volumes.
This is no longer just an attempt to block access — it's methodical destruction of all means of recovery.
The 3-2-1 Strategy: A Foundation That Works
The 3-2-1 rule was formulated by photographer Peter Krogh and became the gold standard for data protection:
3 — three copies of your data (original + 2 backups)
2 — on two different types of media
1 — one copy stored offsite (outside the main location)
Why does this work? Because it eliminates single points of failure.
Three Copies of Data
Original on the production server. First backup on local NAS or external drive. Second backup in the cloud or another data center.
If one copy is damaged or encrypted — two remain. If two are unavailable — there's always a third.
Two Types of Media
In 2025, this doesn't mean "disk and tape." The modern interpretation is two different devices or platforms. For example:
- Local SSD + cloud storage
- NAS + external hard drive
- On-premises server + remote colocation
The main thing is protection against failure of one technology type or one vendor.
One Copy Offsite
Fire, flood, theft, physical damage to the data center — all destroy local copies. Offsite backup guarantees that even with complete destruction of the main location, data remains accessible.
Research shows: for organizations with uncompromised backups, 46% recover in a week or less, versus 25% of those whose backups were compromised.
Evolution: 3-2-1-1-0 for 2025
The original 3-2-1 rule was created before the ransomware and immutable storage era. In 2025, it remains relevant but insufficient.
Veeam extended the strategy to 3-2-1-1-0:
- 3 copies of data
- 2 different types of media
- 1 offsite copy
- 1 immutable copy
- 0 recovery errors (verified backups)
Immutable Backups — Mandatory Requirement
Immutable storage is WORM (Write Once, Read Many). Data can be written once but cannot be changed or deleted until the end of the retention period.
Even with stolen credentials, an attacker cannot destroy an immutable backup. Amazon S3 Object Lock, Azure Immutable Storage, specialized backup appliances — all support immutability.
Why is this critical? Because modern ransomware first searches for and destroys backups, only then encrypts production.
Zero Errors — Test Recovery
Many companies discover too late that their backups are incomplete or corrupted. Recovery testing isn't optional, it's mandatory.
At minimum, verify quarterly:
- Can you restore data from backup
- How long does recovery take
- Is all critical data included
- Do applications work after recovery
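A recovery test along these lines can be automated. The following is an added example, not code from the original article or from any backup product: it records a hash manifest at backup time, then checks a test restore for missing files, silently corrupted files, and critical paths that were never in the backup set, and times the check. The directory layout, file names and the "critical" list are constructed for the demo.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    # Hash in chunks so large backup files never have to fit in memory.
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source: Path) -> dict:
    # Taken at backup time: relative path -> SHA-256 of every file.
    return {p.relative_to(source).as_posix(): sha256_file(p)
            for p in source.rglob("*") if p.is_file()}


def verify_restore(manifest: dict, restored: Path, critical: set) -> dict:
    # Compare a test restore against the manifest and time the check.
    started = time.monotonic()
    missing = sorted(r for r in manifest if not (restored / r).is_file())
    corrupted = sorted(r for r, h in manifest.items()
                       if r not in missing and sha256_file(restored / r) != h)
    # Critical paths that were never part of the backup set at all.
    uncovered = sorted(critical - set(manifest))
    return {"missing": missing, "corrupted": corrupted, "uncovered": uncovered,
            "seconds": time.monotonic() - started,
            "ok": not (missing or corrupted or uncovered)}


def demo() -> dict:
    # Constructed sample: the restore lost one file and altered another.
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "prod"), Path(tmp, "restore")
        (src / "db").mkdir(parents=True)
        (dst / "db").mkdir(parents=True)
        files = {"db/orders.sql": b"orders", "db/users.sql": b"users",
                 "notes.txt": b"notes"}
        for name, data in files.items():
            (src / name).write_bytes(data)
        manifest = build_manifest(src)
        (dst / "db/orders.sql").write_bytes(b"orders")
        (dst / "notes.txt").write_bytes(b"n0tes")  # silent corruption
        critical = {"db/orders.sql", "db/users.sql", "hr/payroll.xlsx"}
        return verify_restore(manifest, dst, critical)
```

Store the manifest with the immutable copy rather than next to production, so the baseline cannot be altered together with the data it describes.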
Real Cases: When Backups Fail
Obscura Ransomware: Technical Encryption Failure
November 2025: researchers discovered that Obscura ransomware contains a critical bug — files larger than 1GB are encrypted incorrectly and cannot be decrypted even with the correct key.
Companies paid ransom, received decryption keys, but large files remained forever lost due to a coding flaw in the ransomware itself.
Conclusion: even if you pay, there's no guarantee you'll get data back. Only verified backups provide confidence in recovery.
UK Retailer, April 2025
DragonForce ransomware caused $400 million in damages, putting the company on the brink of bankruptcy. Attackers destroyed all local backups before encryption.
The company recovered only thanks to an offsite copy, which turned out to be the only survivor.
Kaseya: Attack on MSP
One attack on Kaseya affected 1,500+ MSP clients simultaneously. Those with independent offsite backups recovered. The rest lost everything.
Top 5 Backup Strategy Mistakes
1. Relying on Only One Backup
The most common mistake. One copy isn't a backup, it's Russian roulette. Hardware failure, ransomware, accidental deletion — and you're left with nothing.
2. Storing Backups on the Same Network
Network-accessible backup volumes are prime targets for ransomware. In 86% of cases, attackers aim for complete disruption, including wiping all accessible backups.
Air-gapped or immutable storage is critical.
3. Not Testing Recovery
"We have backups" and "we can recover from backups" are different things. Without regular testing, you don't know if your copies work.
4. Using Only Cloud Backup from the Same Provider
Backing up Microsoft 365 in a Microsoft environment? One compromised API token — and the attacker gets access to production and backups simultaneously.
Diversify vendors for critical data.
5. Ignoring Encryption and Access Control
Backups must be encrypted both at rest and in transit. Role-based access control, separate credentials for backup systems, MFA — all mandatory.
Practical Implementation in 2025
For Small Business
3 copies:
- Original on workstations/server
- Local backup on NAS or external drive
- Cloud backup (Backblaze, Wasabi, IDrive)
2 media:
- Local storage (NAS/external SSD)
- Cloud storage
1 offsite:
- Automated cloud backup with immutability enabled
Tools: Acronis True Image, Veeam Backup, Datto SIRIS
Cost: $50-500/month depending on volume
For Enterprise
3 copies:
- Production data
- Local backup on dedicated appliances
- Remote backup in another data center + cloud
2 media:
- On-premises backup appliances
- Cloud/remote colocation
1 offsite:
- Immutable cloud storage + air-gapped tape/offline storage
Additional:
- Snapshot replication
- CDP (Continuous Data Protection) for critical systems
- Automated backup verification
- 24/7 monitoring
Tools: Veeam, Commvault, Rubrik, Cohesity
Checklist: Review Your Backup Strategy
✅ Do you have at least 3 copies of all critical data?
✅ Are copies stored on different devices/platforms?
✅ Is at least one copy physically in a different location?
✅ Do you have an immutable or air-gapped copy?
✅ Are backups encrypted and protected by access controls?
✅ Do you test recovery at least quarterly?
✅ Do you have documented recovery procedures?
✅ Are backup credentials separate from production credentials?
✅ Do you automatically monitor backup success?
✅ Are Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined for critical systems?
If the answer to even one question is "no" — you have a problem.
Backup Frequency: How Often Is Enough?
Critical data: Continuous or every few hours
Important data: Daily
Non-critical data: Weekly
But remember: the less frequent the backup, the more data you'll lose during recovery. RPO (Recovery Point Objective) is the maximum acceptable data loss. If your business can't survive losing a day's work — back up more often.
Backup Types: Choose Correctly
Full backup: Complete copy of all data. Slowest, most voluminous, simplest for recovery.
Incremental backup: Only changes since the last backup (of any type) are copied. Fast, saves space, but recovery requires the backup chain.
Differential backup: Changes since the last full backup are copied. Compromise between full and incremental.
Snapshot: Instant snapshot of system state. Fast, but requires special storage support.
Optimal strategy for most: weekly full + daily incremental + snapshots for critical VMs.
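What "recovery requires the backup chain" means in practice is shown by the added example below, which is not from the original article: it computes which backups must be restored, in order, to reach a given day, and falls back to an earlier recovery point when one link fails verification. The catalog, the backup names and the day-number unit are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    name: str
    day: int         # day number in the schedule (constructed sample unit)
    kind: str        # "full", "incremental" or "differential"
    ok: bool = True  # False when verification found the backup unreadable


def chain_ending_at(backups, end):
    """Follow each backup back to its base until a full backup is reached."""
    chain, i = [], end
    while i >= 0:
        b = backups[i]
        if not b.ok:
            return None                  # broken link: this chain is unusable
        chain.append(b.name)
        if b.kind == "full":
            return chain[::-1]           # restore order: full backup first
        if b.kind == "incremental":
            i -= 1                       # base is the previous backup of any type
        else:                            # differential: base is the last full
            i = next((j for j in range(i - 1, -1, -1)
                      if backups[j].kind == "full"), -1)
    return None                          # no full backup to start from


def restore_chain(catalog, target_day):
    """Newest restorable point at or before target_day, as an ordered chain."""
    backups = sorted((b for b in catalog if b.day <= target_day),
                     key=lambda b: b.day)
    for end in range(len(backups) - 1, -1, -1):
        chain = chain_ending_at(backups, end)
        if chain:
            return chain
    return []


# Constructed catalog: full on day 0, differential on day 3, incrementals between.
CATALOG = [Backup("F0", 0, "full"), Backup("I1", 1, "incremental"),
           Backup("I2", 2, "incremental"), Backup("D3", 3, "differential"),
           Backup("I4", 4, "incremental"), Backup("I5", 5, "incremental")]
# Same catalog with I4 failing verification.
BROKEN = [Backup(b.name, b.day, b.kind, ok=(b.name != "I4")) for b in CATALOG]

if __name__ == "__main__":
    for catalog, day in ((CATALOG, 5), (CATALOG, 2), (BROKEN, 5)):
        print(day, restore_chain(catalog, day))
```

With I4 unreadable, the day 5 restore silently becomes a day 3 restore: one bad incremental costs every recovery point after it until the next differential or full backup.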
Cloud Backup: Pros and Cons
Pros:
- Offsite by definition
- Scalability
- No capital expenses
- Geo-redundancy
- Cloud storage market growing from $161.28B in 2025 to a projected $639.40B by 2032
Cons:
- Egress fees during recovery
- Dependence on internet channel
- Vendor lock-in risks
- Potential compliance issues
48.5% of tech leaders use offsite backups as their primary solution. Cloud is growing, but many combine it with local copies for quick recovery.
Ransomware-Specific Protection
Canary Files
Lightweight decoy files distributed across endpoints serve as an early warning system: they are the first files ransomware will encrypt.
One case: a company detected encryption on Friday at 6 PM, isolated systems, only 3 files were encrypted. Business operated normally on Monday.
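The check behind a canary file is small. The following is an added example, not from the original article or from any specific product: it plants decoy files, stores their hashes as a baseline, and reports any decoy that was modified, renamed with an appended extension, or removed. The decoy names and the tampering in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical decoy names, chosen to look like ordinary documents.
CANARY_NAMES = ["000_accounts.docx", "000_payroll.xlsx", "000_contracts.pdf"]


def plant_canaries(directory: Path, names=CANARY_NAMES) -> dict:
    """Write decoy files; return the baseline {name: sha256} to keep elsewhere."""
    baseline = {}
    for name in names:
        content = f"canary:{name}".encode() * 64
        (directory / name).write_bytes(content)
        baseline[name] = hashlib.sha256(content).hexdigest()
    return baseline


def check_canaries(directory: Path, baseline: dict) -> list:
    """Return (name, reason) alerts; an empty list means no decoy was touched."""
    alerts = []
    for name, expected in baseline.items():
        path = directory / name
        if path.is_file():
            if hashlib.sha256(path.read_bytes()).hexdigest() != expected:
                alerts.append((name, "modified"))
            continue
        # Gone under its own name: look for it with an appended extension.
        renamed = sorted(p.name for p in directory.iterdir()
                         if p.name.startswith(name + "."))
        reason = f"renamed to {renamed[0]}" if renamed else "missing"
        alerts.append((name, reason))
    return alerts


def demo() -> tuple:
    """Constructed tampering in a temp directory: one overwrite, one rename."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = plant_canaries(root)
        clean = check_canaries(root, baseline)
        (root / CANARY_NAMES[0]).write_bytes(b"\x00" * 128)
        (root / CANARY_NAMES[1]).rename(root / (CANARY_NAMES[1] + ".locked"))
        return clean, check_canaries(root, baseline)
```

In production this check would run on a short interval or be replaced by file-system audit events on the decoy paths, with any alert wired to host isolation.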
Air-Gapped Backups
Air-gapped backups are physically disconnected from the network: either offline storage (tape, removable drives), or network-segmented storage where access is only possible at specific times.
Immutable Cloud Storage
S3 Object Lock, Azure Blob Immutable Storage — make backups read-only for a specified retention period. Even root credentials cannot delete them.
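For S3 Object Lock, the guarantee against privileged deletion applies to compliance mode; in governance mode, principals holding the s3:BypassGovernanceRetention permission can still remove locked versions. The added example below (not from the original article) audits bucket settings in the shape returned by S3's GetObjectLockConfiguration call. The bucket names, the 30-day minimum and the sample responses are constructed, and a bucket with no configuration is represented here as an empty dict.

```python
def audit_object_lock(response: dict, min_days: int) -> list:
    """Findings for one bucket; an empty list means the default lock meets policy."""
    cfg = response.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled"]
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        return ["no default retention: only uploads that set their own lock are protected"]
    findings = []
    if retention.get("Mode") != "COMPLIANCE":
        findings.append("GOVERNANCE mode: s3:BypassGovernanceRetention holders can delete")
    # DefaultRetention carries either Days or Years.
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_days:
        findings.append(f"retention {days}d is shorter than required {min_days}d")
    return findings


def audit_buckets(responses: dict, min_days: int = 30) -> dict:
    """Map bucket name -> findings, keeping only buckets that fail the policy."""
    results = {name: audit_object_lock(resp, min_days)
               for name, resp in responses.items()}
    return {name: found for name, found in results.items() if found}


def _lock(mode: str, **period) -> dict:
    # Helper for building constructed sample responses.
    return {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": mode, **period}}}}


# Constructed responses; bucket names are hypothetical.
SAMPLE = {
    "backups-compliance": _lock("COMPLIANCE", Days=90),
    "backups-governance": _lock("GOVERNANCE", Years=1),
    "backups-short": _lock("COMPLIANCE", Days=7),
    "backups-no-rule": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
    "backups-unlocked": {},
}

if __name__ == "__main__":
    for bucket, findings in audit_buckets(SAMPLE).items():
        print(bucket, findings)
```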
Cost vs Risk
Average cost of data breach in 2025 — $4.4 million. For small business, data loss often means bankruptcy: 26% lose $250K-500K, 13% — more than $500K.
Quality backup strategy for SMB: $500-2000/month. For enterprise: $5000-50,000+/month depending on volume.
Do the calculation yourself: potential loss vs protection cost.
Compliance and Retention
GDPR, HIPAA, SOC 2, PCI DSS — all require specific backup practices and retention periods.
- GDPR: Right to deletion vs backup retention — balance needed
- HIPAA: Encryption, access logs, specific retention periods
- PCI DSS: Protected storage of payment data
- SOC 2: Documented backup & recovery procedures, testing
Compliance is one of the top drivers for adoption of reliable backup strategies.
Conclusion: Backups Aren't Insurance, They're a Survival Kit
In 2025, the question isn't whether they'll attack you. The question is when they attack, and whether you can recover.
The 3-2-1 strategy has worked for two decades because it eliminates single points of failure. 3-2-1-1-0 adapts it to modern threats, adding immutability and verification.
But no strategy works without execution. Automation, monitoring, testing, documentation — all are mandatory conditions.
And remember: 98% of organizations whose data was encrypted managed to recover something. 68% used backups, 56% paid ransom (some did both).
But only those with verified, protected, independent backups recovered fully and without extra costs.
Don't become a statistic. Check your backups right now.