4iT IT Support Sydney | Your Reliable Sydney IT Support Partner

Insights & News

The 3-2-1 Backup Rule and Immutable Backups | 4iT

The 3-2-1 backup rule is a simple standard for keeping data safe: keep three copies of your data, on two different types of storage, with one copy kept off-site. It is the baseline most IT professionals design backups around because it protects against the common ways data is lost at once. These days it is often extended to add an immutable copy, one that cannot be altered or deleted for a set period, which is what defends against ransomware that deliberately targets your backups.

Diagram concept showing three data copies across two storage types with one kept off-site.

Key facts

  • The 3-2-1 rule: three copies of your data, on two different storage types, with one copy off-site.
  • It protects against single points of failure, one device, one location, or one storage type failing does not lose everything.
  • An immutable backup cannot be changed or deleted for a set period, so ransomware cannot encrypt or wipe it.
  • Modern best practice extends 3-2-1 to include at least one immutable or air-gapped copy, sometimes written as 3-2-1-1-0.
  • The rule is about surviving correlated failures: the events most likely to take out several copies at the same time.

What does the 3-2-1 rule mean?

Each number targets a different way of losing data. Three copies means the original plus two backups, so that if one copy fails you still have two, and you are never one failure away from total loss. Two different storage types, for example a local disk and cloud storage, means a fault that affects one kind of media does not take out all your copies at once. One copy off-site means a physical event at your premises, fire, theft, flood, does not destroy every copy in one go.

The logic underneath is about correlated failures: the events that can wipe out several copies simultaneously. Two backups sitting on the same server in the same building are not really two copies for planning purposes, because one power surge, one theft, or one ransomware infection can take both. The 3-2-1 rule deliberately spreads copies across device, media, and location so that no single event reaches all of them. It is not complicated, but it is easy to get wrong by keeping copies that are too close together to count as independent.

What is an immutable backup, and why does it matter now?

An immutable backup is a copy that cannot be modified or deleted for a defined retention period, even by an administrator, even by malware with stolen credentials. Once written, it is locked. That property is the whole point, because modern ransomware does not just encrypt your live data, it hunts for your backups and encrypts or deletes those too, knowing that a business with working backups will simply restore and refuse to pay. Immutability breaks that attack: the criminals can reach the backup but cannot touch it.

This is why the classic 3-2-1 rule has quietly grown a fourth element. A traditional off-site backup protects against fire and theft, but if it is online and writable, a sufficiently determined ransomware attack can still reach it. An immutable or air-gapped copy closes that door. In practice, for the SMEs we support, this is the single most important upgrade to a backup strategy in recent years, because ransomware targeting backups has gone from a rare, sophisticated attack to a routine one. A backup that ransomware can delete is a backup you cannot rely on precisely when you need it most.

How should a small business apply this?

Start by counting your independent copies. Many businesses think they follow 3-2-1 but on inspection have, say, a live server and a backup on a second drive in the same room, which is really one location and two devices one event can destroy together. The fix is usually straightforward: keep the local backup for fast restores, add an off-site copy (typically cloud), and make at least one copy immutable so ransomware cannot reach it.

The good news is this does not have to be complicated or expensive for an SME. The building blocks, local backup, off-site or cloud replication, and immutable retention, are all mature and widely available; the work is in configuring them correctly and then testing that a restore succeeds. That last part is where most setups quietly fail, so applying 3-2-1 properly means not just having the copies but periodically proving you can recover from them. If you are not certain how many truly independent copies of your data you have right now, that uncertainty is itself the thing worth fixing.

Frequently asked questions

What is the 3-2-1 backup rule?

The 3-2-1 rule means keeping three copies of your data, on two different types of storage, with one copy kept off-site. It protects against single points of failure so that one device, one location, or one storage type failing does not lose everything. It is the baseline most IT professionals design backups around.

What is an immutable backup?

An immutable backup is a copy that cannot be changed or deleted for a set retention period, even by an administrator or by malware with stolen credentials. Because modern ransomware targets backups as well as live data, immutability is what stops attackers from encrypting or deleting the very copy you would use to recover.

Is the 3-2-1 rule still relevant?

Yes, but it is now usually extended. The classic three copies, two media types, one off-site still holds, but best practice adds at least one immutable or air-gapped copy to defend against ransomware that targets backups. This extended version is sometimes written as 3-2-1-1-0.

How do I know if my backups follow the 3-2-1 rule?

Count your independent copies. Two backups on the same server in the same room are not really independent, because one event can destroy both. Proper 3-2-1 means copies spread across different devices, storage types, and locations, ideally with one immutable, and a tested restore proving you can recover from them.

If you are not sure how many independent copies of your data you really have, or whether ransomware could reach your backups, we can review it and close the gaps. It is also worth understanding how backup and disaster recovery work together. Call 4iT on 1800 367 448 or see our server backup services.

Brett Muscio

About the author

Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across Sydney, Melbourne, and Brisbane on backup and disaster recovery, immutable backups, and cybersecurity, with on-site support across the Sydney metro area and remote delivery nationally. Connect on LinkedIn.

Recent Posts

Scroll to Top