3-2-1-1-0 Backup Strategy Explained 2026 | North Star

Backup Strategy 2026: The 3-2-1-1-0 Rule Explained

The 3-2-1 backup rule was solid advice for a decade. Then ransomware operators figured out that most offsite backups were reachable from the same compromised credentials that encrypted the primary data. A backup your attacker can delete is not a backup, it's a false sense of security. The updated rule is 3-2-1-1-0, and the extra two digits change everything about how backup strategy works.

The Old Rule, and Why It's No Longer Enough

The original 3-2-1 rule: keep 3 copies of your data, on 2 different media types, with 1 copy offsite. Good guidance, and still foundational. The problem is that "offsite" was typically a cloud backup target or an external drive stored at a manager's home, both of which were accessible using the same admin credentials that got compromised in a ransomware attack.

Modern ransomware operators spend days or weeks inside a network before detonating. They locate and destroy backup repositories as part of the attack to maximise pressure for ransom payment. If your backup target is reachable from an account that can be compromised, it is part of your attack surface.

The New Rule: 3-2-1-1-0 Explained

Number   Meaning
3        Three copies of your data
2        On two different storage types (e.g., local disk + cloud)
1        One copy offsite
1        One copy immutable or air-gapped
0        Zero errors: verified, tested restores, not assumed

The second 1 is the material addition. An immutable copy cannot be modified or deleted for a defined retention period, even by an administrator. An air-gapped copy is simply not connected to anything that can reach it via the network.

The 0 is the discipline: it means you have actually tested that the backup restores successfully, not just that the job reported success.

Immutable Storage: What It Actually Means

"Immutable" is a specific technical term that's being misused in marketing. Genuine immutability means:

  • The data cannot be overwritten or deleted for the configured retention period.
  • This restriction applies to the backup service account, to domain admins, and to the storage admin: everyone.
  • Object lock (S3 or compatible) is the most common implementation. Appliance-based write-once storage is another.

If an attacker who has obtained domain admin credentials can also delete your backup repository, that backup is not immutable. Confirm this specifically with your backup provider or IT team. "Immutable" in a product name does not necessarily mean immutable in the technical sense.
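The check above can be made concrete for the most common implementation, S3 Object Lock. The following script is an added example, not code from the article or from North Star: it evaluates a bucket's Object Lock configuration, in the dict shape that boto3's get_object_lock_configuration() returns, against a minimum retention window. It treats GOVERNANCE mode as not immutable, because any principal granted s3:BypassGovernanceRetention (typically an admin) can lift it, which is exactly the account an attacker is assumed to hold. The sample configurations and the 60-day minimum are constructed for the example.

```python
# Added example (not part of the North Star article): evaluate an S3 Object Lock
# configuration against a minimum retention requirement.
# Sample configurations and the 60-day threshold below are constructed.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class LockVerdict:
    immutable: bool
    retention_days: int
    findings: list[str] = field(default_factory=list)


def evaluate_object_lock(config: dict, min_retention_days: int) -> LockVerdict:
    """Decide whether a bucket's Object Lock configuration delivers the
    immutability the article describes: nobody, including an administrator,
    can delete or overwrite a backup object inside the retention window.

    `config` follows the GetObjectLockConfiguration response shape:
    {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
      "Rule": {"DefaultRetention": {"Mode": ..., "Days": ... | "Years": ...}}}}
    """
    findings: list[str] = []
    lock = config.get("ObjectLockConfiguration", {})

    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled; any principal with "
                        "s3:DeleteObject can remove backup objects.")
        return LockVerdict(False, 0, findings)

    retention = lock.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("Object Lock is enabled but no default retention rule "
                        "exists; new objects are unlocked unless the backup "
                        "software sets retention per object.")
        return LockVerdict(False, 0, findings)

    # Retention is expressed in Days or Years (never both).
    days = int(retention.get("Days", 0)) + 365 * int(retention.get("Years", 0))
    mode = retention.get("Mode")

    if mode == "GOVERNANCE":
        # Governance mode can be lifted by anyone holding
        # s3:BypassGovernanceRetention, which usually includes admins.
        findings.append("Retention mode is GOVERNANCE; a principal with "
                        "s3:BypassGovernanceRetention can remove the lock. "
                        "Use COMPLIANCE for backup repositories.")
    elif mode != "COMPLIANCE":
        findings.append(f"Unknown retention mode {mode!r}.")

    if days < min_retention_days:
        findings.append(f"Default retention is {days} days; at least "
                        f"{min_retention_days} days are required to outlast "
                        "typical attacker dwell time.")

    immutable = mode == "COMPLIANCE" and days >= min_retention_days
    return LockVerdict(immutable, days, findings)


# Constructed sample configurations (not real bucket data).
SAMPLE_CONFIGS = {
    # "Immutable" in the bucket name only: Object Lock was never enabled.
    "marketing-immutable": {},
    "governance-14d": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 14}}}},
    "compliance-90d": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}},
}

# Assumption for this example: retention must comfortably exceed the 30+ day
# dwell time the article mentions.
MIN_RETENTION_DAYS = 60


def audit_all(configs=SAMPLE_CONFIGS,
              min_days=MIN_RETENTION_DAYS) -> dict[str, LockVerdict]:
    """Evaluate every bucket configuration and return the verdicts by name."""
    return {name: evaluate_object_lock(cfg, min_days)
            for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, verdict in audit_all().items():
        status = "IMMUTABLE" if verdict.immutable else "NOT IMMUTABLE"
        print(f"{name}: {status} ({verdict.retention_days} days)")
        for finding in verdict.findings:
            print(f"  - {finding}")
```

In a real audit you would feed the function the live response from the provider's API rather than the constructed dicts; the point is that the verdict is derived from the configured mode and retention, not from the word "immutable" in a product or bucket name.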

Air-Gapped vs. Immutable: When to Use Each

Both achieve the goal of protecting backups from attacker access. The implementation differs:

  • Air-gapped: the backup media is physically disconnected from any network. Tape rotation is the classic implementation. Still valid for businesses with strict data sovereignty requirements or very long retention periods where tape cost is advantageous.
  • Immutable cloud storage: connected to the internet but cryptographically protected against modification. Most modern stacks use this approach because it's operationally simpler than tape rotation.

Many BC SMBs use both: immutable cloud for fast recovery windows (30 - 90 days), tape or cold storage for long-term archive (1 - 7 years). The two serve different purposes.

Verification Is the Work

A backup that hasn't been tested is an assumption, not a safety net. Verification requirements:

  • Monthly: automated restore test of a representative sample of data, with documented success or failure.
  • Quarterly: full system restore test. Boot a server from backup in an isolated environment and verify it operates correctly.
  • Annually: tabletop DR exercise with leadership. Walk through the scenario: ransomware at 8am on a Monday. Who does what? How long does recovery take? What's offline, and for how long?

Document every test. The documentation is what you produce when a cyber insurer or client asks whether your backups work.
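The monthly automated restore test and the "measure RTO against real restore times" point can be built as one small script. The following is an added example, not the article's or North Star's own tooling: it writes a SHA-256 manifest at backup time, restores every file into an isolated directory, re-hashes each one, times the restore against an RTO target, and returns the record you would keep as evidence. The dataset, the backup repository and the corrupted-file scenario are constructed in a temporary directory so the script runs offline; the 60-second RTO is an assumption for the demo.

```python
# Added example (not part of the North Star article): an automated restore test
# that produces documented pass/fail evidence, the "0" in 3-2-1-1-0.
# The source data, backup repository and RTO target are constructed for the demo.
from __future__ import annotations

import hashlib
import json
import shutil
import time
from datetime import datetime, timezone
from pathlib import Path
from tempfile import TemporaryDirectory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_backup(source: Path, backup: Path) -> dict:
    """Copy `source` to `backup` and record a manifest of per-file digests.
    The manifest is what makes verification possible later: a job's own
    'success' status only says the copy ran, not that it is restorable."""
    shutil.copytree(source, backup)
    manifest = {
        "taken_at": datetime.now(timezone.utc).isoformat(),
        "files": {str(p.relative_to(source)): sha256_file(p)
                  for p in sorted(source.rglob("*")) if p.is_file()},
    }
    (backup / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(backup: Path, restore_to: Path, rto_seconds: float) -> dict:
    """Restore every manifest entry into an isolated directory, re-hash it and
    time the operation. Returns the evidence record for the test log."""
    manifest = json.loads((backup / "MANIFEST.json").read_text())
    started = time.monotonic()
    mismatches: list[str] = []
    for rel, expected in manifest["files"].items():
        src, dst = backup / rel, restore_to / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        if not src.exists():
            mismatches.append(f"{rel}: missing from backup")
            continue
        shutil.copy2(src, dst)
        if sha256_file(dst) != expected:
            mismatches.append(f"{rel}: digest mismatch after restore")
    elapsed = time.monotonic() - started
    rto_met = elapsed <= rto_seconds
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "backup_taken_at": manifest["taken_at"],
        "files_checked": len(manifest["files"]),
        "mismatches": mismatches,
        "restore_seconds": round(elapsed, 3),
        "rto_met": rto_met,
        "result": "PASS" if not mismatches and rto_met else "FAIL",
    }


def run_demo() -> tuple[dict, dict]:
    """Two runs over a constructed dataset: a clean restore, then one where a
    file inside the repository was altered after the job reported success."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        source.mkdir()
        (source / "ledger.csv").write_text("id,amount\n1,42\n")
        (source / "docs").mkdir()
        (source / "docs" / "policy.txt").write_text("retain 90 days\n")

        backup = root / "backup"
        take_backup(source, backup)
        good = restore_and_verify(backup, root / "restore1", rto_seconds=60)

        # Simulate silent corruption in the repository: the job said success,
        # but what is on disk no longer matches what was backed up.
        (backup / "ledger.csv").write_text("id,amount\n1,0\n")
        bad = restore_and_verify(backup, root / "restore2", rto_seconds=60)
        return good, bad


if __name__ == "__main__":
    for record in run_demo():
        print(json.dumps(record, indent=2))
```

Scheduled monthly, the JSON records from restore_and_verify() become the documentation the article asks for; the "backup_taken_at" and "restore_seconds" fields are what you compare against the RPO and RTO targets you have written down.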

Common Gaps We Find in BC SMB Environments

  • Backups configured but never tested for restore. Common result: backup jobs report success but the restore fails due to configuration drift.
  • Cloud backups using the same Azure AD / Entra credentials as the rest of the environment. One compromised admin account deletes everything.
  • Retention periods too short. Ransomware is sometimes dormant for 30+ days before detonating; with a 14-day retention you may only have encrypted files left to restore.
  • RTO and RPO targets written down but never actually measured against real restore times.

Frequently Asked Questions

What's the difference between RTO and RPO? RTO (Recovery Time Objective) is how long you can afford to be down. RPO (Recovery Point Objective) is how much data loss is acceptable, i.e., how old your most recent usable backup is allowed to be. A four-hour RPO means you're willing to lose up to four hours of transactions. Set these numbers based on your actual business, then test whether your backup system can meet them.

Does Microsoft 365 need to be backed up separately? Yes. Microsoft's service agreement covers their infrastructure, not your data. M365 data should be backed up using a dedicated cloud-to-cloud backup service with its own immutable retention. This is a common gap.

Talk to a Prince George-based IT team about verifying your backup strategy, call 672-983-1174 or book a free assessment at northstarit.ca.
