Ransomware attacks and hardware failures can be disastrous. Implementing the 3-2-1 backup rule helps protect your company. It reduces risk from a single failure point by spreading three copies across two media types, including one off-site. But deploying the 3-2-1 rule in cloud storage requires additional security measures.

Below, we’ll explore how the 3-2-1 backup strategy and the enhanced 3-2-1-1-0 rule work. Use these best practices and tips to create your small business backup strategy and recovery plan.

What is the 3-2-1 backup rule? 

The 3-2-1 backup rule calls for three copies of your data (the original plus two backups) stored on two different types of media (such as cloud storage and an external drive), with one backup file kept off-site. This strategy prevents a single failure from causing chaos. For example, backing up data to an external drive and a cloud service protects you from site-specific disasters, like fires or floods.

Using the 3-2-1 backup rule in cloud storage involves:

  • 3 copies: Create one primary backup and two copies, including a cloud backup.
  • 2 media types: Save one copy to an external drive and another on a provider’s server.
  • 1 off-site backup: Keep one file in a different location, like your cloud or data center servers.

Why 3-2-1 still matters for small businesses 

According to the Cybersecurity and Infrastructure Security Agency (CISA), “ransomware attacks hit a new target every 14 seconds.” Without a small business backup strategy, downtime and data loss can shut down operations. The Center for Internet Security (CIS) said, “You must operate under the assumption that it’s not a matter of if you will be attacked but when.” Learning about data backups and modernizing your approach for today’s threats can ensure business continuity.  

3-2-1-1-0: modernizing 3-2-1 for ransomware 

Extending the 3-2-1 rule to 3-2-1-1-0 protects your company from ransomware attacks that use double extortion, which involves encryption and data exfiltration. 

Here’s what the +1 and 0 mean:

  • 1 requires an immutable backup. This can be a cloud backup with write-once, read-many (WORM) or object lock enabled, or an offline, air-gapped copy that can’t access the internet, be altered, or be deleted by unauthorized users.
  • 0 means error-free restorations. This step includes validating backup files and restoration processes to make sure you can recover critical business data within your ideal time frame. 

How to implement the 3-2-1 rule in cloud storage

Put a 3-2-1 backup and recovery strategy into practice using on-site and backup-as-a-service (BaaS) solutions. 

Follow these steps to implement the 3-2-1 backup rule in the cloud:

  • Select critical data to back up: Complete a risk assessment and impact analysis (available via Ready.gov) to assess risks and decide which information you need to keep your business running. 
  • Choose backup tools: Pick an external drive or network-attached storage (NAS) system and a cloud backup service provider.
  • Make one cloud copy tamper-proof. Turn on immutability (object lock or WORM), so your cloud backups can’t be edited or deleted until the end of your retention window. 
  • Keep snapshots or older versions. Enable file history or snapshots to restore a previous version if your current copy is corrupted. 
  • Enable encryption and role-based access. Pick a cloud service that offers a separate login for backups and automatic encryption at rest and in transit. 
  • Run cloud backup testing and recovery drills. Practice restoring files at least quarterly to consistently meet your recovery point objective (RPO) and recovery time objective (RTO).

Backup software recommendations

The best data backup solutions are easy to set up and use, affordable, and secure. Look for vendors offering object lock or WORM, automatic encryption in transit and at rest, and extended version histories to support your retention policy.

Consider these small business backup software options:

  • CrashPlan Small Business: Back up multiple endpoints and external drives with a CrashPlan Small Business solution. It offers unlimited storage and file versioning, continuous backups every 15 minutes, and 90-day deleted file retention.
  • IDrive Business: Keep server, NAS, and multiple devices backed up with IDrive Business. It helps small businesses comply with legal and federal regulations, provides optional private-key encryption, and offers snapshots for point-in-time recovery.
  • Backblaze: Activate your 3-2-1-1-0 strategy using Backblaze computer backup and cloud storage options. Backup solutions offer a one-year version history and a dedicated restore app, while B2 cloud storage provides object lock with WORM access.

Avoid common mistakes in small business backups 

Data loss can occur if your cloud backup strategy doesn’t meet the 3-2-1 backup rule standards. Review your backup process and recovery plan to ensure you can respond to a cyberattack or hardware failure.

Here are common small business backup mistakes to avoid:

  • Relying on one backup location: The 3-2-1 rule keeps one copy in a separate physical location from others, so if one is at the office, another should be in a secure cloud backup service or a drive kept off-site.
  • Treating Google Workspace or Microsoft 365 as your backup solution: These support your retention policies, but aren’t full, immutable backups. You still need offline or unchangeable storage. 
  • Running backups without testing restores: Complete a backup verification quarterly to ensure it meets your RPO and RTO objectives.
  • Keeping too short a file history: Malware can hide in your system for weeks, so a 30-day default may not be long enough. Aim for 90 days or more. 
  • Not having an air-gapped or tamper-proof copy: A ransomware attack can delete or encrypt everything if every backup is connected to your office network.    

3-2-1 backup strategy best practices

A comprehensive backup and recovery strategy is vital to a business continuity plan. A proactive stance identifies and prevents threats while ensuring you can recover quickly after an attack.

Backup best practices include:

  • Control account access: Use the principle of least privilege and require a second form of identification (two-factor authentication) for all company accounts.
  • Automate backups: Manual backups are prone to user error, whereas automated backups ensure you have the latest versions stored securely.
  • Reduce attack surfaces: Protect your network with a small business firewall and proactive monitoring tools. 
  • Test your backup copies: Backups fail and data gets corrupted, making data verification and restore testing essential.
