The 3-2-1 Backup Rule: What It Is and How to Implement It

If there's one piece of backup advice that has stood the test of time, it's the 3-2-1 rule. First proposed by photographer Peter Krogh in the early 2000s, this simple framework has become the gold standard for data protection — used by everyone from freelancers to Fortune 500 companies and government agencies.

For UK businesses, following the 3-2-1 rule is one of the most effective ways to protect against data loss from hardware failure, ransomware, accidental deletion, or disaster. Here's how it works and how to put it into practice.

What Is the 3-2-1 Backup Rule?

The rule is straightforward:

  • 3 — Keep at least three copies of your data (the original plus two backups)
  • 2 — Store the copies on at least two different types of media (e.g., local server + cloud, or NAS + external drive)
  • 1 — Keep at least one copy off-site (physically separate from your primary location)

The logic is simple: the more independent copies you have, stored in different places and on different media, the less likely it is that a single event will destroy all of them.

Why 3-2-1 Works

Each element of the rule addresses a different risk:

Three Copies

Having just one backup means a single point of failure. If both your original and your backup fail at the same time — which does happen (e.g., a ransomware attack that encrypts mapped drives, or a fire that destroys everything on-site) — you've lost everything. A third copy dramatically reduces that probability.

Two Different Media Types

Different storage media have different failure modes. A hard drive can suffer mechanical failure. A RAID array can lose multiple disks in a cascade. Cloud storage can suffer an outage or account compromise. By spreading your copies across different media types, you avoid correlated failures.

One Off-Site Copy

If all your backups are in the same building, a single physical event (fire, flood, theft, power surge) can destroy everything. An off-site copy — whether in a different office, a data centre, or the cloud — ensures you can recover even after a site-level disaster.

3-2-1 in Practice: A UK SME Example

Here's how a typical 20-person UK business might implement 3-2-1:

  1. Copy 1 (original) — Data lives on the company file server or in Microsoft 365 (SharePoint, OneDrive, Exchange).
  2. Copy 2 (local backup) — A NAS device in the server room runs nightly backups of the file server. For M365 data, a backup agent pulls data to local encrypted storage.
  3. Copy 3 (off-site / cloud backup) — A cloud backup service automatically replicates data to a UK-based data centre every night.

This setup means:

  • If the file server fails → restore from the local NAS (fast)
  • If the office floods and destroys both server and NAS → restore from the cloud (slower, but complete)
  • If ransomware encrypts the server and the NAS → restore from the cloud (the off-site copy is isolated from the attack)

The Modern Update: 3-2-1-1-0

As threats have evolved, the industry has extended the rule:

  • 3 copies
  • 2 different media types
  • 1 off-site copy
  • 1 immutable or air-gapped copy (cannot be modified or deleted, even by an admin — critical for ransomware protection)
  • 0 errors — verified through regular restore testing

Immutable backups are increasingly important. Modern ransomware specifically targets backup files. An immutable copy — stored with write-once, read-many (WORM) technology or on air-gapped media — cannot be encrypted or deleted by an attacker, even if they compromise your admin credentials.
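As an added illustration (not code from the original article), the Python sketch below audits a backup inventory against each element of 3-2-1-1-0. The inventory entries, device names and the `audit_3_2_1_1_0` helper are hypothetical and constructed for this example; copies that share a physical device are counted once because they fail together.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    name: str
    device: str       # physical device or service that holds the copy
    media: str        # e.g. "disk", "nas", "cloud", "tape"
    site: str         # physical location of the device
    is_original: bool = False
    immutable: bool = False         # WORM or air-gapped
    restore_verified: bool = False  # last restore test of this copy passed

def audit_3_2_1_1_0(copies, primary_site):
    """Map each element of the 3-2-1-1-0 rule to True (met) or False."""
    # Copies on one physical device fail together: count devices, not copies.
    per_device = {}
    for c in copies:
        per_device.setdefault(c.device, c)
    independent = list(per_device.values())
    backups = [c for c in copies if not c.is_original]
    return {
        "3 copies": len(independent) >= 3,
        "2 media types": len({c.media for c in independent}) >= 2,
        "1 off-site": any(c.site != primary_site for c in backups),
        "1 immutable": any(c.immutable for c in backups),
        "0 errors": bool(backups) and all(c.restore_verified for c in backups),
    }

# Constructed inventories (hypothetical names), modelled on the SME example.
SME = [
    BackupCopy("file server", "srv01", "disk", "office", is_original=True),
    BackupCopy("nightly NAS backup", "nas01", "nas", "office", restore_verified=True),
    BackupCopy("cloud backup", "cloud-uk", "cloud", "uk-datacentre",
               immutable=True, restore_verified=True),
]
WEAK = [
    BackupCopy("file server", "srv01", "disk", "office", is_original=True),
    BackupCopy("second partition", "srv01", "disk", "office"),
    BackupCopy("nightly NAS backup", "nas01", "nas", "office", restore_verified=True),
]

if __name__ == "__main__":
    for label, inv in (("SME", SME), ("WEAK", WEAK)):
        failed = [k for k, ok in audit_3_2_1_1_0(inv, "office").items() if not ok]
        print(label, "fails:", failed or "nothing")
```

The WEAK inventory lists three copies but only two devices, all in one building, so it fails every element except the media-type check.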

Choosing Your Storage Media

Local / On-Site Options

  • NAS (Network Attached Storage) — affordable, easy to manage, supports automated backup schedules. Ideal for small businesses.
  • External hard drives — very cheap, but manual, slow, and easy to forget. Not recommended as a primary backup method.
  • Tape — still used in larger organisations for long-term archival. Reliable and cost-effective for huge data volumes but slow to restore.
  • On-premises server — a dedicated backup server with RAID for redundancy.

Off-Site / Cloud Options

  • Cloud backup services — Veeam, Acronis, Datto, Backblaze, and others offer automated, encrypted backup to UK data centres. Scalable and hands-off.
  • Azure Blob Storage / AWS S3 — for businesses with in-house IT skills, cloud object storage with lifecycle policies provides cost-effective archival.
  • Managed backup — your IT provider manages the entire backup infrastructure, including monitoring, testing, and restores.

Implementing 3-2-1 Step by Step

  1. Audit your data — identify all critical data: file servers, email, databases, SaaS applications, endpoint devices.
  2. Define your RPO — how much data can you afford to lose? This determines backup frequency.
  3. Choose your local backup solution — NAS, backup server, or agent-based software.
  4. Choose your off-site/cloud backup solution — cloud backup service, managed provider, or replicated storage.
  5. Automate everything — manual backups get forgotten. Every backup should run on a schedule without human intervention.
  6. Encrypt your backups — both in transit and at rest. If a backup device is stolen, encryption prevents data exposure.
  7. Test restores regularly — run a full restore test at least quarterly to verify your backups actually work.
  8. Monitor and alert — set up alerts for failed backups so issues are caught immediately, not weeks later.
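Steps 2, 7 and 8 can be checked mechanically. The following added example (not part of the original article) scans a constructed job history and flags jobs whose latest run failed, whose last good backup is older than the RPO, or whose restore test is overdue. The job names, the 24-hour RPO and the 92-day "quarterly" window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample job history: (job, finished at, status). Not real log output.
SAMPLE_RUNS = [
    ("fileserver-to-nas", "2024-05-01T01:10", "success"),
    ("fileserver-to-nas", "2024-05-02T01:12", "success"),
    ("fileserver-to-cloud", "2024-04-29T02:30", "success"),
    ("fileserver-to-cloud", "2024-04-30T02:31", "failed"),
    ("fileserver-to-cloud", "2024-05-01T02:29", "failed"),
    ("m365-to-nas", "2024-05-02T03:00", "success"),
]
# Constructed: time of the last successful restore test per job.
SAMPLE_RESTORE_TESTS = {
    "fileserver-to-nas": "2024-03-15T10:00",
    "fileserver-to-cloud": "2023-11-20T10:00",
}

def backup_alerts(runs, restore_tests, now, rpo=timedelta(hours=24),
                  restore_max_age=timedelta(days=92)):
    """Return sorted (job, problem) pairs that should raise an alert."""
    last_ok, last_status = {}, {}
    # ISO timestamps in one format sort chronologically as strings.
    for job, finished, status in sorted(runs, key=lambda r: r[1]):
        last_status[job] = status
        if status == "success":
            last_ok[job] = datetime.fromisoformat(finished)
    alerts = []
    for job, status in last_status.items():
        if status != "success":
            alerts.append((job, "latest run failed"))
        ok = last_ok.get(job)
        if ok is None or now - ok > rpo:
            alerts.append((job, "RPO exceeded"))
        tested = restore_tests.get(job)
        if tested is None or now - datetime.fromisoformat(tested) > restore_max_age:
            alerts.append((job, "restore test overdue"))
    return sorted(alerts)

if __name__ == "__main__":
    for job, problem in backup_alerts(SAMPLE_RUNS, SAMPLE_RESTORE_TESTS,
                                      datetime(2024, 5, 2, 9, 0)):
        print(f"ALERT {job}: {problem}")
```

A job that has never had a restore test is reported as overdue, so a newly added backup cannot go unverified without raising an alert.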

Common 3-2-1 Mistakes

  • Keeping all copies on the same physical device — two partitions on the same hard drive are not two copies
  • Never testing restores — a backup you've never restored is a backup you can't trust
  • Forgetting cloud data — Microsoft 365 and other SaaS platforms don't back up your data for you (more on this in our M365 backup guide)
  • Using USB drives as your only backup — they get lost, forgotten, and they're not encrypted by default
  • No immutable copy — without an immutable or air-gapped backup, ransomware can encrypt all three copies

Get Expert Help With Your Backup Strategy

Implementing 3-2-1 properly requires choosing the right tools, configuring them correctly, and monitoring them continuously. If you'd rather hand this to the experts, a managed IT provider can design, deploy, and manage your entire backup infrastructure. Get a free IT quote from trusted UK providers.
