The 3-2-1 backup rule is a strategy to ensure your data is recoverable in case of data loss incidents. It recommends having at least:

• Three copies of your business-critical data
• Two copies stored locally on-site in different media or devices
• One copy off-site

The rule was conceptualized by US photographer Peter Krogh. After initially impacting the photography world, Krogh's idea was quickly adopted by other technology disciplines. It's a great way to evaluate and manage data risks. Speaking about the rule, Peter Krogh recently said, “With so much of our life and livelihood stored in digital form, and with the threats of malware increasing, it's important for everyone to have a framework for assessing vulnerabilities.”

There are two chief reasons why the 3-2-1 backup rule caught on so quickly and achieved universal success. First, it doesn't need any specific technology for implementation. Second, it can be used to combat nearly any data loss incident.

The 3-2-1 backup strategy helps minimize the disruption caused by a single instance of failure, like when a device gets stolen or a drive encounters an error. If a natural disaster results in data loss on all on-site backups, you can still retrieve your mission-critical data from your off-site copy.

Why is the 3-2-1 backup rule important?

Data is the foundation of many businesses. Not having access to your mission-critical data could result in downtime, financial losses, reputational damage and other serious problems.

With ransomware attacks increasing worldwide, it's important to have strong and secure backup policies that add an extra layer of protection for your organization. The 3-2-1 backup strategy does just that. It increases your chances of recovering from data disasters and minimizing downtime by requiring you to maintain an off-site backup. This wasn't a common practice before the rule gained prominence. However, now it is because the 3-2-1 backup rule greatly increased the data protection capabilities of all companies that implemented it.

New alternatives to the 3-2-1 rule

Technology is continuously evolving as are the challenges it presents. In a bid to overcome the ever-changing tech challenges, the 3-2-1 rule has evolved to suit different circumstances. For instance, some experts have tried implementing a 3-2-2 strategy. This version recommends having an extra copy off-site — meaning two copies off-site — to boost data recoverability.

Another backup strategy adopts the 4-3-2 backup rule, in which four copies are stored in three places, two of which must be off-site. It recommends storing the data not only in geographically distant locations to protect against data loss due to natural disasters but also in two separate networks so that a copy of your data will be safe and isolated even if hackers gain entry into one of your networks. According to this rule, some of your copies must be immutable, which means they cannot be modified, encrypted or deleted. This adds an extra level of security against ransomware, accidental deletions and any data loss occurring due to human error.

There is also the 3-2-1-1-0 rule in which three copies of your data are maintained in two separate media or on-site locations. One backup must be in an immutable off-site location. An additional backup must be offline or in an air-gap location, which means hackers can't access these even if they succeed in breaching your network.

The 0 in this rule introduces a new recommendation, which pertains to testing. The 3-2-1-1-0 rule suggests that you ensure your backed-up data and recovery solutions must contain no errors (zero errors, in other words). Adopting this strategy means you must monitor and validate your data daily, fix errors and also test your restore methods.

Which of these rules should you adopt?

Any backup strategy is better than no strategy. So, kudos to you for wanting to implement one in the first place and asking what the 3-2-1 backup rule is. Having discussed some of the different strategies, we can conclude that your backup strategy should:

Some of the best practices while implementing a backup rule like 3-2-1 include:

• Back up regularly: So that if and when you're struck by a data disaster, you have copies and recovery files that are updated and your data loss is minimal.
• Choose which data to backup: Some of your data is more important than others. Typically, organizations value customer and financial records, registry files, operating systems, etc. Some industries also require data to be stored for legal and data compliance purposes. Prioritize the data you want to back up so your critical data is safe and protected.
• Automate backup and recovery: This reduces errors, saves time and effort, and again, ensures your backed-up data is updated.
• Test, test, test: Backups fail. Recovery methods fail. Plan for this. Ensure your backup strategy is regularly validated and checked for errors to minimize the risk of failure.
• Continuously improve your strategy: What is the 3-2-1 backup rule, if it's not a basic framework to keep your data safe. It's effective but can be improved upon. Recognize this and improve your backup strategy based on your unique requirements and observations.

Implementing the 3-2-1 backup rule

We've now answered the question “what is the 3-2-1 backup rule?” It is a backup strategy that recommends having at least three copies of your business-critical data — two copies on-site in different devices and at least one copy off-site. This strategy improves your odds of recovering data in case of data loss incidents by maintaining a secure backup away from hackers.

Experts have evolved newer strategies, like the 3-2-2 and the 4-3-2 backup strategies, out of the 3-2-1 backup rule in their attempts to overcome the ever-evolving tech and data protection challenges. You too can do the same — use the 3-2-1 rule as the base of your backup strategy — to meet your security challenges. However, be sure to retain its core idea of keeping a backup copy in a secure location. Maintain off-site and immutable backups to enhance your data protection capabilities and stay ahead of cybercriminals and data loss risks.