The ‘3-2-1’ backup rule and why it’s every business’s best friend

13 May 2022

By Rhys Davies, owner of Five Nines IT Consultancy LTD

It seems like not a day goes by without details of yet another large-scale cyber attack being dissected in the media and the company in question being placed under the microscope. These often-indiscriminate attacks are commonplace and affect all organisations, from FTSE 100 companies right down to small charities. Such is the seriousness of their impact that cyber security is now at the top of most businesses’ risk registers and is a regular board-level topic. It is a sad fact that 60% of businesses that suffer a cyber attack are no longer in existence 6 months later, so what can you do to try to make sure your organisation remains in the 40%?

Without doubt, one of the most important components of a business continuity/cyber incident response plan is a robust backup strategy. The ‘3-2-1’ rule has been in existence for years but has stood the test of time because it applies universally and makes recovery possible in nearly any scenario.

So, what is the 3-2-1 rule, we hear you ask? Put simply, it states that you should:

  1. Create 3 copies of data (1 primary and 2 backups)
  2. Keep data on at least 2 types of storage media (local drive, NAS, tape etc.)
  3. Store 1 of these off site (secure storage, cloud etc.)

It should be noted that the off-site copy should be ‘immutable’ or ‘air-gapped’. This means that the off-site copy is protected by technology that ensures it cannot be tampered with, so it retains its integrity. This stops ransomware from encrypting your critical backup and thereby ensures you can successfully recover from an attack or other disaster. All major backup providers offer this service when combined with Microsoft Azure or Amazon Web Services (AWS) cloud infrastructure; another option is to store backup tapes at a separate location.

With cloud storage costs tumbling, we would recommend this as the preferred method of off-site backup. At the time of writing, if you are a charity or not-for-profit, you are also eligible for an annual £3,500 Azure credit from Microsoft via an application process under their philanthropies programme. This can be used to run any workload in the Microsoft cloud, which includes storage and backup, and many charities are taking advantage of this offer.

However, just as important to your business is the frequency of these backups. We would recommend as a minimum that you back up your data daily and test your ability to restore successfully every 6 months. You can then be confident that, if the worst happens, you can recover your data and get back to what you do best – running your business.
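The rule and the recommendations above can be checked against a written inventory of your copies. The following Python script is an added example, not part of the original article or any Five Nines tooling; the inventory fields, the sample names, and the thresholds (24 hours for "daily", 183 days for "6 months") are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_BACKUP_AGE = timedelta(days=1)    # assumption: "daily" means within 24 hours
MAX_TEST_AGE = timedelta(days=183)    # assumption: "6 months" taken as 183 days

@dataclass
class Copy:
    name: str
    media: str                  # e.g. "local-disk", "nas", "tape", "cloud"
    offsite: bool = False
    protected: bool = False     # immutable or air-gapped
    primary: bool = False
    last_backup: Optional[datetime] = None

def check_321(copies, last_restore_test, now):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    backups = [c for c in copies if not c.primary]
    if len(copies) - len(backups) < 1 or len(backups) < 2:
        findings.append("need 3 copies: 1 primary and 2 backups")
    if len({c.media for c in copies}) < 2:
        findings.append("need at least 2 types of storage media")
    offsite = [c for c in backups if c.offsite]
    if not offsite:
        findings.append("no backup is stored off site")
    elif not any(c.protected for c in offsite):
        findings.append("off-site copy is not immutable or air-gapped")
    for c in backups:
        if c.last_backup is None or now - c.last_backup > MAX_BACKUP_AGE:
            findings.append(f"{c.name}: no backup in the last day")
    if last_restore_test is None or now - last_restore_test > MAX_TEST_AGE:
        findings.append("no successful restore test in the last 6 months")
    return findings

# Constructed sample inventories (not real systems).
NOW = datetime(2022, 5, 13, 9, 0)
GOOD = [
    Copy("file-server", "local-disk", primary=True),
    Copy("nas-nightly", "nas", last_backup=NOW - timedelta(hours=7)),
    Copy("cloud-vault", "cloud", offsite=True, protected=True,
         last_backup=NOW - timedelta(hours=6)),
]
BAD = [
    Copy("file-server", "local-disk", primary=True),
    Copy("nas-nightly", "nas", last_backup=NOW - timedelta(hours=7)),
    Copy("cloud-sync", "cloud", offsite=True, last_backup=NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    print("GOOD:", check_321(GOOD, NOW - timedelta(days=90), NOW))
    for finding in check_321(BAD, NOW - timedelta(days=400), NOW):
        print("BAD:", finding)
```

The BAD inventory has three copies on three media types with one off site, yet still fails: its off-site copy is an unprotected sync that ransomware could overwrite, it is three days stale, and no restore has been tested recently.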


Rhys Davies is the owner of Five Nines IT Consultancy LTD, and is a former IT Director with over 10 years’ experience in senior IT roles in both the public and private sector.  Based in Cardiff, he works at a strategic level with clients across the UK to turn Information Technology threats into opportunities that help businesses achieve their strategic objectives.