The 3-2-1 backup rule, and why most people only have 1

The 3-2-1 rule is the closest thing data protection has to a commandment. Three copies of your data. On two different media. One of them off-site. It is almost fifty years old, it predates the cloud, it predates most of the software you use, and it is still undefeated.

It is also worth reading carefully, because the common failure mode is believing you are doing 3-2-1 when in fact you have one copy of your data and two copies of the same copy.

Why three copies

The point of three copies is redundancy against different failure modes at the same time. A single copy can be lost to a single cause: a drive failure, a house fire, a ransomware encryption, a cloud account closure, a cat knocking a glass of water onto a laptop. Two copies can be lost to a correlated cause — both on the same drive that dies, both in the same building that burns, both in the same cloud account that gets hijacked. Three copies on three different kinds of infrastructure resist correlated failure.

This is the same reason airplanes have three hydraulic systems, not two. Two looks redundant on paper, until a single cut line drains both.

Why two media

“Media” here means kinds of storage, not copies of the same kind. Two external hard drives on the same desk are not two media — they are the same medium with two instances, vulnerable to the same power surge and the same opportunistic burglar.

A reasonable list of distinct media for personal and small-business use:

• The internal SSD of your working computer. This is copy #1, the “live” copy.
• An external hard drive or SSD, plugged in periodically.
• A second computer on the same network (an old laptop, a small NAS).
• Optical media (Blu-ray discs, for truly cold archival). Uncommon now; still has a role for things you intend to keep for decades.
• A cloud backup service. iCloud, Backblaze, Arq to S3 or Backblaze B2, or a similar service.

Two of these is the floor. Mix and match; do not pick two that are the same thing with different labels.

Why one copy off-site

The off-site copy is the copy that survives the scenarios where your house or office does not. A fire, a flood, a burglary, a power surge that kills every powered device in the room, a ransomware payload that pivots across your local network and encrypts every writable share it finds.

“Off-site” does not necessarily mean “far away”. It means administratively and physically separate from the rest of your infrastructure. Common sensible options:

• A cloud backup service.
• An external drive stored at a friend or family member’s house, rotated every month or two.
• A bank safe-deposit box for a drive you only update a couple of times a year (common for tax records and legal documents).
• A small encrypted drive at the office for people whose primary computer is at home, or vice versa.

Immutability: the 3-2-1-1 upgrade

Ransomware changed the math. Modern ransomware crews spend time looking for your backups before they pull the trigger, because the whole business model depends on your inability to restore. If they find a writable backup share, they will encrypt that too.

The modern refinement is sometimes called 3-2-1-1: three copies, two media, one off-site, one of them immutable. Immutable means “cannot be modified or deleted for a defined retention period, even by an administrator with valid credentials”. On cloud storage, this is usually implemented with Object Lock (AWS S3, Backblaze B2, Wasabi). On backup software, it is often a built-in feature labeled “ransomware protection” or similar.

For a person or a small business, the simplest way to get immutability is to use a backup service whose default configuration provides it: Backblaze Computer Backup, Arq pointed at S3 with Object Lock enabled, or a similar setup. You do not need to implement immutability yourself; you need to pick a tool whose defaults provide it.

The thirty-second check nobody does

Backups that have never been restored from are not backups; they are a rumor.

Once a quarter, pick one file in your backup, and actually restore it to your desktop. Not the file you just backed up ten minutes ago — a random file from three months ago. If the restore works, close the restored file and move on with your day. If it does not work, you have just discovered a critical problem while the house is not on fire, which is the best possible time to discover it.

The usual failures are mundane: the password to the encrypted backup has been forgotten; the credentials to the cloud account were rotated and never re-entered in the backup app; the external drive has silent bit-rot on a file nobody opened for a year; the backup job has been erroring for weeks and the notification was in a folder nobody reads.

A concrete setup for a normal person

Enough theory. Here is a layout that satisfies 3-2-1-1 for a typical household, at modest cost:

1. Live working copy on your laptop’s internal SSD.
2. Time Machine (macOS) or File History (Windows) to an external drive that lives on your desk. Plug it in every few days.
3. Backblaze Computer Backup (or similar) running in the background, encrypting files before upload with a key you control. This is your off-site copy, and modern Backblaze tiers provide immutability.
4. Quarterly reminder to restore one random file from Backblaze.

Cost: one external drive ($80) plus a cloud backup subscription ($100 per year). That is the whole thing. It will get you through a stolen laptop, a dead drive, a house fire, and the overwhelming majority of ransomware incidents a household is likely to encounter.

For a solo business, add a second external drive that rotates to a different location — a partner’s house, a parent’s house, a small bank box — updated every month. The harm of losing client files to a single correlated event is larger, so the redundancy is worth the fifteen minutes a month.

The Threats topic covers the specific patterns modern ransomware uses to hunt backups, and how the above setup deliberately works against each of them.