Back That Data Up! The 3-2-1 Rule

Estimated reading time: 8 minutes

A different cloud...

A different cloud…

I haven’t stored an important document on my laptop for years because most of what I do I do on the cloud. Why wouldn’t I? I need my content to be accessible from my laptop and from my work computer at the very least so I need some way to share content without having to carry around flash drives full of stuff I might not need.

This obviously creates some problems, particularly the need for an internet connection to access content, the possibility of someone “eavesdropping” on content in my Dropbox account, and of course there’s always the unlikely scenario of dropbox having their servers ceased or destroyed without warning. In my case I can live with these cons because the pros of having my content instantly available from everywhere and in a safer location than on my laptop outweigh the previously outlined cons.

Understandably though, my case does not reflect everybody else’s. People might have content they don’t want stored on a server which they have no control over, generally for privacy or security reasons. This includes most employees and business owners who might be averse to the idea of having their private and confidential files uploaded to a server they can’t see and touch. Unfortunately, these same people seem to be under the impression that holding all their metaphorical eggs in one basket (i.e. all their files on their personal computer) is the best possible way to deal with their situation. This cannot be farther from the truth.

This year, a swarm of ransomware pushers have been attacking small business owners. Ransomware (such as CryptoWall and TorrentLocker) is a relatively new breed of malicious software that attacks a machine and encrypts all its contents. The owner is then forced to pay money (sometimes in excess of $500) to get their data decrypted. Small business owners are particularly vulnerable to these attacks because a) unlike bigger companies, they often do not back up their data properly and do not have the security mechanisms in place to protect them from these sorts of attacks, and b) unlike personal computer owners, the encrypted data being held hostage is commonly central to their operations and therefore are more likely to pay up.

Protecting yourself from malicious software like ransomware is of utmost importance if the data on your computer is important to you. It’s important to get out of the way that this might seem like overkill to you, but that will change if you ever find yourself looking at an empty hard drive that’s supposed to contain all your business documents.

If protecting your data is essential, you can never be too careful. Today I’d like to share a system with you that will make losing all your data nearly impossible.

THE 3-2-1 RULE

As outlined by TrendMicro in this article about the 3-2-1 rule, if you’re going to back something up you’re going to need:

  • A minimum of 3 copies
  • Stored on 2 different media
  • Of which 1 is off-site

It sounds like a simple rule, but it does take some time to learn how to do it properly, and even more time to get into the habit of following it. The idea is clearly to have as much redundancy as possible, so that if one part fails you will always have something to fall back on. Once you understand how the rule works and implement it into your life or business process, you will never lose your data again, whether it’s a ransomware attack or an accident that burns down your office.

In order to help ease you into the 3-2-1 rule of keeping backups, here’s what each part means and some examples on how you can implement it. Keep in mind that this is an all-or-nothing deal. If you don’t fully implement the 3 parts of the rule, you leave yourself open to some form of attack that could destroy everything you own.

Here we go.


Redundancy is your #1 priority

Redundancy is your #1 priority

We start with the simplest and most often overlooked principle, not to mention the one principle that could save you so many headaches: making more than 1 actual backup of your content. The rule states that you should have at least 2 copies in addition to the original copy of the content. Additionally, it’s important that none of these copies exist on the same machine. It makes little sense for me to copy a document on my desktop and store two versions of it on the same computer (one in my documents and the other on a virtual partition).

The 3 copies must all be in locations that do not have a central point of failure. A good example is having a copy on your computer, another copy on an external hard drive, and another copy in the cloud. If you were to do this, you would instantly satisfy all three aspects of the 3-2-1 rule, but we’ll get into that later. If you don’t want to store anything in the cloud, you can make a copy on a re-writable disc. Take tape backups. Put everything on a local, shared company server.

It bears repeating though that it’s important that none of the copies have a central point of failure. Two copies on the same flash drive does not satisfy the requirement. Neither is three copies on the same external hard drive. And no, just because they’re in different folders doesn’t count.

The idea is to reduce the odds of having all your content wiped together, as a result of one attack or one accident. If you’re going to put everything together, you might as well do nothing.

You need to have as many copies as you can possibly maintain, scattered as far as possible from each other. 3 is a good number to aim for. 4 is better.


Do you know what the lifetime of a hard disk drive is? Well, I didn’t either, but I looked it up for you. Unfortunately for everyone involved, the answer is “Not long enough for you to not have backup from day 1”. Sometimes hard drives fail randomly and without warning, so don’t expect that “you’ll know” when it’s time to get a new one. The only time you’ll know is when you’ve lost everything. Similar statements can be said of flash drives, optical disks, and tape backups.

This is the reason why the second part of the 3-2-1 rule exists: Always store your backups on two different media.

For example, store two backups on hard drives, but the third on a USB drive. Or keep a copy on your computer, but the other two copies stored on tape backups. Ideally, you would have three different media, one for each copy (for example, one internal hard drive, one optical disk, one remote server).

Again, separating the copies on different types of media will help redundancy and will help ensure that there is no central point of failure. Storing two copies on two different internal hard disks connected via RAID will help satisfy the first criteria, but it’s not uncommon to experience failure of the second drive once the first fails. This part of the rule helps avoid such scenarios.


There is such a thing as 'way too off-site'

There is such a thing as ‘way too off-site’

If you’ve gotten this far, this should be a no-brainer. But it’s also the one step you will have the most difficulty getting used to.

Even though you might be keeping 3 different copies on 2 different media, you are susceptible to an attack that you’re the least likely to expect, and one that no anti-virus can protect you from: natural disasters.

What would happen to your meticulously taken copies of client records, if your office were to suddenly catch fire with all your hard drives and USB sticks inside it? What would happen to your family photos, if someone were to break into your home and steal both your laptop and your external hard drive?

So for this part of the rule, you mitigate the risk of a physical attack, by storing the copies in physically different locations, as far from each other as possible.

Here’s the best part: this one sounds much harder than it is. For example, you could take that USB stick from the office and leave it at home. Or you could upload your files to a server in a different city. It’s as simple as that. As long as you’ve got at least one backup in an entirely different location, you’re gonna be fine.


The 3-2-1 rule will make your data as redundant as possible. Get malware on your PC? No problem, just format and plugin your USB stick. Electrical surge fried your external hard drive? No sweat, everything is safe and sound on a cloud backup service.

The ultimate form of the 3-2-1 rule is having 3 copies, all on different media, all in different physical locations.

The one setup I always recommend is this: 1 copy on your computer at work, 1 copy on a USB stick which you take home at the end of your work day, and 1 copy on a cloud service like Dropbox. Maintaining such a setup is almost trivial: download the Dropbox application and setup an auto-sync folder on your computer. All your data and files now go into that folder. This takes care of the local copy and the one on the cloud (as anything you put in the folder is automatically synced). At the end of your work day, copy everything from the local Dropbox folder to a USB stick and take it home.



  1. Ransomware pushers up their game against small businesses
  2. World Backup Day: The 3-2-1 Rule
  3. What is the lifetime of a typical hard disk?

Amante Reale

I'm a freelance writer specializing in tech, gadgets, security, cryptography and cryptocurrency. Warning: I am armed with very strong opinions and I'm not afraid to use them. Hire me!