Backup essentials: the 3-2-1 rule and a recovery plan that survives ransomware
'I have backups' doesn't mean you can restore. The 3-2-1 rule, an offline/immutable copy ransomware can't encrypt, and the restore test that actually makes a backup real.
For: anyone in solo or small-team work who keeps "some kind of backup" but wonders "is this actually enough?" No attack steps here — just how to build a backup you can reliably restore from.
This site's view: 'cloud sync' is not a backup
A common assumption is "I sync to OneDrive/Google Drive, so I'm backed up." Not so. Sync replicates the current state, so a file you delete by mistake, or one ransomware encrypts, gets copied to the other side in that state. A backup needs the ability to "rewind time" — versioning that restores an older copy, and an immutable copy that can't be overwritten later. Sync is convenient, but on its own it's a "when one side breaks, both break" setup. Treat it as a different role from backup entirely.
Why "I have a backup" isn't enough
You need backups because the causes of data loss are many — and they arrive together. Hardware failure, deletion by mistake, theft and disaster, and ransomware. One line of defense misses the accidents coming from another direction.
Ransomware in particular hunts down the backups themselves. A backup kept right next to the data gets caught up in the same incident. This is the most foundational form of "keep a restorable state" from vulnerability response (→ the practice of vulnerability response).
The basic shape: 3-2-1 (+ offline/immutable)
3 — three copies
original plus two. One fails, the other two still restore.
2 — two media types
e.g. internal drive + external SSD, or NAS + cloud. Don't pool them in one box.
1 — one offsite
another location (cloud / separate site). Fire, theft, flood won't wipe it all.
+ one offline/immutable
not always connected, or non-overwritable. Always keep one copy ransomware can't encrypt.
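As an added example (not code from this site), the four rules above can be written as a check over an inventory of copies. The `BackupCopy` fields, the sample plan names and the choice to leave a sync-only mirror out of the count are assumptions of this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str              # e.g. "internal-drive", "external-ssd", "nas", "cloud"
    site: str                # where the copy physically lives
    offline: bool = False    # not always connected
    immutable: bool = False  # overwrite/delete forbidden for a period
    sync_only: bool = False  # live sync with no versioning

def check_321(copies, primary_site):
    """Return the unmet 3-2-1(+1) rules; an empty list means the plan passes."""
    # Assumption of this example: a sync-only mirror is not counted as a copy,
    # because it replicates deletions and encryption as-is.
    real = [c for c in copies if not c.sync_only]
    gaps = []
    if len(real) < 3:
        gaps.append(f"3: {len(real)} of 3 copies present")
    if len({c.medium for c in real}) < 2:
        gaps.append("2: all copies sit on one media type")
    if not any(c.site != primary_site for c in real):
        gaps.append("1: no offsite copy")
    if not any(c.offline or c.immutable for c in real):
        gaps.append("+1: no offline or immutable copy")
    return gaps

# Constructed sample plans (hypothetical names and sites).
ORIGINAL = BackupCopy("laptop", "internal-drive", "home")
SYNC_ONLY = [ORIGINAL, BackupCopy("drive-sync", "cloud", "provider", sync_only=True)]
ALWAYS_CONNECTED = [ORIGINAL,
                    BackupCopy("nas", "nas", "home"),
                    BackupCopy("cloud-backup", "cloud", "provider")]
WITH_OFFLINE = ALWAYS_CONNECTED + [
    BackupCopy("usb-ssd-in-drawer", "external-ssd", "home", offline=True)]

if __name__ == "__main__":
    for label, plan in [("sync only", SYNC_ONLY),
                        ("always connected", ALWAYS_CONNECTED),
                        ("with offline copy", WITH_OFFLINE)]:
        print(label, "->", check_321(plan, "home") or "passes")
```

The always-connected plan satisfies 3, 2 and 1 and still fails the offline/immutable rule, which is the gap ransomware exploits.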
How to build it (work through it in order)
First, inventory 'what would hurt to lose'
Lay it out as 3-2-1
Make at least one offline/immutable
Automate it (manual won't last)
Restore-test on a schedule
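One way to make the last step concrete, as an added example that is not this site's own tooling: record a SHA-256 manifest when the backup is taken, restore into a scratch directory, and compare. The function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def manifest(root):
    """Map every file's relative path to its SHA-256 (record this at backup time)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(expected, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    actual = manifest(restored_root)
    missing = sorted(set(expected) - set(actual))
    changed = sorted(k for k in set(expected) & set(actual) if expected[k] != actual[k])
    return {"ok": not missing and not changed, "missing": missing, "changed": changed}

def demo():
    """Constructed sample: one clean restore, one with a lost and a damaged file."""
    files = {"notes/plan.txt": b"q3 plan\n", "invoice.csv": b"id,amount\n1,100\n"}
    with tempfile.TemporaryDirectory() as tmp:
        src, good, bad = (Path(tmp) / n for n in ("source", "restore_ok", "restore_bad"))
        for root in (src, good, bad):
            for rel, data in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        expected = manifest(src)
        (bad / "invoice.csv").unlink()                        # file the restore lost
        (bad / "notes/plan.txt").write_bytes(b"\x00garbled")  # file that came back damaged
        return verify_restore(expected, good), verify_restore(expected, bad)

if __name__ == "__main__":
    ok_report, bad_report = demo()
    print(ok_report)
    print(bad_report)
```

A backup job that reports success passes neither check on its own; only a restore compared against the manifest shows missing or altered files.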
Ransomware targets backups too
Modern ransomware encrypts not just the main data but any connected backup target it can find (NAS, external drives, mounted cloud). So an "always-connected backup" alone goes down with everything else in an incident. The decisive defense is keeping at least one copy that's offline (physically disconnected) or immutable (overwrite/delete forbidden for a period). Whether you have that copy is what separates paying the ransom from not.
Cloud sync only
- deletions and encryption are synced as-is
- can't roll back to an older version (no rewind)
- always connected = caught up with ransomware
- you've never checked whether it restores
3-2-1 + immutable + restore test
- versioning restores a clean older copy
- an offline/immutable copy isolated from ransomware
- redundancy across place and media means no total loss
- periodic tests confirm it really restores
What this site does itself
This site backs up its data and documents automatically, to a separate location, across multiple generations, and pairs that with a "rebuildable by design where possible" approach. Data that can be regenerated mechanically (ingested feeds, indexes), for instance, is held on the assumption it can be rebuilt rather than relying on backups, which is a way of "reducing the backup burden in the first place." On top of that, the irreplaceable things (article bodies, configuration) are kept redundantly, and keeping a restorable state at all times is a premise of operations. When swapping out end-of-support hardware (→ the Windows 10 end-of-support piece), the reason you can migrate with confidence is that a restorable backup exists. Think of backup not as "last-resort insurance" but as a precondition for incident response.
FAQ
Q: Does cloud sync (Google Drive, OneDrive) count as a backup?
Sync is not a backup. Sync replicates the current state, so a file you deleted by mistake — or one ransomware encrypted — gets copied to the cloud in that broken state. A backup needs the ability to 'rewind time': versioning (restore an older version) and an immutable copy that can't be overwritten. With only sync, when one side breaks, so does the other.
Q: What is the 3-2-1 rule?
Keep three copies of your data (the original plus two), store them on two different media types, and keep one of them offsite. It's redundancy so a single device failure, a single-site disaster, or a single mistake doesn't wipe everything. For ransomware, the modern addition is 'at least one offline or immutable copy.'
Q: What helps most against ransomware?
Having at least one 'offline' (not always connected) or 'immutable' (can't be overwritten) backup. Ransomware actively hunts for and encrypts backups too, so an always-connected backup goes down with the original. A disconnected or non-overwritable copy lets you restore without paying. Then confirm it actually works with periodic restore tests.