Ransomware

The 3-2-1-1 Backup Rule: How to Create a Backup That Survives Ransomware

20 March 2026·3 min read
The 3-2-1-1 Backup Rule: How to Create a Backup That Survives Ransomware

Many businesses think they are protected from ransomware simply because they "have backups." But when an attack happens, they discover a horrifying truth: the hackers found the backups on the network and encrypted or deleted them before launching the main attack.

Having backups is not enough; your backups must be structured to survive the attacker. That is where the 3-2-1-1 rule comes in.

What is the 3-2-1-1 Rule?

The 3-2-1 rule has been the gold standard in IT for decades, but the modern ransomware threat required an upgrade. Here is the breakdown:

  • 3 Copies of Your Data: You should have the primary production data, plus at least two backup copies.
  • 2 Different Media Types: Don't store everything on the same type of hardware. Use a mix (e.g., local hard drives and cloud storage).
  • 1 Copy Offsite: At least one copy must be physically located away from your primary office in case of fire, flood, or theft (typically a secure cloud provider).

The Crucial Final '1': Immutability

This is the most important step for fighting ransomware.

  • 1 Copy must be Immutable or Air-gapped:
    • Air-gapped means the backup is completely disconnected from the internet and your network (like a tape drive sitting in a safe).
    • Immutable means the data is stored in the cloud in a "read-only" state. The software physically prevents anyone - even your highest-level IT admin with a password - from altering, encrypting, or deleting the files for a specified amount of time.

Why This Architecture Defeats Ransomware

If a hacker breaks into your network, elevated admin privileges let them destroy everything connected to it. But if you have an immutable backup, the hacker is powerless. They can encrypt your live servers, but they absolutely cannot touch your cloud backup.

Restoring with Confidence

When the ransomware demand arrives, you don't even need to consider paying it. You can simply wipe your local machines and restore from the immutable copy. This turns a potential business-ending event into a manageable recovery process.

Don't Wait for a Disaster to Test Your Resiliency

A backup you have never tested isn't a backup - it is a theoretical hope.

Are you confident your current backup architecture can withstand an aggressive ransomware attack? Book a Cubit cyber security assessment today. We will evaluate your disaster recovery capabilities and give you a jargon-free roadmap to ensuring your business can survive the worst-case scenario.

To understand where your business stands, we offer a free initial consultation - get in touch.

Free Download

The 10-Point Security Checklist for Australian SMEs

Based on real findings from 100+ cyber incidents. Check where your business stands.

Get the Free Checklist →

Related articles

Ransomware

What to Do in the First 10 Minutes of a Suspected Cyber Attack

3 min read

Stay sharp

Get practical security tips, monthly.

Plain English. No jargon. No spam. Unsubscribe any time.

Ready to protect your business?

Get a free, no-obligation security assessment quote tailored to your business.

Get a Free Quote →Book a Free 15-Min Call