The 3-2-1 rule is dead. Ransomware killed it. Here's why we now need 3-2-1-1-0 and what those extra numbers mean for protecting your backups from attackers who specifically target them.
The 3-2-1 rule served us well for decades. Three copies of your data, on two different types of media, with one copy offsite. Simple, elegant, effective. But that was before ransomware operators figured out that if they could destroy your backups, you'd have no choice but to pay the ransom.
I've seen it happen over and over. Companies think they're protected because they follow the 3-2-1 rule. Then ransomware hits, and guess what? The backups are gone too. Deleted, encrypted, or locked behind compromised credentials. The traditional 3-2-1 rule has a fatal flaw: all three copies can potentially be accessed by someone who steals your admin credentials.
That's why the rule had to die and be reborn as 3-2-1-1-0. The first extra "1" represents one immutable, air-gapped copy. Immutable means it can't be changed or deleted, even by administrators. Air-gapped means it's isolated in a way that makes it inaccessible to attackers - different credentials, different access controls, systems requiring out-of-band authentication. Even if ransomware operators completely compromise your environment, they can't touch this copy.
The "0" stands for zero failures. Your backups need to work when you need them. This means active monitoring, regular testing, scanning for ransomware in your backup data, and actually practicing recovery before you're in a crisis. Too many organizations discover their backups haven't been working only when they try to restore.
In this episode, Prasanna and I break down each component of 3-2-1-1-0. We explain why Microsoft 365 versioning doesn't count as meeting the 3-2-1 rule (spoiler: those aren't independent copies). We discuss what immutability really means in a cloud-first world. And we talk about why ransomware has become essentially the only reason people restore from backups anymore - hint: it's because we fixed all the hardware reliability problems.
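An added example (not from the episode or its hosts) that checks a constructed backup inventory against each component of 3-2-1-1-0. The field names, `PROD_DOMAIN` and the sample copies are assumptions, and "air-gapped" is modeled only as an immutable copy reachable through different credentials than production.

```python
from dataclasses import dataclass

PROD_DOMAIN = "corp-ad"  # assumption: identity domain exposed by stolen admin credentials

@dataclass
class Copy:
    name: str
    media: str                   # "disk", "object-storage", "tape", ...
    offsite: bool
    immutable: bool              # cannot be changed or deleted, even by administrators
    credential_domain: str       # identity system that can reach this copy
    independent: bool = True     # False for versions kept inside the primary itself
    last_job_ok: bool = True     # result reported by backup monitoring
    restore_tested: bool = True  # a practiced restore from this copy succeeded

def check_3_2_1_1_0(copies):
    """Evaluate an inventory against each component of the rule."""
    real = [c for c in copies if c.independent]  # versioning is not a separate copy
    isolated = [c for c in real
                if c.immutable and c.credential_domain != PROD_DOMAIN]
    return {
        "3 copies": len(real) >= 3,
        "2 media types": len({c.media for c in real}) >= 2,
        "1 offsite": any(c.offsite for c in real),
        "1 immutable, air-gapped": bool(isolated),
        "0 failures": all(c.last_job_ok and c.restore_tested for c in real),
    }

def failed(copies):
    """Names of the rule components the inventory does not meet."""
    return [rule for rule, ok in check_3_2_1_1_0(copies).items() if not ok]

# Constructed inventory: meets classic 3-2-1, but every copy shares prod credentials.
CLASSIC = [
    Copy("primary", "disk", False, False, PROD_DOMAIN),
    Copy("m365-versioning", "disk", False, False, PROD_DOMAIN, independent=False),
    Copy("local-backup", "disk", False, False, PROD_DOMAIN),
    Copy("cloud-copy", "object-storage", True, False, PROD_DOMAIN, restore_tested=False),
]
# Same inventory with the cloud copy immutable, separately credentialed and restore-tested.
HARDENED = CLASSIC[:3] + [Copy("cloud-vault", "object-storage", True, True, "vault-idp")]

if __name__ == "__main__":
    print("classic :", failed(CLASSIC))
    print("hardened:", failed(HARDENED))
```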
Here's the bottom line: if you're not following the basic 3-2-1 rule, you don't have backups. Period. But if you want backups that will actually save you from a ransomware attack, you need to upgrade to 3-2-1-1-0. The immutable copy isn't a nice-to-have anymore - it's the difference between recovering and paying ransom.
Don't wait until you're staring at encrypted files and deleted backups to figure this out. The 3-2-1 rule is dead. Long live 3-2-1-1-0.
While you're here, here are some great episodes from this year:
https://www.youtube.com/watch?v=ZZGn5xlYTec
https://www.youtube.com/watch?v=nHz5hGZy0nY&t=2s
https://www.youtube.com/watch?v=ov834MWoBXg&t=2s
This YouTube channel is also available as an audio podcast!
https://www.backupwrapup.com
We also have a blog that I've been running for over 20 years!
https://www.backupcentral.com
I've also written four O'Reilly books! My latest:
https://www.amazon.com/Modern-Data-Protection-Recoverability-Workloads-ebook/dp/B093TQTBC3