Backup strategy guide: the 3-2-1 rule and beyond

Backups are the insurance policy of IT. Everyone agrees they’re important, but the details - what to back up, how often, where to store it, how to test it - are where most organisations fall short. And like insurance, you only discover whether your backup strategy actually works when you need it most.

For South African businesses dealing with ransomware threats, load shedding, infrastructure instability, and increasingly strict data protection requirements under POPIA, a robust backup strategy isn’t just good practice - it’s a business survival requirement.

The 3-2-1 rule explained

The 3-2-1 backup rule has been a cornerstone of data protection for decades, and for good reason - it’s simple, memorable, and effective:

• 3 copies of your data (the original plus two backups)
• 2 different storage media types (e.g., local disk and cloud, or disk and tape)
• 1 copy stored offsite (physically separate from your primary location)

The logic is sound. Three copies protect against individual media failures. Two different media types protect against a failure mode affecting one technology (a firmware bug that corrupts all drives of the same model, for example). One offsite copy protects against site-level disasters - fire, flood, theft, or sustained power loss.

For many years, 3-2-1 was sufficient. But the threat landscape has evolved, and the rule needs extending.

Extending to 3-2-1-1-0

Modern data protection best practice adds two more elements:

• 3 copies of your data
• 2 different media types
• 1 offsite copy
• 1 air-gapped or immutable copy
• 0 errors (verified through regular testing)

The air-gapped or immutable copy

This is the critical addition driven by ransomware. Modern ransomware specifically targets backup systems - attackers know that destroying backups forces victims to pay. If your backups are accessible from the same network as your production systems, they’re at risk.

An air-gapped copy is physically disconnected from your network. This could be tape stored in a vault, removable drives rotated offsite, or a cloud backup stored in an account with completely separate credentials and no network path from your production environment.

An immutable copy uses technology that prevents modification or deletion for a defined retention period. Many cloud backup platforms and modern storage systems support immutability - once written, the data cannot be changed or removed, even by an administrator, until the retention period expires.

For your business continuity and disaster recovery strategy, at least one backup copy must be either air-gapped or immutable. This is non-negotiable in the current threat environment.

Zero errors

The final element - zero errors - addresses the uncomfortable reality that many organisations discover their backups are incomplete, corrupted, or non-functional only when they try to restore. A backup you haven’t tested is a hope, not a strategy.

Zero errors means:

• Backup jobs complete successfully and are monitored
• Restore tests are performed regularly (monthly for critical systems, quarterly for others)
• Restored data is verified for integrity and completeness
• Failures are investigated and resolved, not silently ignored

Types of backups

Understanding backup types helps you design a strategy that balances protection with storage efficiency and recovery speed.

Full backup

A complete copy of all selected data. Provides the fastest and simplest restore but consumes the most storage and takes the longest to run.

Incremental backup

Backs up only the data that has changed since the last backup of any type. Efficient on storage and fast to run, but restoring requires the last full backup plus every incremental since. If any incremental in the chain is corrupted, the restore fails.

Differential backup

Backs up all data changed since the last full backup. Uses more storage than incremental but restores faster - you only need the last full backup and the latest differential. A practical middle ground for many organisations.

Synthetic full backup

The backup software combines the last full backup with subsequent incrementals to create a new full backup without re-reading data from the source. This gives you the restore simplicity of full backups with the efficiency of incrementals.

Most modern backup solutions use a combination of these approaches, running full backups periodically with incrementals between them.

Cloud backup considerations

Cloud backup has become a standard component of most backup strategies, but it comes with specific considerations for South African businesses:

Bandwidth and connectivity

Large initial backups (the “seed”) can take days or weeks over South African internet connections, even on fibre. Some providers offer physical seeding - shipping a drive with your initial data - to overcome this. Ongoing incremental backups are more manageable but still require reliable bandwidth.

Data sovereignty

POPIA requires that personal data transferred outside South Africa receives adequate protection. If your cloud backup stores data in an international data centre, ensure your provider offers contractual guarantees aligned with POPIA requirements. Some providers now offer South African data centre regions, simplifying compliance.

Recovery bandwidth

Backing up to the cloud is one challenge. Restoring from it - potentially terabytes of data over an internet connection - is another. Factor recovery bandwidth into your RTO calculations. For critical systems, consider maintaining a local backup copy for rapid restore alongside the cloud copy for offsite protection.

Cost management

Cloud backup pricing typically includes storage costs and data transfer costs (egress charges for restoring data). Model your costs over time, including growth projections and periodic full restores, to avoid billing surprises.

Integrating cloud backup with your broader infrastructure and cloud architecture strategy ensures a cohesive approach to data protection.

Retention policies

How long you keep backups depends on business requirements, regulatory obligations, and storage costs:

• Operational retention - short-term backups (daily, weekly) for recovering from recent incidents. Typically 30–90 days.
• Compliance retention - POPIA, FICA, Companies Act, and sector-specific regulations may mandate retaining certain data for specific periods (often 5–7 years).
• Legal hold - data relevant to pending or anticipated litigation must be preserved regardless of standard retention schedules.

A tiered retention approach - keeping recent backups readily accessible and moving older backups to cheaper, slower storage - balances availability with cost.

Design your retention policies in writing, review them annually, and ensure your backup system enforces them automatically.

Ransomware-resistant backups

Given the prevalence of ransomware, every backup strategy should specifically address ransomware resilience:

• Immutable storage - use backup targets that support write-once-read-many (WORM) or object lock functionality
• Isolated credentials - backup system accounts should be separate from your Active Directory. If an attacker compromises your domain admin, they shouldn’t be able to delete your backups.
• Network isolation - backup infrastructure should be on a separate network segment with restricted access
• Anomaly detection - modern backup platforms can detect unusual patterns (sudden spike in change rate, mass file encryption) and alert before corrupted data propagates through your backup chain
• Delayed deletion - implement a waiting period before backup deletion requests take effect, providing time to detect and reverse malicious deletions

RTO and RPO: aligning backups with business needs

Two metrics drive your backup design:

• Recovery Time Objective (RTO) - how quickly must systems be restored after an incident? An RTO of 4 hours means your backup solution must be capable of restoring critical systems within 4 hours.
• Recovery Point Objective (RPO) - how much data loss is acceptable? An RPO of 1 hour means you need backups at least every hour. An RPO of zero means you need real-time replication.

Different systems have different RTOs and RPOs:

System type	Typical RTO	Typical RPO
Core business applications (ERP, CRM)	1–4 hours	15 min – 1 hour
Email and collaboration	2–8 hours	1–4 hours
File servers	4–24 hours	4–24 hours
Development/test	24–72 hours	24 hours

Align your backup frequency, technology, and restore capabilities with your business-defined RTOs and RPOs. Overprotecting low-priority systems wastes money. Underprotecting critical systems risks the business.

Testing your backups

Backup testing should be a scheduled, documented, recurring activity - not something you do once and forget about.

A practical testing programme:

1. Automated verification - enable backup verification features in your backup platform (checksum validation, boot verification for VM backups)
2. Monthly file-level restores - pick random files and restore them to verify the backup chain
3. Quarterly system restores - restore a complete system to an isolated environment and verify it functions correctly
4. Annual DR drill - simulate a full disaster scenario and execute your recovery plan end to end, measuring actual RTO and RPO against your targets

Document every test, including failures. Failed tests are valuable - they reveal problems while you still have time to fix them.

Build your backup strategy

A robust backup strategy protects your business from hardware failure, human error, ransomware, natural disasters, and regulatory enforcement action. The investment in getting it right is trivial compared to the cost of data loss.

Get in touch with us to review your current backup strategy, identify gaps, and implement a resilient, tested, cost-effective backup programme that aligns with your business continuity objectives.