The 3-2-1 Backup Strategy: A Complete Guide to Protecting Business Data
A detailed guide to implementing a robust backup strategy. The 3-2-1 methodology, tool selection, ransomware protection, and recovery testing.
Yulia M., Senior Security Engineer

Data loss is an event after which 60% of small and medium businesses close within 6 months. This is not an exaggeration — it is a statistic from the National Cyber Security Alliance. Meanwhile, from our audit experience in Moldova, over 40% of companies either do not back up at all or do it incorrectly: to the same physical disk, without testing recovery, without ransomware protection. A backup that has never been tested is not a backup — it is an illusion of safety.

The 3-2-1 rule is the gold standard of backup, invented by photographer Peter Krogh but adopted by the entire IT industry. Three means: at least three copies of your data. Two means: on two different storage types (e.g., SSD server + HDD + cloud). One means: at least one copy offsite. This protects against any single event: disk failure, server room fire, ransomware attack, administrator error.

But in 2025, the 3-2-1 rule needs an update: 3-2-1-1-0. The additional one means one immutable copy — one that cannot be deleted or encrypted by ransomware. Zero means zero errors in recovery verification. This addresses modern threats where attackers specifically seek out and destroy backups before encrypting primary data.

Step one: data classification. Not all data is equally valuable. Define three categories. Critical: customer database, financial transactions, source code — loss is irreplaceable, RPO (acceptable loss) under 1 hour. Important: server configurations, logs, marketing materials — RPO up to 24 hours. Archival: old reports, closed projects — RPO up to 7 days. Different classification = different backup frequency = cost optimization.

Step two: define RPO and RTO. RPO (Recovery Point Objective) — how much data can you afford to lose? If RPO = 1 hour, backups must run at least hourly. RTO (Recovery Time Objective) — how quickly must you restore operations? If RTO = 4 hours, you need a tested recovery procedure that fits within 4 hours. These metrics are defined by the business, not the IT department.

Step three: tool selection. For file backups, we recommend restic — fast, with deduplication and encryption, supports S3, SFTP, local disks. For PostgreSQL — pg_dump for logical backups (with the ability to restore individual tables) and WAL-G for continuous archiving with point-in-time recovery (PITR). For MySQL — mysqldump + binlog for similar PITR. For Kubernetes — Velero for full cluster backup including PersistentVolumes.

Step four: automation. Backups that depend on a human eventually stop being performed. Set up cron jobs or systemd timers for automatic execution. Every backup must be logged: start time, end time, size, status. Configure alerts for when a backup fails or takes anomalously long.

Step five: offsite storage. A local backup protects against disk failure but not against fire, theft, or ransomware. At least one copy must be offsite. Options: cloud storage (AWS S3, Backblaze B2, Hetzner Storage Box), a second data center, or even physical media at another office. For EU companies: the storage must be in the EU (GDPR compliance).

Step six: immutable backups. Modern ransomware attacks first seek and destroy backups, then encrypt data. Protection: Object Lock in S3 (WORM — Write Once Read Many), immutable snapshots in restic, or air-gapped backups (physically disconnected from the network). This is your last line of defense.

Step seven: recovery testing. This is the most important and most neglected step. Every month, perform a test recovery: take the latest backup, restore it to a test server, verify data integrity, measure the time. Document the result. If recovery took 8 hours but RTO = 4 hours — you have a problem. Solve it BEFORE an incident, not during.

Step eight: monitoring and reporting. Integrate backup monitoring into your overall observability system. Prometheus metrics: time of last successful backup, backup size, duration, error count. A Grafana dashboard for quick overview. Monthly report for management: were all backups executed, were recovery tests performed, what is the current data storage volume.

Database backup specifics. File-level backup of a running database is like photographing a moving train: the result may be inconsistent. Always use tools specific to your DBMS. For PostgreSQL: pg_dump for logical backups (daily) + WAL archiving for continuous backup (RPO = seconds). For MySQL: mysqldump --single-transaction + binlog. For MongoDB: mongodump with --oplog.

The cost of inaction vs. the cost of backup. The calculation is straightforward. A typical ransomware attack costs a mid-size company €50,000-€200,000 (including downtime, recovery, ransom, reputation loss). A professional backup system: €500 for setup + €50-100/month for cloud storage. That is 0.1% of potential losses.

At WebDirect, we implement backup strategies in 5 business days. Included: strategy design (RPO/RTO for each system), automated scripts, offsite storage, immutable backups, documented test recovery, monitoring and alerting, team training. Cost: from €500. Start with a free IT Health Check to assess the current state of your backups.
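As an added example (not code from this article or from WebDirect), the logging and alerting side of steps four and eight as a POSIX shell wrapper: it runs any backup command (restic, pg_dump, mysqldump), logs start, end, duration, size and status, and writes node_exporter textfile metrics that Prometheus can alert on. The log path, metrics directory and the cron line are assumptions.

```shell
#!/bin/sh
# Wrapper for any backup command: logs start/end/size/status and writes
# Prometheus textfile-collector metrics. LOG_FILE and METRICS_DIR are
# assumed locations for this example; override them via the environment.
LOG_FILE="${LOG_FILE:-/var/log/backup.log}"
METRICS_DIR="${METRICS_DIR:-/var/lib/node_exporter/textfile_collector}"

now_iso() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# backup_job NAME REPO_DIR COMMAND... ; returns the exit status of COMMAND
backup_job() {
    name="$1"; repo="$2"; shift 2
    metrics="$METRICS_DIR/backup_$name.prom"
    start=$(date +%s)
    printf '%s start job=%s\n' "$(now_iso)" "$name" >> "$LOG_FILE"
    "$@"
    status=$?
    end=$(date +%s)
    size=$(du -sk "$repo" 2>/dev/null | cut -f1)
    # On failure keep the previous success timestamp: the alert rule
    # "time() - backup_last_success_timestamp_seconds > RPO" then fires only
    # once the gap really exceeds the RPO, instead of the metric vanishing.
    prev=$(awk '/^backup_last_success_timestamp_seconds/ {print $2}' "$metrics" 2>/dev/null || true)
    if [ "$status" -eq 0 ]; then success=$end; else success=${prev:-0}; fi
    printf '%s end job=%s status=%s duration=%ss size_kb=%s\n' \
        "$(now_iso)" "$name" "$status" "$((end - start))" "${size:-0}" >> "$LOG_FILE"
    {
        printf 'backup_last_run_timestamp_seconds{job="%s"} %s\n' "$name" "$end"
        printf 'backup_last_success_timestamp_seconds{job="%s"} %s\n' "$name" "$success"
        printf 'backup_duration_seconds{job="%s"} %s\n' "$name" "$((end - start))"
        printf 'backup_size_kilobytes{job="%s"} %s\n' "$name" "${size:-0}"
        printf 'backup_last_status{job="%s"} %s\n' "$name" "$status"
    } > "$metrics.tmp" && mv "$metrics.tmp" "$metrics"  # atomic: no half-written file for the collector
    return "$status"
}

# rpo_check NAME RPO_SECONDS ; succeeds only if the last successful run is within the RPO
rpo_check() {
    last=$(awk '/^backup_last_success_timestamp_seconds/ {print $2}' "$METRICS_DIR/backup_$1.prom" 2>/dev/null || true)
    [ $(( $(date +%s) - ${last:-0} )) -le "$2" ]
}

# Example cron entry for the "critical" class (hourly, RPO 1 h); paths are assumed,
# and restic reads its key from RESTIC_PASSWORD_FILE in cron's environment:
# 0 * * * *  . /usr/local/lib/backup_job.sh && backup_job db /srv/restic-db \
#              restic -r /srv/restic-db backup /var/lib/postgresql
```

The matching Prometheus rule for the critical class is `time() - backup_last_success_timestamp_seconds > 3600`, which turns the RPO from step two into an alert rather than a wish.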
