Why Modern Backup Strategy Matters (3-2-1-1)
A friend of mine works in IT consulting, mostly on the operational side of things. He was recently called in by a potential client who had started seeing some concerning messages on their computer—clear warning signs that something wasn’t right.
He advised the client to slow down, investigate, and address the issue properly.
The client chose a different path.
They prioritized getting the business back up and running as quickly as possible.
A week later, they were hit with ransomware.
The First Recovery… and the Missed Gap
To his credit, my friend did a lot right during the initial recovery. He took time to ensure the business had a backup strategy in place. For its time, it was solid—aligned with what was considered best practice.
Back then, the gold standard was the 3-2-1 backup rule:
- 3 copies of your data
- 2 different storage media
- 1 copy stored off-site
On paper, that sounds like a strong strategy—and for years, it was.
But there was a critical gap.
What Changed: Attackers Got Smarter
Modern ransomware operators don’t just encrypt your data.
They:
- Gain access to your environment
- Move laterally
- Identify backup systems
- Delete or corrupt backups before deploying ransomware
Why?
Because if you can restore your data, you don’t need to pay.
The Evolution to 3-2-1-1
That’s why today’s best practice has evolved into 3-2-1-1:
- 3 copies of your data
- 2 different storage types
- 1 off-site copy
- 1 offline or immutable copy
That last “1” is the difference-maker.
Offline vs. Immutable Backups
To survive modern ransomware, at least one copy of your data must be:
🔒 Offline
Not connected to your network at all
- Example: tape backups, disconnected storage
🧊 Immutable
Stored in a way that prevents modification or deletion
- Example: object storage with immutability / retention locks
If an attacker can reach your backups, they can delete your backups.
The Case for “Old” Technology
I’ve always been a fan of tape backups.
That opinion tends to get some eye rolls from other technology folks—but here’s the reality:
Tape, when used correctly, is offline by default.
No network access. No API. No remote deletion.
That makes it inherently resilient to ransomware.
Now, to be fair:
- Tape libraries (robotic systems) can reduce that isolation
- Management practices matter
But the core idea holds: offline is powerful.
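As an added example (not part of the original post), here is a small Python audit of a backup inventory against the 3-2-1-1 rule, including the tape-library caveat above. The `Copy` fields, the function names and the sample inventories are constructed for illustration, and the production data is assumed to count as one of the three copies.

```python
from dataclasses import dataclass

@dataclass
class Copy:
    name: str
    media: str               # e.g. "disk", "object", "tape"
    offsite: bool            # kept away from the primary site
    network_reachable: bool  # can any networked host modify or delete it?
    retention_locked: bool   # immutability / retention lock enforced by the storage

def survives(c):
    """A copy survives an intruder only if it is offline or immutable."""
    return (not c.network_reachable) or c.retention_locked

def audit_3211(copies):
    """Return the 3-2-1-1 rules the inventory fails (empty list = pass)."""
    failures = []
    if len(copies) < 3:
        failures.append("3 copies")
    if len({c.media for c in copies}) < 2:
        failures.append("2 storage types")
    if not any(c.offsite for c in copies):
        failures.append("1 off-site")
    # Judged on reachability, not media type: a tape loaded in a networked
    # robotic library is still within an attacker's reach.
    if not any(survives(c) for c in copies):
        failures.append("1 offline or immutable")
    return failures

def attacker_survivors(copies):
    """Names of copies left after everything reachable and unlocked is deleted."""
    return [c.name for c in copies if survives(c)]

# Constructed inventories (hypothetical, for illustration only).
LEGACY_321 = [
    Copy("production file server", "disk", False, True, False),
    Copy("on-site backup server", "disk", False, True, False),
    Copy("cloud bucket, no retention lock", "object", True, True, False),
]
LIBRARY_TAPE = LEGACY_321 + [Copy("tape in networked library", "tape", False, True, False)]
HARDENED = LEGACY_321 + [Copy("ejected tape in vault", "tape", True, False, False)]

if __name__ == "__main__":
    for label, inv in [("3-2-1", LEGACY_321), ("library", LIBRARY_TAPE), ("3-2-1-1", HARDENED)]:
        print(label, "fails:", audit_3211(inv), "survivors:", attacker_survivors(inv))
```

The first inventory satisfies the older 3-2-1 rule yet leaves nothing behind once an intruder deletes what they can reach; only the ejected tape changes that outcome.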
Why This Matters
On the worst day your business will ever have—when ransomware hits—your backups determine your future.
You are either:
- Restoring operations and moving forward
or
- Rebuilding your business from scratch
There is no middle ground.
The Real Question
When everything else fails, it comes down to one simple question:
Do you still have a clean, recoverable copy of your data?
If the answer is no, then the only remaining copy may be in the hands of the attacker.
Final Thought
Backup strategy isn’t just about redundancy anymore—it’s about resilience against an active adversary.
If your backups can be deleted, they are not a reliable safety net.
Make sure your strategy includes that final layer.
Because when you need it, it’s already too late to fix it.