The 3-2-1-1 Backup Rule: Why Small Businesses Need to Upgrade Their Strategy Right Now in 2026

Vietify IT Team · 5 min read

2026 ransomware actively hunts and destroys your backups before attacking. The 3-2-1-1 rule is your last line of defence.


A Warning Story: "We Have a Backup"

In March 2025, an 18-person logistics company in Da Nang was hit by ransomware on a Friday evening. On Monday morning, they found their entire system encrypted.

The IT director was confident: "Don't worry, we have automatic nightly backups."

But when they checked — the backups were encrypted too. Why? The backups were stored on a network drive connected to the main server. The ransomware had been inside the network for 14 days before triggering — plenty of time to find and encrypt the backups.

The result: 5 days of lost operations, over 80M VND in recovery costs, and the loss of their largest partner's trust.


The Classic 3-2-1 Rule and Its Limitations

The 3-2-1 rule dates back to the early 2000s:

  • 3 copies of your data
  • 2 different media types
  • 1 offsite copy

Before sophisticated ransomware, this worked well. But today's ransomware can:

  • Compromise admin credentials and delete connected cloud backups
  • Spread via VPN to your second office ("offsite" backup included)
  • Wait weeks until all backup rotation points are infected

That's why the rule has been upgraded to 3-2-1-1.


The 3-2-1-1 Rule: Adding an Unbreakable Layer

  • 3 total copies of your data
  • 2 different storage types
  • 1 offsite copy
  • 1 immutable copy — cannot be modified or deleted during its retention period

The immutable copy is the critical addition. An immutable backup:

  • Cannot be overwritten by malware
  • Cannot be deleted — even by someone with admin rights
  • Is locked for a defined period (e.g., 30 days, 90 days)
  • Uses Object Lock (S3-compatible) or WORM (Write Once, Read Many) technology

Implementing 3-2-1-1 for a Real Vietnamese Business

Layer 1 — On-Premises Copy

Purpose: Fast recovery of individual files, short RTO

Common solutions:

  • Synology NAS with Hyper Backup
  • Windows Server Backup to rotating USB drive
  • Veeam Backup to internal NAS

Important: This layer should NOT be connected to the network during business hours — only connect when backing up.

Layer 2 — Secondary Device Copy

Purpose: Redundant device, protection from hardware failure

Common solutions:

  • Second NAS at the director's home / other location
  • Veeam replication to NAS in secondary server room
  • Rotating external hard drives moved offsite daily

Layer 3 — Immutable Cloud (Most Important)

Purpose: Last line of defence against ransomware

Recommended solutions:

| Provider | Object Lock | Price (USD/TB/month) | Notes |
|---|---|---|---|
| Wasabi Hot Cloud Storage | ✅ Yes | $6.99 | No egress fees |
| Backblaze B2 | ✅ Yes | $6.00 | Free egress for many partners |
| Viettel Cloud Storage | ✅ Yes | Contact | Servers in Vietnam |
| Amazon S3 Glacier | ✅ Yes | $3.50 | Slower recovery (good for long-term archiving) |

How Object Lock Works

Object Lock operates in two modes:

Governance Mode: Only users with special permissions can delete before the deadline. Suitable for most SMBs.

Compliance Mode: Absolutely no one can delete before the deadline — not even the AWS/Wasabi/Viettel admin team. Suitable for high-compliance requirements.

When ransomware infiltrates and attempts to delete your cloud backup, Object Lock rejects the request. The backup remains safe.
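A quick way to confirm that the immutable layer is configured the way the two modes above describe, as an added example that is not part of the original article. It inspects the JSON returned by the S3 API call GetObjectLockConfiguration (for instance via `aws s3api get-object-lock-configuration`); the function name, the 30-day threshold and the sample responses are assumptions constructed for illustration.

```python
# Added example: audit a bucket's Object Lock settings offline from the
# GetObjectLockConfiguration response. Names and samples are hypothetical.
MIN_RETENTION_DAYS = 30  # assumed policy minimum; adjust to your retention plan


def audit_object_lock(response, min_days=MIN_RETENTION_DAYS):
    """Return a list of findings; an empty list means the bucket passes."""
    cfg = response.get("ObjectLockConfiguration", {})
    # A missing or empty configuration is treated as "not enabled".
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled: backups can be deleted or overwritten"]
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if not default:
        return ["No default retention: objects are locked only if the backup "
                "tool sets a retention date on every upload"]
    findings = []
    # The API expresses default retention in Days or in Years, never both.
    days = default.get("Days") or default.get("Years", 0) * 365
    if days < min_days:
        findings.append(f"Default retention is {days} days, below the "
                        f"{min_days}-day minimum")
    mode = default.get("Mode")
    if mode == "GOVERNANCE":
        findings.append("GOVERNANCE mode: principals holding "
                        "s3:BypassGovernanceRetention can delete early; "
                        "review who has that permission")
    elif mode != "COMPLIANCE":
        findings.append(f"Unknown retention mode: {mode!r}")
    return findings


# Constructed sample responses (not taken from a real bucket).
WEAK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled", "Rule": {
    "DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
STRONG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled", "Rule": {
    "DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}

if __name__ == "__main__":
    for name, resp in [("weak", WEAK), ("strong", STRONG), ("none", {})]:
        print(name, audit_object_lock(resp) or "PASS")
```

Run it against every bucket that holds the immutable copy, using credentials separate from the ones the backup job uses.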


Recommended Backup Schedule

| Frequency | Type | Retention | Location |
|---|---|---|---|
| Continuous (every 15 min) | Change snapshot (for critical servers) | 24 hours | Internal NAS |
| Daily | Full incremental backup | 30 days | NAS + Immutable Cloud |
| Weekly | Full backup | 3 months | Immutable Cloud |
| Monthly | Full snapshot | 1 year | Immutable Cloud (archive tier) |

Backup Testing: The Most Skipped Step

An untested backup is a fake backup. Minimum testing schedule:

  • Weekly: Check logs — did backup complete without errors?
  • Monthly: Restore 3–5 random files and verify their content
  • Quarterly: Restore a complete VM or server to a test environment
  • Annually: Full disaster recovery simulation

Document every test result. If a test fails — this is information you need to know before a real incident occurs.
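One way to make the monthly "restore random files and verify their content" test repeatable, as an added example that is not part of the original article: record SHA-256 hashes at backup time, restore a random sample with your backup tool, then compare. The function names, manifest format and demo files are assumptions constructed for illustration.

```python
# Added example: verify a sample of restored files against hashes recorded
# at backup time. The restore itself is performed by your backup tool.
import hashlib
import random
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(source_dir):
    """At backup time: map each file's relative path to its SHA-256."""
    root = Path(source_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def pick_sample(manifest, k=5, seed=None):
    """Choose up to k files at random; pass a seed to reproduce a test run."""
    return random.Random(seed).sample(sorted(manifest), min(k, len(manifest)))


def verify_restore(manifest, restore_dir, sample):
    """Return {path: 'ok' | 'missing' | 'mismatch'} for each sampled file."""
    results = {}
    for rel in sample:
        restored = Path(restore_dir) / rel
        if not restored.is_file():
            results[rel] = "missing"
        elif sha256_file(restored) != manifest[rel]:
            results[rel] = "mismatch"
        else:
            results[rel] = "ok"
    return results


def demo():
    """Constructed data: one good restore, one corrupted, one never restored."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        src.mkdir()
        dst.mkdir()
        for name, data in [("a.txt", b"invoice"), ("b.txt", b"orders"), ("c.txt", b"payroll")]:
            (src / name).write_bytes(data)
        manifest = build_manifest(src)
        (dst / "a.txt").write_bytes(b"invoice")
        (dst / "b.txt").write_bytes(b"orderz")  # simulated corruption
        return verify_restore(manifest, dst, pick_sample(manifest, k=3, seed=1))
```

Keep the manifest with the immutable copy so that it cannot be altered together with the backups, and file the returned results as the documented test record.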

[Image: IT team performing full system recovery drill in a test lab environment]
Regular recovery drills tell you exactly how long your business needs to recover — not during the incident itself.


Where Does Your Business Stand?

Quick self-assessment:

  • I have at least 3 copies of my data
  • Copies are stored on at least 2 different storage types
  • At least 1 copy is offsite (different physical location)
  • At least 1 copy is immutable — ransomware cannot delete it
  • Backups are restore-tested at least quarterly
  • Backup retention is at least 30 days

If you can't check all of these — that's the gap you need to close before disaster strikes.


Vietify IT Implements 3-2-1-1 for You

We design and manage 3-2-1-1 backup strategies suited to the size and budget of every business in Da Nang.

Book a Free Backup Assessment. We'll review your current configuration and show you exactly which protection layer you're missing — completely free of charge.

Call: 0914 985 772 | vietify.vn/contact


Vietify IT Services — Da Nang's Backup and Disaster Recovery Specialists.


Updated: 20/4/2026