
Business Continuity: What Is the 3-2-1 Rule in IT?


Applying the 3-2-1 rule to your data backup strategy is baseline coverage.

When it comes to having an effective business continuity plan, there are a few non-negotiable rules for dealing with a major tech outage.

First and foremost, you must back up your data. You should have a lot of backups, or as many as possible.

Second, you should know the recovery point objective (RPO) and recovery time objective (RTO) of those backups. This will help calibrate your expectations and your business continuity plan to the reality of what your backups can restore after an outage. 

Next, make sure your IT organization or managed service provider is following the 3-2-1 rule in order to best preserve your data should an IT disruption occur. 

What Is the 3-2-1 Backup Rule? 

Unfortunately, most businesses can’t afford real-time redundancy on all their applications. Thankfully, it’s also largely unnecessary.

The key to an effective backup strategy is understanding your business and its unique needs. Tailor your business continuity plan to your business. Then, get your backup strategy to fit that plan.

This may sound easy enough, but businesses are dynamic. Business continuity plans and backups can quickly fall out of sync. If you follow the 3-2-1 rules of backups, you’ll save yourself a lot of headaches during a tech outage.  

Rule #3 – You need 3 copies of your data.  

Even a small event such as theft, fire, or a disgruntled employee (think: Capital One Breach) can wipe out crucial data. For businesses, having one backup of your data is simply not enough. Frankly, it’s borderline irresponsible. The first rule of 3-2-1 says that you need at least three copies of your data: the primary source of data and then two backups of that data.

Rule #2 – Those 2 extra backups should be on different storage media.  

All storage devices can and will fail. If you keep your data on an internal hard drive, then store your backup copies using different devices. You can use external hard drives or the cloud. Be sure to get two of those copies somewhere else.

Rule #1 – Keep 1 backup offsite.

Let’s not forget about natural disasters or critical events that are out of your control. In these instances, it’s important to leverage geographical redundancy. An offsite copy of data is especially critical when recovering from a ransomware attack. 

Logically, the 3-2-1 rule is very understandable. However, a lot of businesses are not applying these 3 rules to their recovery strategy. Get in touch with your IT leader or managed services provider to make sure you’re following the rules. 
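One way to check an inventory against the three rules, as an added example that is not part of the original article: the script below counts only backups that are newer than the RPO, so a copy that exists but has stopped updating does not count toward 3-2-1. The inventory, the field names and the medium and site labels are constructed for illustration, and the media check follows this article's reading that both backups sit on media different from the primary.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Copy:
    name: str
    role: str                # "primary" or "backup"
    medium: str              # e.g. "internal-hdd", "external-hdd", "cloud"
    site: str                # physical location label
    last_success: datetime   # last verified successful write


def check_321(copies, rpo, now):
    """Evaluate one dataset's copies against the 3-2-1 rule.

    A backup older than the RPO cannot meet the recovery target,
    so it is reported as stale and left out of every count.
    """
    primary = next(c for c in copies if c.role == "primary")
    backups = [c for c in copies if c.role == "backup"]
    fresh = [c for c in backups if now - c.last_success <= rpo]
    stale = [c.name for c in backups if now - c.last_success > rpo]
    return {
        # Rule #3: the primary plus at least two usable backups.
        "three_copies": 1 + len(fresh) >= 3,
        # Rule #2: both backups on media different from the primary's.
        "two_media": sum(c.medium != primary.medium for c in fresh) >= 2,
        # Rule #1: at least one usable backup at another site.
        "one_offsite": any(c.site != primary.site for c in fresh),
        "stale_backups": stale,
    }


# Constructed sample inventory (not real systems).
NOW = datetime(2024, 1, 10, 12, 0)
INVENTORY = [
    Copy("file-server", "primary", "internal-hdd", "hq", NOW),
    Copy("usb-drive", "backup", "external-hdd", "hq", NOW - timedelta(hours=6)),
    Copy("cloud-bucket", "backup", "cloud", "cloud-region", NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    # With a 24-hour RPO the three-day-old cloud copy is stale,
    # so the only offsite backup no longer counts.
    for rule, result in check_321(INVENTORY, timedelta(hours=24), NOW).items():
        print(f"{rule}: {result}")
```

On paper this inventory has three copies, two extra media and an offsite copy, yet it fails all three rules under a 24-hour RPO because the offsite job last succeeded three days ago.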

After everything is set, don’t forget to test your business continuity plan regularly. 



