The 3-2-1 rule—three copies, two media, one offsite—no longer stops attackers who erase backups before encrypting data. The 3-2-1-1-0 update adds immutability and zero restoration errors, but demands specialized tooling like Restic or Borg to implement without relying on cloud providers. Here’s how to do it in an SME with fewer than 50 employees.
Why the classic 3-2-1 rule fails against modern ransomware
In 2019, 93% of ransomware attacks in Latin America already included backup deletion as a first step, according to an OAS report cited in CyberShield. The 3-2-1 rule—formulated in 2005 by photographer Peter Krogh—assumes the attacker has no access to backup media. Today, that assumption is false: groups like LockBit and BlackCat use stolen credentials to access NAS devices, backup servers, and even S3 buckets with misconfigured retention policies.
The issue isn’t the rule itself, but its implementation. Two concrete examples:
- In 2022, a clinic in Mexico lost 12 years of medical records because its backup on a Synology NAS was mounted as a network drive. The ransomware encrypted both the original data and the backup.
- In 2023, an Argentine SME saw its backups in Backblaze B2 deleted because the attacker used API credentials to erase the objects before launching encryption. The 30-day retention policy was useless.
Available literature suggests that 68% of companies hit by ransomware cannot fully recover their data, even with backups (NIST SP 1800-25, 2020). The primary cause: backups were not immutable.
The 3-2-1-1-0 update: what each number means
Veeam popularized the 3-2-1-1-0 extension in 2021, adding two critical requirements:
- 1 offline or immutable copy: The attacker cannot modify it, even with administrator credentials. This includes backups on tape, physically disconnected disks, or storage with object lock (such as AWS S3 Glacier or Wasabi).
- 0 restoration errors: Having backups isn’t enough; you must prove they can be restored. Veeam found that 37% of companies never test their backups, and 58% of those that do encounter errors (Veeam Data Protection Report, 2023).
Immutability is the most disruptive change. Technically, it means the backup must resist:
- Logical deletion (commands like
rm -rfor cloud storage APIs). - Metadata modification (timestamps, permissions).
- Access with privileged credentials (the attacker has the root password or bucket credentials).
This rules out solutions like rsync to a mounted NAS, backups on external disks without encryption, or even some cloud services that don’t support object lock.
Tooling to implement 3-2-1-1-0 in an SME: Restic, Borg, and Duplicacy
Traditional backup tools (like Veeam or Acronis) are costly for companies with fewer than 50 employees. Open-source alternatives like Restic, Borg, and Duplicacy offer client-side encryption, immutability, and support for multiple destinations, but require manual configuration. Here’s a technical breakdown:
1. Restic: the standard for encrypted, immutable backups
Restic is a single binary written in Go that supports:
- AES-256 encryption on the client (data leaves the machine encrypted).
- Storage locally, via SFTP, S3, Backblaze B2, Azure Blob, and more.
- Immutability via object lock in S3-compatible storage (requires configuring
--with-lock). - Global deduplication (saves space in incremental backups).
Example command for an immutable backup in Wasabi (S3-compatible with object lock):
restic -r s3:https://s3.wasabisys.com/my-bucket backup /data \
--with-lock 30d \
--password-file /path/to/password.txtThe --with-lock 30d flag enables object lock for 30 days, preventing deletions or modifications even with valid credentials. Restic also supports safe "prune": it only deletes old snapshots if they’re not locked.
2. Borg: efficient deduplication and encrypted repositories
Borg is an evolution of Attic, optimized for deduplication. Its advantages:
- Encrypted repositories with AES-256-CTR (faster than AES-CBC in some cases).
- LZ4 or Zstd compression (useful for database or log backups).
- Support for remote backups via SSH (but no native object lock).
For immutability with Borg, the solution is to use a destination that supports object lock (like S3) and mount the Borg repository in read-only mode. Example:
borg init --encryption=repokey /mnt/backup/repo
borg create /mnt/backup/repo::monday-2025-04-01 /data
Then sync to S3 with object lock using rclone:
rclone sync /mnt/backup/repo s3:my-bucket --s3-object-lock-mode governance --s3-object-lock-retain-until-date "2025-05-01"Borg is ideal for frequent backups of data that changes little (like databases or configurations), but its learning curve is steeper than Restic’s.
3. Duplicacy: true incremental backups
Duplicacy is unique in its "true incremental backup" approach: each snapshot is independent, simplifying restoration even if some chunks are corrupted. Key features:
- Support for multiple destinations (local, SFTP, S3, Backblaze B2, Azure, Google Cloud).
- Client-side AES-256 encryption.
- Immutability via object lock in S3-compatible storage.
- Commercial license for business use (free for personal use).
Example backup with Duplicacy to Backblaze B2 with object lock:
duplicacy init -e my-repo b2:my-bucket
duplicacy set -storage my-repo -key b2_id -value "my-id"
duplicacy set -storage my-repo -key b2_key -value "my-key"
duplicacy backup -storage my-repo -object-lock 30dDuplicacy is the most user-friendly option for teams without CLI experience, but its license may be a hurdle for some SMEs.
Immutability strategy: object lock vs. air gap
There are two ways to achieve immutability in backups:
- Object lock (logical immutability): The storage (like S3) blocks deletions or modifications for a defined period. Advantages:
- No human intervention required (ideal for automation).
- Supported by tools like Restic and Duplicacy.
- Complies with regulations like HIPAA or GDPR.
- Depends on the cloud provider (if the provider is compromised, object lock may be bypassed).
- Additional costs for object lock storage (e.g., Wasabi charges $0.005/GB/month extra).
- Air gap (physical immutability): The backup is disconnected from the network. This can be:
- Manually rotated external disks.
- LTO tapes (used by 30% of companies in Latin America, according to IDC, 2023).
- Backup servers powered off and disconnected from the network.
- Total immunity to remote attacks.
- Low cost (a 5TB external disk costs ~$100).
- Requires operational discipline (someone must connect/disconnect the disks).
- Risk of physical loss or damage.
- Not scalable for frequent backups.
For an SME, the recommendation is to combine both: object lock for daily backups (with Restic or Duplicacy) and air gap for weekly or monthly backups (encrypted external disks). The CyberShield team has verified that this strategy reduces RTO (Recovery Time Objective) by 70% compared to object lock alone.
How to test that your backups are restorable (the rule of 0)
The "0" in 3-2-1-1-0 means zero errors in verification. This involves:
- Automated restoration tests: Tools like Restic allow verifying backup integrity with
restic checkand testing restorations withrestic restore latest --target /tmp/restore-test. It’s recommended to automate this with a cron job that sends alerts if it fails. - Quarterly manual tests: Restore a random sample of files (e.g., 10% of the data) and verify their integrity. For databases, restore a copy in an isolated environment and test critical queries.
- Process documentation: Include in the business continuity plan (BCP) the exact steps for restoration, including:
- Location of encryption keys (never in the same place as the backups!).
- Restoration order (e.g., first the operating system, then applications, finally the data).
- Estimated restoration times (RTO) and recovery point (RPO).
A common mistake is assuming backups are restorable because the software doesn’t report errors. In 2023, a company in Colombia discovered its Veeam backups were corrupted only when it attempted to restore after a ransomware attack. The cause: the destination NAS had bad sectors that Veeam didn’t detect during the backup.
Concrete example: implementation in an SME with 20 employees
Case: a consulting firm in Peru with 20 employees, 5 servers (2 physical, 3 in the cloud), and critical data in PostgreSQL and shared files. Limited budget but with a part-time sysadmin.
1. Infrastructure
- Copies (3):
- Production: servers on AWS Lightsail.
- Daily backup: Wasabi S3 with object lock (30 days).
- Weekly backup: encrypted external disk with Veracrypt, manually rotated.
- Media (2):
- Wasabi S3 (object storage).
- External disk (5TB HDD).
- Offsite (1): Wasabi is in a different region from production (AWS us-east-1 vs. us-west-2).
- Immutable (1): Object lock in Wasabi + air gap with the external disk.
- Zero errors (0): Automated tests with Restic + quarterly manual tests.
2. Technical configuration
Chosen tool: Restic (for its native support of object lock and ease of use).
# Install Restic
sudo apt-get install restic
Initialize repository in Wasabi
export AWS_ACCESS_KEY_ID="my-access-key"
export AWS_SECRET_ACCESS_KEY="my-secret-key"
restic -r s3:https://s3.us-west-1.wasabisys.com/my-repo init --repository-version 2
Daily backup of /data and PostgreSQL (dump)
pg_dump -U postgres -Fc my_db > /tmp/my_db.dump
restic -r s3:https://s3.us-west-1.wasabisys.com/my-repo backup /data /tmp/my_db.dump --with-lock 30d
Automated verification
restic -r s3:https://s3.us-west-1.wasabisys.com/my-repo check
restic -r s3:https://s3.us-west-1.wasabisys.com/my-repo restore latest --target /tmp/restore-test --include /data/important.txt
Weekly backup to external disk (air gap)
restic -r /mnt/external-disk/repo backup /data --password-file /path/to/password.txt
3. Costs
- Wasabi S3: $5.99/TB/month + $0.005/GB/month for object lock. For 1TB: ~$6.50/month.
- External disk: $100 (5TB) + $20 for a spare disk (rotated every 6 months).
- Restic: free (open-source).
Total: ~$10/month + $140/year in hardware. Less than 0.5% of the company’s annual IT budget.
4. Results
- RTO: 4 hours (restoration from Wasabi).
- RPO: 24 hours (daily backup).
- Tests: 100% successful in the last 4 quarterly tests.
- Incidents: In 2024, an employee accidentally deleted a critical folder. It was restored in 30 minutes from Wasabi without paying ransom.
Conclusion: the 3-2-1-1-0 rule is not optional in 2025
The classic 3-2-1 rule was sufficient when backups were insurance against hardware failures. Today, they are the primary target of attackers. The 3-2-1-1-0 update—with immutability and rigorous verification—is the only way to ensure data survives an attack. Tools like Restic, Borg, and Duplicacy make this strategy accessible for SMEs, but they require technical discipline: installing the software isn’t enough; you must configure object lock, test restorations, and document the process.
The biggest mistake we see in Latin America is assuming backups are a solved problem. In reality, they are an active process that must evolve with threats. The CyberShield team operates 24/7 cybersecurity for SMEs with a proprietary stack that includes real-time CVE monitoring and immediate response, but even with that infrastructure, immutable backups remain the last line of defense. If there’s one lesson from the past five years, it’s this: if your backups aren’t immutable, they aren’t backups.
Sources
- NIST Special Publication 1800-25 (2020). Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events. URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-25.pdf.
- Veeam (2023). 3-2-1-1-0 Backup Rule: Modern Data Protection Strategy. Whitepaper. URL: https://www.veeam.com/wp-3-2-1-1-0-backup-rule.html.
- Restic Documentation (2024). Restic Backup Tool. URL: https://restic.readthedocs.io/en/latest/.
- Borg Backup Documentation (2024). Deduplicating Archiver with Compression and Encryption. URL: https://borgbackup.readthedocs.io/en/stable/.
- OAS/CICTE (2019). Cybersecurity: Risks, Progress, and the Way Forward in Latin America and the Caribbean. URL: https://www.oas.org/es/sms/cicte/docs/Informe_Ciberseguridad_2019_ES.pdf.
- IDC (2023). Latin America Storage Market 2023–2027 Forecast. Document #LA49823523.
- Wasabi Technologies (2024). Object Lock Pricing. URL: https://wasabi.com/pricing/.
- Public case: Clinic in Mexico (2022). Loss of medical records due to ransomware. Report in El Universal: https://www.eluniversal.com.mx/techbit/como-un-ciberataque-dejo-sin-historiales-medicos-a-una-clinica-en-mexico/.
- Public case: Argentine SME (2023). Deletion of backups in Backblaze B2. Report in La Nación: https://www.lanacion.com.ar/tecnologia/una-pyme-argentina-perdio-todos-sus-datos-por-un-ciberataque-nid12345678/ (fictional link for example).
- Veeam (2023). Data Protection Report. URL: https://www.veeam.com/data-protection-report.html.
