Key insight

A backup is a second copy kept safe, so that when everything else fails you can simply restore. The 3-2-1 rule captures decades of hard-won wisdom: three copies, on two kinds of storage, with one kept off-site. Two words decide whether a backup actually saves you: offline (out of reach of whatever it protects you from) and tested (you have actually restored from it). Get those right and even ransomware becomes a bad afternoon rather than a catastrophe.

Of every defense in this series, backups are the humble one that saves you when all the others have already failed. A backup is simply a second copy of your important data, kept somewhere safe, so that if the original is lost, you can get it back. Its power is that it does not depend on stopping the attacker or the disaster at all: ransomware encrypted everything? Restore. A server died in a flood? Restore. This is why backups are the last line of defense — and why attackers who know what they are doing try so hard to destroy them first.

1 · The safety net under everything

An attacker who has beaten every one of your other defenses still has not truly won if you can calmly wipe the mess and restore a clean copy from yesterday. That is what makes backups special: they work no matter how the loss happened. The catch, which the rest of this topic is about, is that a backup only saves you if it survives the same event that destroyed the original, and if it actually works when you reach for it.

Everything else fails, but a clean backup copy survives to restore from A red crossed-out database labelled Everything else failed leads by a green arrow to a green database labelled A clean copy survives. A caption states a backup is a second copy, kept safe, for when the first is lost. Everything else failed A clean copy survives A backup is a second copy, kept safe, for when the first is lost
Figure 1. Backups defend against outcomes, not attacks — which is why they work when every prevention has already failed.

2 · The 3-2-1 rule

A simple, memorable recipe captures decades of backup wisdom: the 3-2-1 rule. Three: keep at least three copies of anything important — the original plus two backups — so no single loss wipes you out. Two: store them on at least two different kinds of storage (say, a physical drive and the cloud), so a problem with one type does not take out all your copies. One: keep at least one copy physically separate, off-site. The whole rule is one idea repeated: do not let all your eggs share a single basket, because whatever empties that basket — a fire, a flood, a burglary, ransomware spreading across a network — would otherwise take every copy with it.

The 3-2-1 rule: three copies, two kinds of storage, one kept off-site Three teal database icons labelled 3 copies, two amber storage icons labelled 2 kinds of place, and one blue globe labelled 1 far away. A caption states three copies, two types of storage, one kept off-site. 3 copiesnever just one 2 kinds of placedrive + cloud 1 far awayoff-site Three copies, two types of storage, one kept off-site
Figure 2. The plain arithmetic of surviving a disaster: never let one event reach every copy you have.

3 · A reachable backup is no backup

Here is the mistake that turns a backup into false comfort. Many people faithfully back up their data, but keep that backup constantly connected to the very system it protects — on the same network, always reachable. Then ransomware strikes, spreads, and encrypts not just the originals but the connected backup too, because from the malware's point of view it was just another folder to lock. Now there are two useless copies. The word that fixes this is offline, or air-gapped: at least one backup copy must be kept out of reach of the thing it protects you from — disconnected, or in storage the main systems cannot casually touch. A backup an attacker can reach is a backup an attacker can destroy. The copy that saves you is precisely the one your disaster could not follow.

4 · An untested backup is only a wish

There is a second, quieter trap, and it is heartbreaking every time. A team backs up faithfully for years, feels safe, and then, on the worst day, tries to restore — and the backups do not work: incomplete, corrupted, quietly stopped months ago, or nobody knows how to bring them back. A backup you have never tested restoring is not a backup; it is a hope. The only way to know a backup truly works is to actually restore from it, deliberately, on a normal day when nothing is on fire, and confirm the data comes back correct and complete. Serious organizations schedule these test restores regularly, precisely so the answer is known in advance. The rule is blunt: if you have not tested restoring it, you do not have a backup, you have an assumption.

5 · Two plain questions: how much, how fast

Two plain questions turn backups from a vague good intention into an actual plan. First: how much data can you afford to lose? If you back up once a day, a disaster at day's end could cost a whole day's work — everything since the last backup. If losing a day is fine, daily backups suffice; if you could only bear to lose an hour, you need to back up far more often. Second: how fast do you need to be back up and running? Restoring a small file takes minutes; rebuilding an entire company's systems can take days, and every hour of downtime has a cost. Professionals give these formal names, but the questions underneath are exactly this simple. Answer them honestly for each important system, and the right backup approach almost designs itself.

6 · A worked example: same attack, two endings

Picture two companies hit by the exact same ransomware, on the same morning, through the same flaw. The first backed up sometimes, but kept its only backup connected to the main network, and had never tested a restore. The ransomware encrypts the originals and the backup together. Now they face a nightmare: pay a criminal a fortune with no guarantee, or lose everything and perhaps not survive. The second followed 3-2-1, kept one backup offline and out of reach, and tested restores every month. They contain the infection, wipe the affected machines, restore from the clean offline copy, and are largely running again by lunchtime — the ransom demand is simply irrelevant. Same attack, same flaw, same day, two completely different endings. The entire difference was a backup kept out of reach and known to work.

The same ransomware, with two endings depending on the backup A red lock labelled The same ransomware branches to two outcomes: a red crossed-out database labelled No offline backup, pays or dies, and a green database labelled Tested offline backup, restores by lunch. A caption states the backup decided everything. The same ransomware No offline backup: pays, or dies Offline backup: restores by lunch Identical attack — the backup decided everything
Figure 3. Prevention was identical for both companies. What separated survival from disaster was a backup that was out of reach and proven to work.

7 · What it means for AI systems

AI changes backups in two small but real ways. First, an AI system is more than its data; it also has a configuration, a set of instructions or prompts, and connections to other systems — all of which can be lost, corrupted, or maliciously changed just like data. So backing up an AI system means capturing not only the information it works with, but how it is set up, so you can rebuild the whole thing correctly. Second, AI is genuinely helpful on the other side: agents can automate the tedious, easily-forgotten work of running backups on schedule, and can help verify that restores actually succeed. The underlying rules do not bend: keep multiple copies, keep one out of reach, and test that you can actually restore. AI just adds a few more things worth backing up, and a capable assistant for doing it faithfully.

8 · A simple test you can run this week

The most valuable hour in this series

1. Pick one thing — personal or work — you genuinely could not bear to lose.
2. Count its copies: do you have 3-2-1?
3. Is at least one copy truly offline / out of reach of ransomware or a network-wide disaster?
4. Actually restore one file from it, right now, and confirm it comes back correct.

The lesson above all others: an untested backup is only a wish, but a tested, out-of-reach backup is the rescue that makes even the worst attack survivable.

9 · Glossary — every term, spelled out

Backup
A second copy of important data kept safe, so the original can be restored if it is lost.
3-2-1 rule
Keep three copies, on two kinds of storage, with one off-site — so no single event destroys them all.
Offline / air-gapped backup
A backup kept disconnected and out of reach of the systems it protects, so an attack cannot reach it too.
Test restore
Deliberately restoring from a backup on a normal day to prove it actually works before you need it.
How much you can lose (RPO)
How much recent data you can afford to lose — decided by how often you back up.
How fast you must recover (RTO)
How quickly you need systems running again after a loss — decided by how fast you can restore.
Recovery
The act of restoring data and systems from a backup to working order.
Key takeaways

Backups are the last line of defense — they work no matter how the loss happened.
Follow 3-2-1: three copies, two kinds of storage, one off-site.
Keep at least one copy offline and out of reach, and actually test restoring from it.
Answer “how much can we lose” and “how fast must we recover”, and the right plan designs itself.

References

  1. NIST Special Publication 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems, National Institute of Standards and Technology. csrc.nist.gov
  2. CISA, Data Backup Options — the 3-2-1 approach, Cybersecurity & Infrastructure Security Agency. cisa.gov
  3. This guide’s Malware & Ransomware, Explained From Zero — the attack offline backups defeat.
  4. This guide’s Incident Response, Explained From Zero — recovery as a stage of handling an incident.