Backup strategies 3-2-1 and 3-2-1-1-0: how to secure an SME audit-ready
Three copies, two media, one offsite, one offline, zero verification errors. Tools, cloud targets and Swiss data law aspects as of May 2026.
Researched & fact-checked by: DuneDive LLC · As of: 2026-05
What is the 3-2-1 rule?
The 3-2-1 rule is the minimum formula for data protection established since the 2000s. It requires three copies of every important dataset, stored on two different media types, with at least one copy at a geographically separated site. The original data counts as one of the three copies. Two backup copies plus the original sum to three.
The formula was extended from 2020 onward to the 3-2-1-1-0 rule because ransomware waves and unnoticed bit-rot regularly rendered classic backups worthless. The additional 1 demands an offline copy with air-gap, that is, a medium physically or logically disconnected from the network. The final 0 demands zero verification errors on the last test-restore. A backup that cannot be restored is not a backup.
In Switzerland the Swiss data law angle matters too: backups count as processing under Art. 5 revFADP. The storage location of a backup must therefore meet the same requirements as productive storage. Anyone processing fiduciary client data in CH and EU may not move the backup to the US without review – otherwise there is a third-country transfer that must be documented under Art. 16 revFADP.
Why it matters
In May 2026, three threat classes are real that a classic tape backup from 2015 no longer catches. First, ransomware: current encryption trojans actively look for reachable backup volumes, reach the backup server over SMB shares or with API tokens, and encrypt the backups too. Anyone without an air-gap copy pays or loses everything.
Second, cloud provider outages: the OVH fire in Strasbourg in 2021 showed that even large providers can fail completely. Anyone backing up with only one provider has no real redundancy. Third, silent data corruption: at modern capacities, hard disks statistically return a flipped bit every 12 TB that ECC does not catch. Without regular checksum verification you never notice that your backup from last May was already corrupted.
For a Swiss fiduciary office, the retention duty under Art. 958f CO comes on top: 10 years of readability for all business records and receipts. Anyone opening a 2021 PDF in five years and finding it broken has a compliance problem that no apology fixes. Auditors do not accept excuses.
How a 3-2-1-1-0 pipeline is built
A production-ready backup setup has five layers: source, local backup, offsite cloud, offline air-gap, verification. Each layer has its own tool choice.
Local backup: on the productive server, a snapshot tool runs daily or hourly to create consistent point-in-time copies. As of May 2026, restic (Go, AES-256-GCM, deduplication), BorgBackup (Python, AES-256-CTR, very mature) and Duplicati (.NET, GUI for SMEs) are the standard open-source options. rsnapshot relies on rsync + hardlinks and is the leanest Linux-server variant. Storage target is usually a second volume or a NAS in the same rack.
Offsite cloud: the second backup copy goes to a cloud storage target. Backblaze B2 in May 2026 costs about USD 6 per TB per month, with no egress trap when using Backblaze-native tools. Hetzner Storage Box sits at EUR 4 per TB per month in the Frankfurt data centre, which gives EU residency. Infomaniak Swiss Backup is the most expensive but CH-resident option for clients who need data location as a selling point. restic and Borg speak the S3 protocol and address all three targets directly.
Encryption: all backups are encrypted client-side before they go to cloud storage. AES-256-GCM is the May 2026 standard. For tarball-based setups without native encryption, GPG with a key stored in the vault is suitable. The key must be backed up separately – otherwise you back up only data garbage that nobody can read again.
Offline air-gap: once a month, an employee pulls a USB hard disk or LTO tape from the cabinet, connects it, copies the current backup state, and returns the medium to the safe or to the bank. That is the insurance against ransomware that reaches all online backups.
Immutable buckets: Backblaze B2 and AWS S3 support Object Lock in compliance mode. Once written, data cannot be deleted or overwritten for the defined retention period – not even by the root account. That is the second line of defence against ransomware without USB shuffling.
Verification: at least weekly, a restic check or borg check runs and tests the checksums of all blocks. Quarterly, a test restore into an isolated environment aims to produce a working copy of the productive environment from the backup alone. Anyone who never tests this has no backup, only Schrödinger data.
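The bit-rot scenario from the "Why it matters" section and the zero-errors requirement above are easy to state and rarely measured for the one copy that is not a restic or Borg repository: the plain file copy on the monthly USB disk or LTO tape. The script below is an added example, not code from the article or from any of the tools it names. It records a SHA-256 manifest when the medium is written and re-verifies it before the medium goes back to the safe; the demo builds a small constructed copy, flips one byte to imitate a disk returning a wrong bit, and shows the verifier flagging exactly that file. It assumes sha256sum (coreutils) or shasum (BSD/macOS) is installed; all paths are hypothetical.

```shell
#!/bin/sh
# Added example: manifest-based verification of a plain-copy backup
# (e.g. the monthly air-gap medium). Exit status of verify_manifest is the
# number of verification errors, so 0 is the "0" in 3-2-1-1-0.
set -u

# Pick a SHA-256 tool: coreutils sha256sum, or shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# write_manifest DIR MANIFEST: record "hash<TAB>relative path" for every
# regular file below DIR, in a stable order so manifests can be diffed.
write_manifest() {
    dir=$1; manifest=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort ) | while IFS= read -r rel; do
        printf '%s\t%s\n' "$(sha256_of "$dir/$rel")" "$rel"
    done > "$manifest"
}

# verify_manifest DIR MANIFEST: re-hash every listed file and print each
# mismatch or missing file. Return value = error count (wraps above 255,
# which is still non-zero and therefore still a failed verification).
verify_manifest() {
    dir=$1; manifest=$2; errors=0
    while IFS="$(printf '\t')" read -r want rel; do
        if [ ! -f "$dir/$rel" ]; then
            printf 'MISSING %s\n' "$rel"; errors=$((errors + 1))
        elif [ "$(sha256_of "$dir/$rel")" != "$want" ]; then
            printf 'CORRUPT %s\n' "$rel"; errors=$((errors + 1))
        fi
    done < "$manifest"
    return "$errors"
}

# simulate_bit_rot FILE: overwrite one byte in place, as a disk that
# silently returns a flipped bit would (constructed fault for the demo).
simulate_bit_rot() {
    printf 'Z' | dd of="$1" bs=1 seek=3 conv=notrunc 2>/dev/null
}

# demo [1|0]: build a constructed copy, write the manifest, optionally
# corrupt one file, then verify. Returns the verification error count.
demo() {
    corrupt=${1:-1}
    work=$(mktemp -d)
    mkdir -p "$work/copy/ledger"
    printf 'client A bookings 2021\n' > "$work/copy/ledger/2021.csv"    # constructed
    printf 'client B bookings 2021\n' > "$work/copy/ledger/2021b.csv"   # constructed
    write_manifest "$work/copy" "$work/manifest.sha256"
    if [ "$corrupt" = "1" ]; then simulate_bit_rot "$work/copy/ledger/2021b.csv"; fi
    rc=0
    verify_manifest "$work/copy" "$work/manifest.sha256" || rc=$?
    rm -rf "$work"
    return "$rc"
}
```

In operation, write_manifest runs right after the monthly copy and the manifest travels with the medium; verify_manifest runs on the next rotation, and its exit status is what goes into the verification report kept for the retention period. The same manifest also answers the restore-runbook question "is this medium still good" without needing the backup tool at all.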
Backup implementation in 5 steps
- 01 Inventory and classification: which datasets, which retention duty, which protection class? Separate client movement data, configuration data and pure logs.
- 02 Tool choice: restic for Linux servers with S3 backend, BorgBackup for high maturity, Duplicati for GUI operation on Windows servers, rsnapshot for simple rsync-based setups.
- 03 Choose cloud target: Hetzner Storage Box for EU residency, Backblaze B2 with Object Lock for immutability, Infomaniak Swiss Backup for CH residency, all three with AES-256-GCM encrypted client-side.
- 04 Set up air-gap rotation: monthly fetch a USB disk or LTO tape from the safe, take backup, return to safe. Add a restore runbook every employee can understand.
- 05 Automate verification: weekly restic check via cron, quarterly full restore into isolated environment, keep verification reports for 10 years.
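Steps 02, 03 and 05 above, plus the immutable-bucket layer from the pipeline description, fit into one cron-driven script when restic with an S3 backend is the chosen tool. The following is an added example written for this page, not the article's or restic's own code: it snapshots to the local repository (copy 2) and the cloud repository (copy 3), derives the forget policy from the 10-year retention duty, runs restic check on every cycle with a read-data sample on Sundays, and builds the S3 Object Lock rule in compliance mode. Repository URLs, the bucket name and the source paths are hypothetical placeholders; the restic flags (--exclude-caches, forget --prune --keep-*, check --read-data-subset) and the aws s3api put-object-lock-configuration call are real, and the script prints commands instead of running them until DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: a 3-2-1-1-0 cycle with restic. Placeholders below are
# hypothetical; override them from the environment.
set -u

: "${LOCAL_REPO:=/srv/backup/restic-local}"   # copy 2: second volume / NAS
: "${CLOUD_REPO:=s3:https://s3.example.invalid/EXAMPLE-bucket}"   # copy 3: offsite
: "${BACKUP_SOURCES:=/srv/clients /etc}"      # space-separated source paths
: "${DRY_RUN:=1}"   # 1 = print commands only; DRY_RUN=0 executes them

# run CMD...: execute, or print with DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf 'DRY: %s\n' "$*"; else "$@"; fi
}

# retention_args YEARS: forget policy covering the statutory retention
# period; 12 monthly points per year keep a restorable state for YEARS.
retention_args() {
    years=$1
    printf '%s' "--keep-daily 30 --keep-weekly 12 --keep-monthly $((years * 12))"
}

# check_env: refuse to run without a readable repository password file.
# A lost key makes every copy unreadable, so it is checked before any write.
check_env() {
    if [ -z "${RESTIC_PASSWORD_FILE:-}" ] || [ ! -r "${RESTIC_PASSWORD_FILE:-}" ]; then
        printf 'RESTIC_PASSWORD_FILE must point to a readable file\n' >&2
        return 1
    fi
}

# backup_cycle REPO YEARS: snapshot, apply retention, prune, then verify.
# Called once per repository so copies 2 and 3 stay independent.
backup_cycle() {
    repo=$1; years=$2
    # shellcheck disable=SC2086 -- word splitting of sources/policy is intended
    run restic -r "$repo" backup --exclude-caches --tag daily $BACKUP_SOURCES || return 1
    run restic -r "$repo" forget --prune $(retention_args "$years") || return 1
    # Structural check every run; on Sundays also re-read a sample of the
    # data blocks so bit-rot inside pack files is found, not just indexed.
    if [ "$(date +%u)" = "7" ]; then
        run restic -r "$repo" check --read-data-subset=10%
    else
        run restic -r "$repo" check
    fi
}

# object_lock_config DAYS: S3 Object Lock default rule in COMPLIANCE mode,
# which no account (root included) can shorten or remove. GOVERNANCE mode
# would be the weaker setting: users with bypass permission can delete.
object_lock_config() {
    printf '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":%s}}}' "$1"
}

# lock_bucket BUCKET DAYS: apply the rule. The bucket must have been
# created with "aws s3api create-bucket --object-lock-enabled-for-bucket".
lock_bucket() {
    run aws s3api put-object-lock-configuration --bucket "$1" \
        --object-lock-configuration "$(object_lock_config "$2")"
}

main() {
    check_env || return 1
    backup_cycle "$LOCAL_REPO" 10 || return 1
    backup_cycle "$CLOUD_REPO" 10
}

# Run the cycle only when explicitly asked, so the file can also be sourced.
if [ "${BACKUP_AUTORUN:-0}" = "1" ]; then main; fi
```

A typical cron line would be `BACKUP_AUTORUN=1 DRY_RUN=0 RESTIC_PASSWORD_FILE=/root/.restic-pw sh /usr/local/sbin/backup-cycle.sh` (path hypothetical); lock_bucket is a one-time setup call, with DAYS at least the retention period in days, because compliance mode cannot be shortened afterwards. Note that forget --prune on a locked bucket cannot physically delete objects before the lock expires, which is the intended behaviour: the policy only stops listing them as restorable snapshots.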
When the full 3-2-1-1-0 setup is needed
The full setup with air-gap and immutable storage is mandatory for every business under retention duty: fiduciary, law firm, medical practice, insurance broker, accounting office. Every online shop with order history and every workshop with a job database also benefits concretely – the question is not whether but when ransomware arrives.
Concretely in Switzerland: a 5-person fiduciary with 200 clients typically produces 50 to 200 GB of movement data per year. That fits with headroom on a 4 TB USB disk rotated monthly. The cloud copy on Hetzner Storage Box at 200 GB costs about EUR 1 per month. Running costs are low, the risk of skipping is high.
Business-model angle: anyone managing client data can use the full setup as a sales argument. Clients and patients in May 2026 increasingly ask about backup and recovery concepts because they themselves read ransomware stories in the press. A clear 3-2-1-1-0 document in the sales talk closes deals that competitors lose with "we have backup already, it is safe".
When a lighter setup is enough
A pure marketing website without database, a static image repository without user content, a local development setup with Git backup via GitHub – for those cases a simple restic-to-B2 or just Git push to an external provider is enough. Air-gap and immutable storage are overkill here and cost time that is missing elsewhere.
A common mistake: some SMEs back up everything with the same strictness. The apprentice database gets the same treatment as client bookkeeping. Result: storage costs double, audit effort eats hours per month, and the actually critical system disappears in the noise. Better: classify by protection class and set up the matching configuration per class.
A second pitfall is the "backup nobody ever restores". If the restore procedure is known only to one person and that person carries the key in their head, that is not a setup but a personnel-risk bet. Document the restore procedure so that a new employee with the runbook in hand can play the backup back.
Trade-offs
STRENGTHS
- Robust against ransomware: the air-gap copy cannot be encrypted
- Object Lock on the cloud bucket makes deletion impossible even from admin account
- AES-256-GCM encryption protects data even at the cloud provider
- Quarterly full restore uncovers silent corruption before it becomes an emergency
- Open-source tools (restic, Borg) decouple from vendor lock-in
WEAKNESSES
- Operational effort: monthly USB rotation needs a responsible person
- Restore tests cost hours per quarter, are often skipped
- Encryption keys must be kept safe themselves – loss equals backup lost
- Initial setup 1 to 3 days, often with an external service provider
FAQ
Is OneDrive or Google Drive sync enough as backup?
No. Sync is not backup. If you delete a file locally or a trojan encrypts it, the change is mirrored to the cloud and you lose both copies. Sync tools often keep a short version history (30 to 90 days), but no real air-gap copy and no 10-year retention. For business-relevant data you need a dedicated backup tool in addition to sync.
How often should a full backup run?
Practice recommendation for SMEs: hourly or daily incremental, weekly full, monthly offline. restic and Borg work with internal deduplication, so even an apparently daily full backup stores only the changes. Anyone with high write rates shortens the incremental interval. Anyone with slow-changing data drops the hourly run and backs up daily.
What does that cost for a 5-person fiduciary?
For 200 GB movement data and 1 TB archive: Hetzner Storage Box about EUR 4 per month for 1 TB, a 4 TB USB disk costs CHF 130 once, safe storage causes no direct cost. Software (restic, Borg) is open source. Setup effort 1 to 2 days via a service provider, then the setup runs without intervention. Annual operation under CHF 100, one-time setup CHF 1500 to CHF 3000.
What about databases – is a file backup enough?
No. A file-level copy of a running PostgreSQL or MySQL data directory can be inconsistent. Use pg_dump, mysqldump or native streaming replication to produce consistent logical dumps and back those up with restic or Borg. For large databases, pgBackRest or Percona XtraBackup with point-in-time recovery are the appropriate tools.
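One way to combine the logical dump with restic, as an added example that is not part of the article or of restic's or PostgreSQL's documentation: pg_dump is streamed straight into `restic backup --stdin`, so no dump file sits unencrypted on disk. The detail worth getting right is the exit status. A plain `pg_dump | restic backup --stdin` reports only restic's status, so a pg_dump that dies halfway yields a truncated dump that the backup job records as a success; POSIX sh has no pipefail, so the helper carries the producer's status through a temp file. Database name, repository and password file are hypothetical.

```shell
#!/bin/sh
# Added example: consistent database dump streamed into restic, with both
# sides of the pipe checked. Placeholders are hypothetical.
set -u

: "${CLOUD_REPO:=s3:https://s3.example.invalid/EXAMPLE-bucket}"   # placeholder
: "${PGDATABASE:=fiduciary}"                                      # placeholder

# stream_into PRODUCER CONSUMER: run PRODUCER (a shell command string) and
# feed its stdout to CONSUMER. Fails if either side fails; the producer's
# status wins so a broken dump is never reported as a good backup.
stream_into() {
    producer=$1; consumer=$2
    status_file=$(mktemp)
    consumer_rc=0
    { sh -c "$producer"; echo $? > "$status_file"; } | sh -c "$consumer" || consumer_rc=$?
    producer_rc=$(cat "$status_file"); rm -f "$status_file"
    if [ "$producer_rc" -ne 0 ]; then
        printf 'dump failed (rc=%s); snapshot must not be trusted\n' "$producer_rc" >&2
        return "$producer_rc"
    fi
    return "$consumer_rc"
}

# backup_postgres: custom-format dump (pg_dump -Fc) stored in the repository
# under a stable file name, tagged so retention can treat dumps separately.
backup_postgres() {
    stream_into "pg_dump -Fc '$PGDATABASE'" \
        "restic -r '$CLOUD_REPO' backup --stdin --stdin-filename '$PGDATABASE.pgdump' --tag db"
}
```

Restore is the mirror image and belongs in the runbook next to it: `restic -r "$CLOUD_REPO" dump latest fiduciary.pgdump | pg_restore -d fiduciary` replays the latest dump into an empty database, which is exactly what the quarterly test restore should exercise.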
Sources
- BSI – IT-Grundschutz-Baustein CON.3 Datensicherungskonzept · 2026-02
- NIST SP 800-209 – Security Guidelines for Storage Infrastructure · 2026-03
- restic – Backup program documentation and threat model · 2026-04
- Backblaze B2 – Object Lock and pricing reference · 2026-05
- Hetzner Storage Box – product pricing page · 2026-05