Why won't traditional backup be enough in 2026?

The 3-2-1 rule is thirty years old. Modern ransomware families know exactly how to circumvent it. Let's take a look at why immutable, read-only backups have become the new 3-2-1-1-0 minimum.

The classic 3-2-1 rule – 3 copies, 2 on different media, 1 offsite – was optimized for hardware failures and natural disasters in the 1990s. A ransomware attacker would typically break it down like this in 2026:

  • 3 copies → all three can be deleted if backup admin authentication is compromised
  • 2 different media → the NAS and the file server sit on the "same network"
  • 1 offsite → if cloud sync is enabled, the encrypted files are synchronized to the offsite copy as well

The new rule is 3-2-1-1-0

The modern best practice – adopted by Veeam in 2023, and later by ENISA and NIST – adds two new elements:

  • 1 immutable / air-gapped copy – physically or logically separated, read-only
  • 0 errors – controlled, documented recovery test (at least quarterly)

What does "immutable" mean in practice?

A backup is immutable if the storage layer is technically unable to modify or delete it within a given time window. It is not a configuration flag (because an admin can override it), but a guarantee enforced at the hardware or hardened-OS level.

With ViVeSecBox, this rests on WORM (write-once-read-many) storage, a hardened operating system, and a hardware TPM root-of-trust chain – so a traditional Windows / Linux admin cannot reach the storage layer, regardless of what rights they have compromised on the corporate network.
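The checks above can be run against a backup inventory. The following is an added example, not vendor code: it audits a list of copies against 3-2-1-1-0 and flags the three bypasses listed earlier plus flag-only immutability. The field names, the 92-day stand-in for "quarterly", and both sample inventories are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class BackupCopy:
    name: str
    media: str          # "disk", "nas", "object-store", "worm", ...
    writable_from: str  # network segment that can write to or delete the copy
    admin_realm: str    # credential domain with delete rights on the copy
    offsite: bool
    live_sync: bool     # fed by file sync, so encrypted files propagate
    immutability: str   # "none", "flag" (admin can switch off), "enforced"

def audit(copies, last_restore_test, restore_errors, today, max_age_days=92):
    """Return findings against 3-2-1-1-0; an empty list means the rule holds."""
    f = []
    if len(copies) < 3:
        f.append("3: fewer than three copies")
    if len({c.admin_realm for c in copies}) == 1:
        f.append("3: one compromised admin realm can delete every copy")
    if len({c.media for c in copies}) < 2:
        f.append("2: fewer than two media types")
    if len({c.writable_from for c in copies}) < 2:
        f.append("2: every copy is writable from the same network")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        f.append("1: no offsite copy")
    elif all(c.live_sync for c in offsite):
        f.append("1: offsite copy is a live sync target")
    if not any(c.immutability == "enforced" for c in copies):
        flag = any(c.immutability == "flag" for c in copies)
        f.append("1: no storage-enforced immutable copy" + (" (flag only)" if flag else ""))
    if restore_errors or (today - last_restore_test).days > max_age_days:
        f.append("0: restore test failed or is older than a quarter")
    return f

# Constructed sample inventories (not from any real environment).
WEAK = [
    BackupCopy("file-server", "disk", "corp-lan", "corp-ad", False, False, "none"),
    BackupCopy("nas", "nas", "corp-lan", "corp-ad", False, False, "flag"),
    BackupCopy("cloud-sync", "object-store", "corp-lan", "corp-ad", True, True, "none"),
]
HARDENED = [
    BackupCopy("file-server", "disk", "corp-lan", "corp-ad", False, False, "none"),
    BackupCopy("worm-box", "worm", "backup-vlan", "appliance-local", False, False, "enforced"),
    BackupCopy("cloud-vault", "object-store", "vault-link", "cloud-iam", True, False, "flag"),
]

if __name__ == "__main__":
    today = date(2026, 3, 1)
    for finding in audit(WEAK, date(2025, 6, 1), 0, today):
        print("WEAK    ", finding)
    print("HARDENED", audit(HARDENED, date(2026, 1, 15), 0, today) or "no findings")
```

The weak inventory nominally has three copies on three media with one offsite, yet it fails on every digit of the rule; the hardened one passes only as long as the restore test stays current and error-free.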

"Immutable" is only useful if the attacker still considers it insurmountable. If it can be removed with a quick admin cleanup, then it's just a marketing tag.

Where should a company start if it is modernizing now?

Our practical suggestion: do not replace the entire backup stack at once. Keep the existing system in production and move the immutable backup of critical systems (ERP, file server, mail) to a hardened device like ViVeSecBox. This can be done in one business day and immediately covers the NIS2 backup compliance minimum.