Improve your school’s cyber security resilience and protect data using the 3-2-1 backup strategy.
The 3-2-1 backup strategy
3-2-1 is a backup strategy that advises keeping multiple, separated backups. This means if an issue, network incident, or natural disaster affects one, at least one other remains.
The 3-2-1 backup strategy recommends having:
- 3 copies of your data (1 primary and 2 backups)
- 2 different forms of storage on at least 2 separate devices (for example, on-premise and cloud)
- 1 off-site backup (such as a separate location or in the cloud)
This is important for safeguarding student data as well as operational continuity and compliance with data protection legislation.
Reducing risks
3-2-1 can help reduce risks from:
- cyber attacks - permanent off-site backups mean you can recover data without paying a ransom
- accidental deletion - multiple copies mean you can recover files quickly if they have been accidentally erased
- server crashes and hardware failure - having more than one backup helps minimise disruption if a backup is not available or corrupted
- cloud service outages - local backups give you access even if cloud services fail
- natural disasters (such as fire and floods) - off-site backups can protect data if there is a local disaster
Backup best practice
The National Cyber Security Centre (NCSC) has a set of “rules” to follow when backing up your data.
Offline rule (disconnect at least one backup)
Keeping one offline backup makes sure that at least one backup is unaffected if your school suffers a cyber attack.
You should also:
- digitally disconnect cloud backups not in use
- use separate ID and password credentials for cloud backups
- restrict access so that only devices specifically authorised by your IT support (such as admin workstations) can modify backups
Recovery rule (make sure your backups can be restored)
Schools must confirm their backups are recoverable in case of an attack. When choosing a cloud storage provider, you should make sure that:
- version history is available so you can restore previous versions of files
- deleted files can be recovered for a set period after removal
- regular tests of restoring backups are carried out to ensure data integrity
Regular rule (frequent and tested backups)
The final rule says you should back up data on a regular, agreed-upon schedule to minimise data loss. Backups should be:
- tested frequently to confirm they work as intended
- automated where possible to ensure consistency
Applying 3-2-1 in a cloud-only environment
If your school relies on a cloud-based system, the NCSC recommends you still follow the 3-2-1 strategy. This helps make sure that if one backup is compromised, you still have others. Follow these steps to implement the strategy.
Step 1: identify and back up critical data
Make sure you identify and back up the school’s most critical data, including:
- student and staff emails
- files and collaboration documents (OneDrive and SharePoint)
- records from collaborative tools like chats, shared files and meeting recordings (for example, Microsoft Teams or Google Meet data)
- school administrative data (for example, MIS integration, financial documents)
- safeguarding records (which may be stored in secure SharePoint sites, OneDrive, or similar)
Step 2: implement a third-party backup solution
Implement a "Software as a Service" (SaaS) backup provider that meets your needs. Make sure it supports:
- automated backups (ideally daily or more frequently)
- granular recovery (individual emails, messages, files)
- long-term retention (up to 7 years for compliance)
- immutable storage (protection against ransomware encryption)
Storage options can be either a:
- cloud-to-cloud backup (such as backing up data to a separate cloud provider)
- hybrid approach (storing an encrypted backup locally on a secure Network Attached Storage (NAS) device for redundancy)
Step 3: implement an air-gapped backup
Store one backup in “air-gapped storage” separate from daily operations. “Air-gapped” means the data is backed up in a place entirely separate from your network, typically off-site. Such backups have limited accessibility but should still be reachable when needed.
Options for air-gapped backups include:
- commercial cloud services with write-once-read-many (WORM) features to ensure ransomware protection
- physical air-gapped storage (for example, an offline encrypted external drive updated monthly)
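As an added illustration of the NCSC rules and the three steps above (this is not part of the original guidance), the following Python script models a school's backup inventory and checks it against the 3-2-1 counts, the offline rule and the recovery rule; the inventory entries, field names and the 90-day restore-test interval are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class BackupCopy:
    """One copy of the school's data (constructed example fields)."""
    name: str
    medium: str                        # form of storage, e.g. "cloud", "disk", "tape"
    device: str                        # system or device that holds the copy
    offsite: bool                      # separate location or cloud
    offline: bool                      # disconnected or WORM/immutable
    last_restore_test: Optional[date]  # when a restore from this copy was last tested


def assess_backups(primary: BackupCopy, backups: list[BackupCopy],
                   today: date, max_test_age_days: int = 90) -> list[str]:
    """Return findings against 3-2-1 and the NCSC rules; empty list means compliant."""
    findings = []
    copies = [primary, *backups]
    # 3-2-1: three copies (primary plus two backups)
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs a primary and 2 backups")
    # two forms of storage on at least two separate devices
    if len({c.medium for c in copies}) < 2:
        findings.append("all copies use the same form of storage; need at least 2")
    if len({c.device for c in copies}) < 2:
        findings.append("all copies are on one device; need at least 2")
    # one backup off-site
    if not any(c.offsite for c in backups):
        findings.append("no off-site backup")
    # offline rule: at least one backup a network compromise cannot alter
    if not any(c.offline for c in backups):
        findings.append("no offline or immutable backup; ransomware could reach every copy")
    # recovery rule: every backup restore-tested within the agreed interval
    for b in backups:
        if b.last_restore_test is None:
            findings.append(f"{b.name}: restore never tested")
        elif (today - b.last_restore_test).days > max_test_age_days:
            findings.append(f"{b.name}: last restore test is older than {max_test_age_days} days")
    return findings


# Constructed inventory for a cloud-first school: no air-gapped copy, NAS test overdue
PRIMARY = BackupCopy("M365 tenant", "cloud", "tenant-primary", False, False, None)
INVENTORY = [
    BackupCopy("SaaS backup", "cloud", "backup-provider", True, False, date(2024, 5, 2)),
    BackupCopy("Encrypted NAS", "disk", "school-nas", False, False, date(2023, 11, 1)),
]
```

Adding a WORM cloud archive as a third backup entry clears the offline finding, leaving only the overdue NAS restore test to act on.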
Cloud storage backups
Most cloud services have a “shared responsibility model”. This means they make sure their platform is available, but this does not fully protect you from data loss due to accidental deletion, cyber attacks, or compliance issues.
Cloud environments have different challenges from on-site storage, including:
- limited built-in retention
- data in the cloud can still be encrypted in ransomware attacks
- legal and compliance requirements (such as UK GDPR and Ofsted data requirements) may require that sensitive records be retained for long periods of time