Immutable Backups for Texas SMBs: The 3-2-1-1-0 Rule in 2026

Ransomware operators in 2026 routinely spend 5–14 days inside a victim environment before triggering encryption (Sophos State of Ransomware 2025). During that dwell time, they enumerate backup infrastructure, harvest backup admin credentials, and either delete backups outright, change retention to one day, or encrypt the backup repository alongside production. A "second copy on a NAS" or "off-site copy in the cloud" is not protection if the same domain credentials grant write/delete access to both.

3 — Three Copies of Data

One production copy plus two backup copies. The two backup copies must be independent — if they share storage, credentials, or replication infrastructure, they count as one for purposes of ransomware resilience.

2 — Two Different Media Types

Spinning disk plus object storage, or local NAS plus cloud, or SSD plus tape. Diversity protects against silent corruption, vendor outage, and supply chain compromise affecting one platform type.

1 — One Off-Site

One copy must be physically removed from the primary site. For most Texas SMBs in 2026, this is cloud object storage (S3, Wasabi, Backblaze B2, Azure Blob).

1 — One Immutable or Air-Gapped Copy (NEW)

This is the addition that defeats modern ransomware. Immutability means the storage layer itself prevents deletion or modification for a specified retention period — even by an authenticated administrator with valid credentials. Object Lock on S3-compatible storage, hardened repositories on Wasabi, or Veeam Hardened Linux Repositories are all valid implementations.

Air-gapping is the alternative: the backup copy is physically or logically disconnected from the network outside of backup windows. Tape rotated to a fireproof safe is the classic example. LTO-9 tape at $80/cartridge for 18TB is still extraordinarily cost-effective for SMB volumes and provides absolute air-gap protection.

0 — Zero Errors on Restore Verification

A backup that has not been test-restored is not a backup — it is a hope. The "0 errors" requirement means automated, scheduled test restores with cryptographic verification that the restored data matches the source. Most modern backup platforms (Veeam SureBackup, Datto Inverse Chain, Acronis Active Protection) include some form of automated restore testing. Use it.

For a typical 50–250 employee Texas business with 5–25TB of production data:

• Primary backup — Veeam Backup & Replication or Datto SIRIS to a local hardened repository (Veeam Hardened Linux Repository on dedicated hardware with immutable XFS).
• Off-site copy — replication to Wasabi, Backblaze B2, or AWS S3 with Object Lock for 30–90 day immutable retention.
• Air-gap copy — for higher-security environments, monthly LTO tape to fireproof safe or Iron Mountain.
• Verification — weekly automated SureBackup restore of critical VMs to an isolated test network.
• Identity isolation — backup admin credentials are not domain accounts. Backup infrastructure does not authenticate to Active Directory. A compromised domain admin cannot delete backups.

The 3-2-1-1-0 rule maps directly to multiple compliance frameworks:

• HIPAA Security Rule §164.308(a)(7) — contingency plan, data backup plan, disaster recovery plan, and emergency mode operation plan
• FTC Safeguards Rule §314.4(d)(2) — written incident response plan including backup/recovery procedures (see our FTC Safeguards Rule coverage)
• NIST 800-171 / CMMC 2.0 Recovery domain — RE.L2-3.8.9 backup of CUI and RE.L2-3.13.16 protect confidentiality of backup data (see our CMMC compliance service)

For a 100-employee Texas business with 10TB of production data, a properly architected 3-2-1-1-0 implementation typically runs $800–$1,800/month all-in (backup software licensing + immutable cloud storage + monitoring + monthly test restore validation). Compare this against the median Texas SMB ransomware recovery cost from our 2026 Benchmark Report — between $310,000 and $1.2 million depending on segment — and the math is decisive.

If you discover an active ransomware incident, our incident response team is on call. Do not pay the ransom before exhausting recovery options. See our guide: Ransomware: The First 72 Hours.

• Houston managed IT
• The Woodlands managed IT
• Sugar Land managed IT
• Galveston managed IT
• Katy managed IT