We're hearing about 3-2-1-1-0 lately, what's the difference vs 3-2-1?

3-2-1-1-0 is the modern extension: 3 copies, 2 media, 1 offsite, 1 immutable or air-gapped, 0 errors in restore tests. The extra 1 covers ransomware, the 0 covers the 'we had backup but it didn't work' scenario.

Try this first

1. 1The extra 1 (immutable or air-gapped) is the key addition. In practice: S3 Object Lock on an offsite cloud tier, a Veeam hardened repo, or physically disconnected tape/USB off the network.
2. 2The 0 (zero errors on verification) means every backup job needs to be verified, not just 'completed'. Veeam SureBackup, NAKIVO Recovery Verification or a homegrown restore-test script give that.
3. 3Audit your current setup against each digit: do you really have 3 copies including production, or 2 (prod + 1 backup)? Truly on 2 media types, or all on disk? Is offsite really offsite or just a 2nd NAS in the same fire compartment?
4. 4Pick a mechanism for the extra 1 that's physically or logically disconnected from production. If ransomware reaches your NAS via AD, the immutable layer must be independent of that.
5. 5Schedule quarterly restore tests that hit every layer: 1 file from local, 1 system from offsite, 1 set from immutable. Log which failed and why.
6. 6Document for management: which threats 3-2-1-1-0 covers (ransomware, fire, ex-employee, user error) and which it doesn't (massive provider-wide outage).

None of the above fits?

Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.