Skip to content
← All posts
· 2 min read·Emre Yurtbay

Backup strategy for SMBs – the 3-2-1 rule done right

Why most backups fail when it counts and how to do it better with the 3-2-1 rule – explained for small businesses.

BackupData protectionRansomwareSMBIT security

The uncomfortable truth: most companies have a backup — but many don't know whether anything can actually be restored from it in an emergency. Yet that is exactly what decides whether an incident is an annoyance or an existential question.

The 3-2-1 rule

A proven, simple standard:

  • 3 copies of your data (the original plus two backups)
  • 2 different media/locations (not both on the same machine)
  • 1 copy off-site (another location or the cloud)

This protects against the typical cases: hardware failure, user error, theft, fire.

Why 3-2-1 alone is no longer enough

Ransomware actively encrypts reachable backups too. Hence the modern extension 3-2-1-1-0:

  • 1 copy offline or immutable (air-gapped) — so attackers can't encrypt it along with everything else
  • 0 errors in a regularly tested restore

The last point is the most important — and the one most often missing.

A backup that has never been restored isn't a backup

It's a hope. Only a successful test restore proves the backup works, is complete, and is available within an acceptable time. Schedule that test as a fixed task — not "when there's time".

Two terms you should know

  • RPO (Recovery Point Objective): how much data may be lost at most? A daily backup = up to one day of loss.
  • RTO (Recovery Time Objective): how long may recovery take until the business runs again?

These two numbers determine which solution you actually need — not the other way around.

Pragmatic implementation for an SMB

  1. Define what is business-critical (data, shop, mail, line-of-business software)
  2. Define RPO/RTO roughly — different per system
  3. Automate (manual backups get forgotten)
  4. One copy off-site and one immutable
  5. Test the restore — and log that it worked

Conclusion

Backup is not insurance you take out and forget. It's a process that must be proven regularly. The effort for that is small — measured against a day of downtime.

Want to know whether your backup would hold up in an emergency? In a free initial consultation we'll go through your situation concretely.

Discuss your project