SMB · 8 min read

SMB backup guide: what is the 3-2-1 strategy and how to apply it?

How to apply the 3-2-1 backup rule at SMB scale: cost, RPO/RTO targets and KVKK/GDPR alignment with practical examples.

For most SMBs, backup often stays at the "copy to a USB once a week" level. Yet a single ransomware attack or disk failure can wipe out years of customer and invoice data overnight. The 3-2-1 strategy is the most widely accepted, practical baseline.

What is 3-2-1?

  • 3 copies: the original plus 2 backups
  • 2 different media: e.g. local NAS + cloud (or two distinct media types), so one failure mode such as a dead disk or a compromised account cannot take out both backups
  • 1 off-site copy, so fire, theft or flood at the office does not destroy every copy

This rule is recommended as "minimum safe backup" by the US National Archives (NARA) and many security frameworks.

A practical SMB scenario

Imagine an 8-person architecture firm with:

  • Accounting software (Logo Tiger, Mikro, etc.)
  • AutoCAD and project files (50-200 GB)
  • Email archive (Outlook PST or IMAP)
  • Contract PDFs + KVKK consent records

3-2-1 in action

Copy            Medium                Location              Frequency
1 (original)    Workstation           Office                Real-time
2               NAS or local server   Office                Hourly
3               Cloud (PratikYedek)   Turkey data center    Every 6 hours

💡 PratikYedek tip: Hosted SaaS plans offer automatic snapshots with a 5-minute RPO via WAL+PITR (write-ahead log plus point-in-time recovery), so no manual scheduling is needed.
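The table above is a schedule; what makes it a backup rather than a copy is that every snapshot is a separate version with a hash manifest, and that the copy is proved restorable. The script below is an added example, not PratikYedek's or any vendor's code: it runs one 3-2-1 cycle with the standard library only (workstation source, a "nas" target and an "offsite" target, all constructed as local temp directories for the demo), writes a SHA-256 manifest next to each snapshot, then performs a restore drill that restores into scratch space and compares hashes. The sample files, paths and target names are constructed for the demo.

```python
"""Added example (not PratikYedek code): one 3-2-1 copy cycle with a hash
manifest per snapshot and a restore drill that proves the copy is readable.
The 'nas' and 'offsite' targets are ordinary local directories here; in a
real deployment they would be a NAS share and a cloud bucket."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large CAD files never load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def snapshot(src: Path, target_root: Path, stamp: str) -> Path:
    """Copy src into a new timestamped directory under target_root and store the
    manifest beside the data. Each run creates a new version; nothing is overwritten."""
    dest = target_root / stamp
    shutil.copytree(src, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(build_manifest(src), indent=1))
    return dest


def restore_drill(snapshot_dir: Path) -> tuple:
    """Restore the snapshot into scratch space and compare every file against the
    stored manifest. Returns (ok, sorted list of missing/extra/mismatched paths)."""
    expected = json.loads((snapshot_dir / "manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(snapshot_dir / "data", restored)
        actual = build_manifest(restored)
    bad = sorted(set(expected) ^ set(actual))                      # missing or extra files
    bad += [p for p in expected if p in actual and expected[p] != actual[p]]  # corrupted files
    return (not bad, bad)


def run_321(src: Path, nas: Path, offsite: Path, stamp: str) -> dict:
    """Copy 1 stays on the workstation (src); copy 2 goes to the NAS; copy 3 goes
    off-site. Both backup copies get a restore drill immediately after writing."""
    results = {}
    for name, root in (("nas", nas), ("offsite", offsite)):
        snap = snapshot(src, root, stamp)
        ok, bad = restore_drill(snap)
        results[name] = {"snapshot": str(snap), "restore_ok": ok, "mismatched": bad}
    return results


def demo() -> dict:
    """Constructed data set: one CAD file and one consent record (contents are dummy)."""
    work = Path(tempfile.mkdtemp())
    src = work / "workstation"
    (src / "projects").mkdir(parents=True)
    (src / "projects" / "villa.dwg").write_bytes(b"AC1032" + b"\x00" * 4096)
    (src / "kvkk_consent_2024.pdf").write_bytes(b"%PDF-1.7 constructed sample")
    stamp = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    results = run_321(src, work / "nas", work / "offsite", stamp)
    # Simulate silent corruption of the NAS copy and confirm the drill catches it.
    damaged = Path(results["nas"]["snapshot"]) / "data" / "projects" / "villa.dwg"
    damaged.write_bytes(b"GARBAGE")
    ok, bad = restore_drill(Path(results["nas"]["snapshot"]))
    results["nas_after_corruption"] = {"restore_ok": ok, "mismatched": bad}
    shutil.rmtree(work, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The point of the drill is that it restores into a separate location and re-hashes; reading the manifest alone proves nothing. In production the hourly NAS run and the 6-hourly cloud run would call the same `snapshot`/`restore_drill` pair from a scheduler, and a failed drill should page someone rather than just log.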

RPO and RTO targets

Two terms not to confuse:

  • RPO (Recovery Point Objective): the maximum data loss, measured in time, that you can tolerate. "How far back will my restore point be?"
  • RTO (Recovery Time Objective): the maximum time the system may stay down. "When is it working again?"

Reasonable SMB targets:

  • RPO: 1-6 hours, i.e. hourly or 6-hourly incrementals. Size it per copy: after a site loss you restore from the off-site copy, so its interval is the RPO that counts.
  • RTO: 4-24 hours, a half-day restore scenario. Only a timed restore drill tells you whether this figure is real.

PratikYedek hosted plans meet these defaults.

Mapping to KVKK § 12 (Türkiye)

KVKK § 12 (Turkey's GDPR-equivalent) requires data controllers to "take all necessary technical and administrative measures." The KVKK Authority's official Data Security Guide explicitly lists backups as a technical measure:

"Backing up data, defining backup frequency, securely storing backups..."

A business that implements 3-2-1 covers the backup item on that list; encryption, access control and logging are listed separately and still have to be in place. An off-site copy also satisfies the "separate secure environment" requirement under § 6 for sensitive data (health, legal).

Common mistakes

  1. Single cloud provider dependency: Google Drive alone is not enough. A sync client replicates deletions and ransomware-encrypted files to the cloud within minutes, so sync is not backup. Local + cloud is mandatory.
  2. No encryption: unencrypted off-site copies become a KVKK § 12 breach the moment the medium is stolen or leaked. Encrypt before the data leaves the office and keep the keys away from the backup store.
  3. No restore drill: assuming "backup is done" without ever testing recovery is the #1 mistake. Run a monthly restore drill, time it, and compare the result with your RTO.
  4. No versioning: a single "latest backup" gets encrypted by ransomware too. Keep a snapshot chain (7 daily + 4 weekly + 12 monthly), and enforce that retention where the workstation's credentials cannot delete it (a server-side lock or a separate account); otherwise an attacker who reaches the backup store prunes the chain as well.
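The "7 daily + 4 weekly + 12 monthly" chain in mistake 4 and the RPO target above are only useful if something actually enforces them. The script below is an added example, not PratikYedek's or any vendor's code: it implements grandfather-father-son retention over a snapshot catalog (which timestamps to keep, which to prune) and an RPO check that flags a stale chain. The 6-hourly catalog of 1600 constructed timestamps stands in for the cloud copy in the table above; nothing here talks to a real backup store.

```python
"""Added example (not PratikYedek code): GFS retention (7 daily / 4 weekly /
12 monthly) and an RPO check over a snapshot catalog. All timestamps are
constructed for the demo."""
from datetime import datetime, timedelta, timezone


def gfs_keep(snapshots, daily=7, weekly=4, monthly=12):
    """Return the set of snapshot timestamps to keep.

    For each bucket type (calendar day, ISO week, calendar month) the newest
    snapshot inside a bucket represents that bucket, and only the newest
    `daily` / `weekly` / `monthly` buckets are retained. A snapshot is kept if
    any rule selects it; everything else is eligible for pruning."""
    newest_first = sorted(snapshots, reverse=True)
    keep = set()
    rules = (
        (lambda d: d.date(), daily),                      # one per calendar day
        (lambda d: tuple(d.isocalendar()[:2]), weekly),   # one per ISO (year, week)
        (lambda d: (d.year, d.month), monthly),           # one per calendar month
    )
    for bucket_of, limit in rules:
        seen = []
        for snap in newest_first:
            bucket = bucket_of(snap)
            if bucket in seen:
                continue          # an older snapshot in a bucket already represented
            seen.append(bucket)
            keep.add(snap)
            if len(seen) == limit:
                break
    return keep


def rpo_status(snapshots, now, rpo):
    """Age of the newest snapshot versus the RPO target.
    Returns (within_rpo, age) so a monitoring job can alert on a stale chain."""
    age = now - max(snapshots)
    return age <= rpo, age


def demo():
    latest = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
    # Constructed catalog: a 6-hourly snapshot chain going back 400 days.
    catalog = [latest - timedelta(hours=6 * i) for i in range(1600)]
    keep = gfs_keep(catalog)
    six_hours = timedelta(hours=6)
    # 12:30 the same day: newest copy is 3.5 h old, inside the 6 h RPO.
    ok_now, _ = rpo_status(catalog, latest + timedelta(hours=3, minutes=30), six_hours)
    # Cloud job stalled: by 16:00 the newest copy is 7 h old, an RPO violation.
    ok_late, age_late = rpo_status(catalog, latest + timedelta(hours=7), six_hours)
    return {
        "kept": [s.strftime("%Y-%m-%d %H:%M") for s in sorted(keep)],
        "kept_count": len(keep),
        "pruned_count": len(catalog) - len(keep),
        "one_per_day": len({s.date() for s in keep}) == len(keep),
        "rpo_ok_now": ok_now,
        "rpo_ok_late": ok_late,
        "age_late_hours": age_late.total_seconds() / 3600,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things to take from the run: the three rules overlap (the newest day's snapshot is also the newest week's and month's), so 7+4+12 yields fewer than 23 retained snapshots, and the prune list is exactly what a ransomware operator with delete rights on the store would also produce, which is why the pruning job needs credentials the workstation does not hold.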

How PratikYedek meets these standards

  • ✅ End-to-end AES-256-GCM encryption — server never sees plaintext
  • ✅ 3-2-1 ready: Hosted (Türkiye) + BYOS (Google Drive/OneDrive) + local desktop copy
  • ✅ WAL+PITR snapshot chain, automatic monthly restore drill
  • ✅ KVKK § 12 + § 11 (deletion + portability) in one panel

Start free 30-day Early Access — No credit card, cancel anytime.

Turkish version of this article: Türkçe oku →
