According to IBM, the average cost of a data breach for small businesses in 2025 exceeded $3.3 million. 60% of small businesses that experience a serious data loss close within 6 months. Yet 73% of companies have an inadequate backup strategy or none at all. Backup is not a technical detail — it is business security.
The 3-2-1 rule: the gold standard of backup
The 3-2-1 rule is a simple, decades-proven methodology:
3 — keep at least 3 copies of data (1 primary + 2 backups)
2 — store copies on 2 different types of media (e.g., local disk + cloud)
1 — 1 copy must be stored offsite (away from the primary location)
The extended version — the 3-2-1-1-0 rule: additionally 1 copy is fully isolated (air-gapped, not connected to any network) and 0 errors during backup integrity verification.
Types of backups
Full Backup
Everything is copied — all files, the entire database. Takes the most space and time, but restoration is simplest — only one recovery point needed. Recommended schedule: weekly or monthly.
Incremental Backup
Only changes since the last backup of any type are copied. Minimum size and time, but restoration is more complex — you need to apply the full backup + all incrementals in sequence. Recommended schedule: daily or several times a day.
Differential Backup
All changes since the last full backup are copied. A compromise between full and incremental: larger than incremental but simpler restoration — only the full + the latest differential are needed.
Backup tools
restic: modern and secure
restic is an open-source backup tool with encryption, deduplication, and support for dozens of backends: S3, Backblaze B2, Google Cloud Storage, SFTP, local disk. It is easy to automate via cron and supports integrity verification.
rsync: the classic for synchronization
rsync is the simplest tool for synchronizing files between servers or local disks. It does not encrypt data by itself (it is used with an SSH tunnel), but it is extremely efficient for large files thanks to its delta-transfer algorithm.
rclone: the bridge to cloud storage
rclone is "rsync for the cloud." Supports 70+ cloud providers: S3 (AWS, Hetzner, Backblaze), Google Drive, OneDrive, Dropbox, and others. Encrypts data on the fly before upload. Ideal for offsite cloud copies.
Veeam: for Windows and VMware environments
Veeam Backup & Replication is the standard for backing up Windows servers and VMware/Hyper-V virtual machines. A free Community Edition is available for smaller environments (up to 10 VMs).
Cloud storage: where to keep offsite copies
Hetzner Storage Box — affordable option from $3.5/month per 1 TB, data centers in Germany and Finland, SFTP/SMB/FTP
Backblaze B2 — $6/TB/month, S3-compatible API, easy to use with rclone and restic
Amazon S3 with Glacier — unlimited volume, but more complex to set up, $0.023/GB/month storage cost
Wasabi — S3-compatible, $6.99/TB/month with no egress fees
RTO and RPO: the two key metrics
RPO (Recovery Point Objective) — maximum acceptable data loss. If RPO = 1 hour, backups must run hourly. For an e-commerce database, RPO is typically 15–60 minutes.
RTO (Recovery Time Objective) — maximum acceptable recovery time. If RTO = 4 hours, the entire system must be restored within 4 hours of a failure. For critical systems — 1–2 hours.
Restore testing: the most important step
A backup without restore testing is an illusion of safety. Real examples: a company made backups for 3 years, then discovered on restore that archives were corrupted due to a silent disk failure. Or that a backup exists, but recovery would take 48 hours — catastrophic when RTO is 4 hours.
Minimum testing plan: monthly — test restoring one file or DB table; quarterly — full restore on a staging server with RTO measurement. Record results in a log.
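An added example, not part of the original article: a bash restore-drill helper for the testing plan above. It records SHA-256 checksums at backup time, verifies a restored tree against them (which catches silent corruption), times the restore against the RTO, and appends the result to a log. Function names, paths and the log format are assumptions; the restore command is whatever your backup tool provides, and GNU coreutils are assumed.

```shell
#!/usr/bin/env bash
# Restore-test drill (added example; names, paths and log format are assumptions).

# make_manifest SRC_DIR MANIFEST: record a SHA-256 per file at backup time.
# Keep MANIFEST outside SRC_DIR and store it with the backup.
make_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# verify_restore RESTORED_DIR MANIFEST: 0 only if every listed file is present
# and byte-identical; with GNU sha256sum an empty manifest fails as well.
verify_restore() {
    local manifest
    manifest="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
    ( cd "$1" && sha256sum -c "$manifest" ) >/dev/null 2>&1
}

# restore_drill RTO_SECONDS LOG MANIFEST RESTORED_DIR RESTORE_CMD [ARGS...]
# Times RESTORE_CMD, verifies the result, appends one line to LOG.
# Returns 0 = pass, 1 = restore or integrity failure, 2 = intact but over RTO.
restore_drill() {
    local rto="$1" log="$2" manifest="$3" target="$4"
    shift 4
    local start end elapsed status=PASS rc=0
    start=$(date +%s)
    "$@" || { status=RESTORE_FAILED; rc=1; }
    end=$(date +%s)
    elapsed=$((end - start))
    if [ "$rc" -eq 0 ] && ! verify_restore "$target" "$manifest"; then
        status=INTEGRITY_FAILED; rc=1
    elif [ "$rc" -eq 0 ] && [ "$elapsed" -gt "$rto" ]; then
        status=RTO_EXCEEDED; rc=2
    fi
    printf '%s status=%s elapsed=%ss rto=%ss target=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$status" "$elapsed" "$rto" "$target" >> "$log"
    return "$rc"
}
```

A non-zero return from the quarterly drill is the signal to alert on: status 1 means the backup cannot be trusted, status 2 means the data is intact but recovery is slower than the business can tolerate.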
Backup automation
Manual backups are not backups — human error guarantees they will eventually be forgotten. Automate via cron on Linux or Task Scheduler on Windows. A restic cron job running nightly at 02:00 with a weekly integrity check on Sundays covers most scenarios.
Investment in a proper backup system — from 2,000 UAH/month (storage + automation). The cost of a lost client database or 3 days of downtime is incomparably higher.