Ransomware incidents consistently rank as the most financially damaging cyber events for Polish SMEs. The 2023 CERT Polska annual report identified ransomware as the leading cause of business disruption incidents among companies with fewer than 250 employees. The primary determinant of recovery cost and downtime is not the sophistication of the attack — it is whether a working, tested backup existed before the incident.
This overview documents the backup architectures most commonly implemented by Polish IT service providers for SME clients, including the conditions under which each approach is appropriate.
The 3-2-1 Backup Rule
The 3-2-1 rule specifies three conditions for a minimum viable backup architecture:
- Three copies of the data — one primary and two backups
- Two different storage media types
- One copy stored offsite
This rule was formalised by US-CERT in the early 2000s and remains the baseline standard referenced in ISO/IEC 27001 implementations. For Polish SMEs, a typical 3-2-1 configuration might consist of: primary data on a local NAS device, a second backup on an external hard drive (rotated weekly), and a third backup to a cloud storage service.
An extended variant, the 3-2-1-1-0 rule, adds two requirements: one immutable backup (air-gapped or write-once) and zero errors in restoration tests. This extension became more widely cited following the growth of ransomware attacks capable of encrypting or deleting connected backup targets.
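As an added example (not from the article), the following Python checks a backup inventory against the 3-2-1 rule and its 3-2-1-1-0 extension; the inventory, its media labels and the BackupCopy class are constructed for illustration and reproduce the typical Polish SME configuration described above.

```python
from dataclasses import dataclass

@dataclass
class BackupCopy:
    name: str
    media: str        # constructed labels, e.g. "nas_disk", "external_hdd", "cloud_object"
    offsite: bool
    immutable: bool   # Object Lock / WORM, or an air-gapped copy while disconnected
    is_primary: bool = False

def evaluate_3_2_1_1_0(copies, restore_test_errors):
    """Check each condition of the 3-2-1 rule and of the -1-0 extension."""
    backups = [c for c in copies if not c.is_primary]
    return {
        "three_copies": len(copies) >= 3 and len(backups) >= 2,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in backups),
        "one_immutable": any(c.immutable for c in backups),
        "zero_restore_errors": restore_test_errors == 0,
    }

def failed_conditions(result, extended=True):
    """Names of unmet conditions; extended=False checks plain 3-2-1 only."""
    keys = ["three_copies", "two_media", "one_offsite"]
    if extended:
        keys += ["one_immutable", "zero_restore_errors"]
    return [k for k in keys if not result[k]]

# Constructed inventory matching the typical SME configuration above:
# primary data on a NAS, a weekly-rotated external HDD kept on site,
# and a cloud bucket without Object Lock.
TYPICAL_SME = [
    BackupCopy("production share", "nas_disk", offsite=False, immutable=False, is_primary=True),
    BackupCopy("weekly external HDD", "external_hdd", offsite=False, immutable=False),
    BackupCopy("cloud bucket", "cloud_object", offsite=True, immutable=False),
]

if __name__ == "__main__":
    result = evaluate_3_2_1_1_0(TYPICAL_SME, restore_test_errors=0)
    print("3-2-1 gaps:", failed_conditions(result, extended=False))  # []
    print("3-2-1-1-0 gaps:", failed_conditions(result))              # ['one_immutable']
```

The typical configuration satisfies 3-2-1 but fails the extended rule until one backup copy is made immutable, for example by enabling Object Lock on the cloud copy.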
Backup Frequency and Retention Policies
Recovery Point Objective (RPO) defines how much data a business can afford to lose, expressed as a time window. A business with a 4-hour RPO can tolerate losing up to four hours of work in the worst case. Recovery Time Objective (RTO) defines how quickly systems must be restored before the disruption causes unacceptable business impact.
Typical SME configurations documented in Polish incident response case studies:
- Daily full backup plus incremental changes — most common for file servers and database backups; typically a nightly full backup combined with hourly incrementals.
- Continuous Data Protection (CDP) — replicates changes in near-real-time. Used for business-critical databases, ERP systems, and financial applications. Higher infrastructure cost but RPO measured in seconds rather than hours.
- Snapshot-based backups — supported by modern NAS platforms (Synology, QNAP, TrueNAS). Efficient for virtual machine environments.
Retention periods under Polish law carry specific implications. Data processed under GDPR may not be retained longer than necessary for its original purpose. However, financial records and accounting data carry separate retention obligations under Polish accounting law (ustawa o rachunkowości) — a minimum of five years, with some categories requiring ten years.
Local vs. Cloud Backup
Local Backup (NAS / DAS)
Network Attached Storage devices from Synology, QNAP, and Western Digital are the most common local backup targets in Polish SME environments. They offer high throughput for large backup jobs, are accessible without internet connectivity, and support RAID configurations that protect against disk failure — though RAID is not itself a backup mechanism.
The principal risk with local-only backup is physical co-location: fire, flood, theft, or a ransomware infection with network write access to the backup destination can eliminate both primary and backup data simultaneously. CERT Polska incident reports document multiple cases where backup NAS devices were encrypted alongside production systems because they were permanently mapped as network drives.
Cloud Backup
Cloud backup to platforms such as Backblaze B2, Wasabi, AWS S3 with Object Lock, or Microsoft Azure Backup provides geographic separation without requiring a second physical location. Object Lock (immutable storage) prevents deletion or modification of backup data for a defined retention period — even by an authenticated administrator — which is the primary technical control against ransomware affecting cloud-stored backups.
Polish data sovereignty considerations are relevant for some business categories. Under GDPR, international transfers of personal data require adequacy decisions or standard contractual clauses. For most SME backup use cases, cloud providers offering EU-based storage regions (AWS eu-central-1, Azure West Europe, Google Cloud europe-west3) satisfy residency requirements.
A 2022 study by the Polish Chamber of Information Technology and Telecommunications (PIIT) found that only 31 percent of surveyed SMEs had tested a full backup restoration in the previous 12 months. An untested backup is of uncertain value.
Backup Software for SME Environments
Several backup software categories are widely used by Polish IT service providers for SME clients:
- Veeam Backup & Replication Community Edition — free tier supporting up to 10 workloads, widely used for VMware/Hyper-V environments. The paid tier is common in mid-size SMEs.
- Acronis Cyber Protect — image-based backup with integrated anti-ransomware protection. Particularly common in Polish MSP deployments due to its multi-tenant management console.
- Windows Server Backup — built-in, zero-cost, limited retention management. Acceptable baseline for very small deployments.
- Restic (open-source) — command-line backup tool with strong encryption and deduplication. Used in Linux server environments and by technically capable SMEs managing their own infrastructure.
Testing Restore Procedures
A backup that has never been successfully restored is an assumption, not a verified control. Documented SME incidents in Poland have involved organisations that maintained backup processes for years but discovered during a ransomware recovery event that the backup files were corrupt, the software version was incompatible, or access credentials had changed.
Minimum effective test procedures include:
- Monthly verification that backup jobs are completing without errors
- Quarterly file-level restore test from a backup of known age
- Annual full system restore test to an isolated environment
- Documentation of RTO measured during test events
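As an added example (not from the article), the following Python performs a file-level restore test of the kind listed above: it restores a backup archive into an isolated temporary directory, verifies every file by SHA-256 and records the measured restore time against an RTO target. The sample files, the tar-based backup and the `stale` option are constructed for illustration.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

def sha256_tree(root):
    """Map relative path -> SHA-256 hex digest for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source_dir, archive_path):
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")

def restore_drill(archive_path, expected, rto_seconds):
    """Restore into a fresh isolated directory and verify every file."""
    started = time.monotonic()
    with tempfile.TemporaryDirectory() as restore_dir:
        # Use the hardened extraction filter where this Python version has it.
        opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(restore_dir, **opts)
        restored = sha256_tree(restore_dir)
    elapsed = time.monotonic() - started
    # A file missing from the restore also counts as a mismatch (get() -> None).
    mismatched = sorted(k for k in expected if restored.get(k) != expected[k])
    return {"files_expected": len(expected), "files_restored": len(restored),
            "mismatched": mismatched, "errors": len(mismatched),
            "restore_seconds": round(elapsed, 3), "rto_met": elapsed <= rto_seconds}

def run_drill(rto_seconds=60, stale=False):
    """Constructed sample: three files are backed up, restored and verified.
    stale=True edits a file after the backup so the drill must report it."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "source")
        (src / "accounting").mkdir(parents=True)
        (src / "accounting" / "invoices-2023.csv").write_bytes(b"id;amount\n1;100.00\n")
        (src / "contracts.docx").write_bytes(b"constructed sample " * 50)
        (src / "notes.txt").write_text("restore drill sample\n")
        archive = Path(work, "backup.tar.gz")
        make_backup(src, archive)
        if stale:
            (src / "notes.txt").write_text("edited after the backup ran\n")
        return restore_drill(archive, sha256_tree(src), rto_seconds)

if __name__ == "__main__":
    print(run_drill())
```

The returned record is the kind of evidence the test schedule above calls for: file counts, a list of mismatches, and the measured restore time to compare against the RTO.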
The ENISA SME Data Security Guidelines and the CERT Polska advisory resources both provide backup guidance, in Polish and in English, that this article references.