Backups Are Not a Disaster Recovery Plan: What SMBs Get Wrong About Data Protection
Most small businesses have some form of backup. Very few have actually tested whether they could recover from a real disaster. That gap between 'having backups' and 'being able to recover' is where businesses fail.
Here is a scenario that plays out more often than anyone in IT would like to admit. A business owner calls on a Monday morning. Ransomware encrypted their server over the weekend. They are calm, because they have backups. Then we start asking questions.
When was your last backup? "It should be nightly." When did you last verify it worked? Silence. Where are the backups stored? "On the external drive connected to the server." The same server that just got encrypted? "...yes."
That conversation is the reason we wrote this article. Having backups and having a disaster recovery plan are two very different things, and the difference only becomes obvious when everything has already gone wrong.
Why Backups Alone Are Not Enough
A backup is a copy of your data at a point in time. A disaster recovery plan is the entire process of getting your business operational again after an incident. The backup is one piece of that plan — an important piece, but not the whole picture.
Here is what a backup alone does not tell you:
- How long will it take to restore your systems to a working state?
- What is the order of priority? Which systems come back first?
- Where will the restored systems run if the original hardware is damaged or compromised?
- Who is responsible for executing the recovery?
- How much data will you lose between the last backup and the incident?
These questions define your Recovery Time Objective (RTO) — how long you can afford to be down — and your Recovery Point Objective (RPO) — how much data you can afford to lose. Every business has different answers, but most small businesses have never asked the questions.
The 3-2-1 Rule
The foundation of any backup strategy is the 3-2-1 rule:
- 3 copies of your data
- 2 different types of storage media
- 1 copy stored offsite
This means your data exists on the original server, on a local backup device, and in a cloud or offsite location. If ransomware encrypts your server and the attached backup drive, the offsite copy survives. If a fire destroys your office, the cloud copy survives.
Many small businesses only have one or two of these three layers. The missing layer is always the one that would have saved them.
Testing Is Not Optional
The most dangerous backup is one that has never been tested. Backup jobs can fail silently — a drive fills up, a permission changes, a software update breaks compatibility. If nobody is checking, those failures accumulate until the day you need that backup and discover it stopped working three months ago.
At minimum, your recovery process should be tested quarterly. That means actually restoring data from the backup and confirming it works — not just checking that the backup job says "completed." For critical systems, monthly testing is better.
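A restore test of the kind described above can be scripted. This is an added example, not code from the original article: it restores an archive into a scratch directory, compares every file against SHA-256 hashes recorded at backup time, and checks the backup's age against the RPO. The function names, the tar.gz format and the manifest layout are assumptions, and the sample backup is constructed.

```python
import hashlib, io, shutil, tarfile, tempfile, time
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def restore_test(archive, manifest, rpo_hours, now=None):
    """Restore `archive` to a scratch directory and compare every file with the
    SHA-256 manifest recorded at backup time. Returns a list of problems."""
    problems = []
    age_h = ((now or time.time()) - Path(archive).stat().st_mtime) / 3600
    if age_h > rpo_hours:
        problems.append(f"stale: newest backup is {age_h:.0f}h old (RPO {rpo_hours}h)")
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        try:
            with tarfile.open(archive) as tar:
                for m in tar:
                    dest = (root / m.name).resolve()
                    # Restore regular files only, and never outside the scratch dir.
                    if m.isfile() and dest.is_relative_to(root):
                        dest.parent.mkdir(parents=True, exist_ok=True)
                        with tar.extractfile(m) as src, open(dest, "wb") as out:
                            shutil.copyfileobj(src, out)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return problems + [f"unreadable: {exc}"]
        for rel, digest in sorted(manifest.items()):
            restored = root / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"corrupt: {rel}")
    return problems

def make_sample_backup(folder, files):
    """Constructed sample data: write a .tar.gz holding `files` (name -> bytes)."""
    archive = Path(folder) / "nightly.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return archive
```

An empty list means the restore worked; a job that reported "completed" but skipped a folder shows up as a `missing:` entry.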
Ransomware Has Changed the Rules
Traditional backup strategies were designed for hardware failure and accidental deletion. Ransomware introduced a new challenge: an attacker who deliberately targets your backups.
Modern ransomware will search for and encrypt backup files, delete shadow copies, and even target cloud backup credentials. Protecting against this requires:
- Immutable backups that cannot be modified or deleted once written, even by an administrator
- Air-gapped or isolated backup copies that are not accessible from the main network
- Backup encryption with credentials stored separately from the backed-up systems
- Monitoring and alerting that flags if backup jobs fail or backup data is tampered with
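The monitoring item above, sketched as an added example that is not from the original article or any backup product: it scans a job history for the silent failures described earlier (no recent usable backup, a "completed" job far smaller than usual) and flags stored backups whose hash changed or which disappeared. The record fields, thresholds and sample history are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

def backup_alerts(jobs, recorded, current, now, max_gap_hours=26, min_ratio=0.5):
    """Return alert strings for a backup set.
    jobs: oldest-first dicts with 'finished' (datetime), 'status', 'bytes'.
    recorded/current: backup file -> SHA-256 noted at write time / observed now."""
    alerts = []
    good = [j for j in jobs if j["status"] == "completed" and j["bytes"] > 0]
    # 1. Silent stop: nothing usable was written inside the expected window.
    last_good = good[-1]["finished"] if good else None
    if last_good is None or now - last_good > timedelta(hours=max_gap_hours):
        alerts.append(f"no successful backup since {last_good}")
    # 2. "Completed" but far smaller than usual, e.g. a share became unreadable.
    if len(good) >= 4:
        baseline = median(j["bytes"] for j in good[:-1])
        if good[-1]["bytes"] < min_ratio * baseline:
            alerts.append(
                f"size anomaly: {good[-1]['bytes']} bytes vs median {baseline:.0f}")
    # 3. Backups already written must never change or disappear afterwards.
    for name, digest in sorted(recorded.items()):
        if name not in current:
            alerts.append(f"backup deleted: {name}")
        elif current[name] != digest:
            alerts.append(f"backup modified: {name}")
    return alerts

# Constructed sample history: five normal nightly jobs, one shrunken
# "completed" run, then two failures nobody looked at.
T0 = datetime(2024, 3, 1, 2, 0)
SAMPLE_JOBS = [
    {"finished": T0 + timedelta(days=d), "status": "completed",
     "bytes": 40_000_000_000 + d * 10_000_000} for d in range(5)
] + [
    {"finished": T0 + timedelta(days=5), "status": "completed", "bytes": 3_000_000_000},
    {"finished": T0 + timedelta(days=6), "status": "failed: disk full", "bytes": 0},
    {"finished": T0 + timedelta(days=7), "status": "failed: disk full", "bytes": 0},
]
```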
What a Real Disaster Recovery Plan Looks Like
A proper disaster recovery plan is a documented, tested set of procedures that answers every question you would face during an incident. It includes:
- System inventory: What systems do you have, where do they run, and what data do they hold?
- Priority ranking: Which systems must come back first? (Hint: it is usually email, accounting, and whatever drives your core operations.)
- Recovery procedures: Step-by-step instructions for restoring each system, including who does what.
- Communication plan: Who gets notified? Employees, clients, vendors, regulators?
- Roles and responsibilities: Who makes decisions during an incident? Who talks to the insurance company?
- Regular testing: The plan is tested at least annually, and updated when systems change.
Getting Started
Building a disaster recovery plan does not have to be overwhelming. The first step is understanding what you have today and where the gaps are. At Fundy Tech, we start with a backup and recovery assessment that maps your current state and identifies the quickest wins.
If you are not confident that your business could recover from a server failure, a ransomware attack, or even a simple hard drive crash — that is exactly the right time to have this conversation. Call us at 902-334-5872 or visit fundy.tech to schedule a backup review.
