Why every growing business needs a Backup and Disaster Recovery plan

Sep 18, 2025

 


As your business grows, so do its risks. Where IT issues previously meant minor downtime, they can now spiral into reputation damage, lost sales, or even regulatory trouble. For many SMEs this increases the stress of IT and causes further worries. Some ignore Backup and Disaster Recovery (BDR) because they underestimate just how high the stakes really are. Others ignore it because it feels like too big an issue to deal with.

Whatever the reason, every growing business needs more than just to cross their fingers and hope. They need a clear, trusted backup and disaster recovery plan.

Here are some simple steps to help you get started.

Backup vs. Disaster Recovery – what’s the difference?

Firstly, let’s explain what each term means, how each element helps you, and how they work together.

  • Backup is the act of making a copy of your data, including documents, databases, emails, and systems, and storing it in specific locations. But it is simply that – a copy of the data.
  • Disaster Recovery (DR) is creating a more detailed plan to ensure that your business systems and infrastructure can be restored if anything happens to them.

They are discussed together because you need both to be ready to go in the event of an IT incident.

The business risk of “backups without a plan”

As shown above, backing up data is necessary, but it’s not sufficient. Here’s why a disaster recovery plan is so important to have, alongside backups:

1- Hidden downtime

Restoring from backup means you haven’t lost vital data, but fully restoring the data often takes far longer than expected. A recovery plan helps you to structure how to restore your data so that as little time is lost as possible.

2- Ransomware and cyber threats

In our modern, digital world, cyberattacks are becoming increasingly prevalent. If this happens to you, only being able to restore your data won’t get your business back up and running. You need a recovery solution.

3- Regulatory exposure

If you handle sensitive or regulated data, then not being able to recover it quickly, or at all, might result in legal penalties.

4- Real-world cost

A recent government survey found that, among businesses that said breaches had a cost to them, the average reported cost of the most disastrous breach was over £3,500. That figure is an average of self-reported estimates, which the report itself said “may represent an underestimation of full financial impact.”

5- Real-world example

On 27 June 2017, Maersk was hit by the NotPetya cyberattack, crippling its global network across ports and terminals and causing estimated losses of $250–300 million. IT staff disconnected the entire network to stop the spread and set up a recovery centre near Maidenhead, UK, with help from Deloitte. While most servers had recoverable backups, all domain controllers were wiped—except for one in Ghana that had been offline during a power outage. That single surviving backup proved pivotal in restoring Maersk’s operations and shows the need to keep offline backups as well.

Entra ID – the overlooked risk

For many SMEs, Microsoft Entra ID (formerly Azure Active Directory) is at the heart of daily operations. It manages user logins, email access, Teams, and even links into third-party apps.

The challenge is that Microsoft doesn’t provide a full native backup for Entra ID. While you can recover deleted users or groups in certain cases, if the tenant itself is compromised during a cyberattack or through malicious access, recovery becomes far more complex.

What can this mean for your business?

  • Loss of access – staff locked out of email, Teams, and line-of-business apps.

  • Delays in recovery – rebuilding policies, groups, and permissions from scratch can take days.

  • Wider disruption – because Entra ID integrates with multiple systems, one compromise quickly spreads its impact.

  • Compliance risk – identity and access controls are core to security frameworks. Losing them can expose you to regulatory penalties.

That’s why your backup and disaster recovery plan should include Entra ID. By protecting users, groups, and policies, you ensure that recovery restores access as well as data.

At ERGOS, we help clients build plans that don’t just recover files, but recover their ability to keep working.

Setting the right recovery objectives (RTO and RPO)

What recovery looks like will depend on your business and your business’s requirements. Obviously, the goal is to get everything up and running as if nothing ever happened. But what do you prioritise with your backup and disaster recovery plan?

Two critical business metrics that are often used are:

  • Recovery Time Objective (RTO): How long can you afford to be offline? Can your team wait 24 hours, or does it need to be back up in six, or even less?
  • Recovery Point Objective (RPO): How much recent data loss is tolerable? A few hours’ worth of data? Or maybe a day’s worth?

ERGOS helps clients define these metrics clearly and create plans that will hit the target should anything happen.

The main options for SMEs and what they mean for you

There are a number of ways to approach business continuity and the one you choose will depend on your business requirements.

  • Local backups (on-site): this option is the fastest to restore, but it can be vulnerable to physical threats such as fire or theft.
  • Cloud backups (off-site): this provides safety from local issues and is more scalable, but the downside is that it can often be slower to restore your data.
  • Hybrid (on-site + cloud): here we have the best of both worlds: a quick recovery from a local backup and the added security of an off-site solution should it be needed. ERGOS recommends this approach as it provides both reliability and resilience.
  • In-house disaster recovery planning: if you have the capacity internally, then analysing the risks, setting out the priorities and planning for recovery is something you should be doing.
  • Disaster Recovery as a Service (DRaaS): another option is to outsource the process completely. In this way, you don’t have to manage it at all and can let professionals manage failover, infrastructure, backup systems, and all of your other requirements.

The right choice will depend on your specific needs, but considerations that will affect your decision include data volume, your key objectives (RTO/RPO as above), and how much complexity you want to manage.

Building your backup and disaster recovery plan

If having a backup and disaster recovery plan is becoming a priority for you, here is a step-by-step approach you can follow.

  • Audit your systems
    What systems, data, and workflows do you have? What do you no longer use, and what has become a vital part of the business?
  • Tier your systems
    Now, rank them by business impact. What will affect your business, your customers, and your staff the most if they are not running? This shows you where to focus your backup and disaster recovery resources.
  • Define RTO and RPO
    Assign realistic targets for your recovery plan based on system importance.
  • Select your solution
    Based on the results of the points above, pick the solution – local, cloud, hybrid backups, in-house, or DRaaS – that best meets your needs.
  • Implement
    All you need to do now is to deploy the plan.
  • Test it
    Setting it up is only half the job; regular recovery drills are vital too. As is often said, “the worst time to test a backup is in a crisis”.
  • Document and clarify roles
    As with any plan, it needs to be clearly documented and communicated. Make sure responsibilities are defined and explained.
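The tiering, RTO/RPO and testing steps above can be checked mechanically. The following is an added example, not part of the original article: it compares backup age against each system's RPO and timed restore drills against its RTO, and flags drills older than a year. The inventory, system names, targets and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed inventory (not from the article): system names, tiers, targets
# and timestamps are illustrative assumptions.
INVENTORY = [
    {"system": "orders-db", "tier": 1, "rpo_h": 4, "rto_h": 6,
     "last_backup": "2025-09-18T06:00", "last_drill": "2025-06-01T09:00",
     "drill_restore_h": 5.0},
    {"system": "file-share", "tier": 2, "rpo_h": 24, "rto_h": 24,
     "last_backup": "2025-09-16T23:00", "last_drill": "2025-03-10T09:00",
     "drill_restore_h": 30.0},
    {"system": "entra-id-config", "tier": 1, "rpo_h": 24, "rto_h": 8,
     "last_backup": "2025-09-18T01:00", "last_drill": None,
     "drill_restore_h": None},
    {"system": "archive", "tier": 3, "rpo_h": 168, "rto_h": 72,
     "last_backup": "2025-09-14T02:00", "last_drill": "2024-05-02T09:00",
     "drill_restore_h": 20.0},
]

def check_plan(inventory, now, max_drill_age_days=365):
    """Return (tier, system, finding) tuples, most critical tier first."""
    findings = []
    for item in inventory:
        name, tier = item["system"], item["tier"]
        # RPO: the newest backup must fall inside the tolerated data-loss window.
        age_h = (now - datetime.fromisoformat(item["last_backup"])) / timedelta(hours=1)
        if age_h > item["rpo_h"]:
            findings.append((tier, name,
                f"RPO breach: newest backup is {age_h:.0f}h old, target {item['rpo_h']}h"))
        # RTO is only evidenced by a timed restore drill, never by the backup job.
        if item["last_drill"] is None:
            findings.append((tier, name, "RTO unproven: no restore drill recorded"))
            continue
        if item["drill_restore_h"] > item["rto_h"]:
            findings.append((tier, name,
                f"RTO breach: drill took {item['drill_restore_h']:.0f}h, target {item['rto_h']}h"))
        drill_age = now - datetime.fromisoformat(item["last_drill"])
        if drill_age > timedelta(days=max_drill_age_days):
            findings.append((tier, name,
                f"Stale drill: last restore test was {drill_age.days} days ago"))
    return sorted(findings)

if __name__ == "__main__":
    for tier, name, finding in check_plan(INVENTORY, datetime(2025, 9, 18, 12, 0)):
        print(f"tier {tier}  {name}: {finding}")
```
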

While every business should have this kind of business continuity plan in place, not every business can manage the process themselves. That’s where ERGOS can help. We can take away the stress of creating your backup and disaster recovery plan and give you the peace of mind that you are ready, should the worst happen.

Testing, ownership, and keeping the plan live

From the process framework above, it is often the last two points (Test and Document) that get forgotten, ignored or overlooked by busy companies. Unfortunately, this can invalidate all the hard work put into all the other points. A backup plan is only as good as its maintenance, so here are ways to maintain yours:

  • Test regularly
    Rehearse restores, document any glitches, correct them, and then test again.
  • Assign ownership
    Identify who leads the disaster recovery plan in a crisis. Clarity is important here. Actions and ownership must be clearly set out, including fail-over to cloud and fail-back to on-prem systems.
  • Keep it current
    As your systems evolve, so must your plan. A current disaster recovery plan must match the processes, systems and priorities of your business today.

What does a sensible SME budget look like?

As with the details of your backup and disaster recovery plan, the budget you allocate to it will be specific to your business. It can often feel like a difficult thing to budget for, especially as it is something that you hope to never use.

To help you define how much you should be spending, there are two key areas that you should consider:

  • The cost of having a plan

Here you need to consider what you want your plan to look like, the elements it needs to include and the specifications of those elements.

Considerations will include: your data volume to store and backup; the frequency of backups (RPO) that you need; the speed of recovery (RTO) you need; and what your choice of solution (local, cloud, hybrid, in-house, DRaaS) will look like.

  • The cost of not having a plan

Here you have to consider what the cost to you will be if something does go wrong. What are you protecting and can you put a financial number on that?

For this category, you will need to consider elements such as lost sales, reputational damage, fines, and business productivity. All of these usually far outweigh the cost of a robust backup system.

Backup and Disaster Recovery FAQs

Here are some of the questions that we are asked by businesses just like yours.

  • Do I really need disaster recovery if I already have backups in place?

    • Yes. Backups restore data, but DR ensures your business stays running during outages.
  • What’s the difference between RTO and RPO, and how do I set them?

    • RTO: How fast systems need to be back online.
    • RPO: How much data you can afford to lose.
      • Set them based on which systems are most critical.
  • How much does a backup and disaster recovery plan usually cost for an SME?

  • How often should we test our disaster recovery plan?

    • At least once a year, or more often for critical systems.
  • Can cloud backups alone protect my business from ransomware?

    • No. Cloud backups help, but a full DR plan and security controls are needed to recover quickly.
  • What is Disaster Recovery as a Service (DRaaS), and is it right for small businesses?

    • DRaaS is a managed solution that replicates your systems in the cloud. It’s ideal for SMEs that want quick recovery without extra IT overhead.
  • How do I know which of my systems are “critical” to recover first?

    • Prioritise systems that keep revenue flowing, support customers, or store essential data.
  • What’s the biggest mistake SMEs make when it comes to backup and DR?

    • Not testing their plans until disaster strikes.
  • Who should be responsible for owning and updating the disaster recovery runbook?

    • Someone responsible for IT continuity, usually your IT manager or MSP partner.
  • How can ERGOS help us put a plan in place without disrupting day-to-day work?

Closing Thoughts

As a growing business you are facing growing risks. Downtime to your business from an IT incident is no longer just inconvenient; it can be fatal. But a clear, tested, and well-communicated backup and disaster recovery plan can transform any fear you may have about this happening into control.

By assessing your systems, setting recovery targets, implementing business continuity solutions, and then testing them regularly – supported by the expertise from ERGOS – you will be able to fully recover, should disaster strike.

 

To get started on your backup and disaster recovery plan, contact ERGOS – we will make sure your business is always ready for what comes next.
