Disaster Recovery Planning for Australian SMEs
You’ve heard of disaster recovery planning, but it sounds complicated and expensive. Surely your backups are enough? Surely disasters are unlikely?
Then a server fails, or ransomware encrypts your files, or a physical disaster (fire, flood, building damage) makes your office inaccessible. You realise too late that “having backups” isn’t the same as “being able to recover and keep operating.”
Disaster recovery planning isn’t optional anymore. It’s essential. And it’s far simpler—and more affordable—than most business owners think.
Understanding RTO and RPO
Disaster recovery has two critical metrics. Understanding these makes planning much clearer.
RTO (Recovery Time Objective). This is how long you can afford to be down. For a small office with few time-sensitive operations, maybe 4 hours is acceptable. For a medical practice, 1 hour might be critical. For an e-commerce business, minutes matter. Your RTO drives your recovery approach.
RPO (Recovery Point Objective). This is how much data you can afford to lose. If your RPO is 1 hour, you’re comfortable losing up to 1 hour of work. If it’s 15 minutes, you need backups more frequently. For most businesses, an RPO of 1–4 hours is reasonable.
These aren’t abstract planning concepts. They define actual investment. A 1-hour RTO requires different infrastructure than a 4-hour RTO. An RPO of 15 minutes requires more frequent backups than an RPO of 4 hours.
Start by defining your RTO and RPO for critical systems. For most SMEs:
- Email and accounting systems: RTO 2–4 hours, RPO 1 hour
- Customer databases: RTO 4 hours, RPO 1–2 hours
- Document storage: RTO 4–8 hours, RPO 1–4 hours
Less critical systems (internal wikis, project management tools, non-essential servers) might have an RTO of 8+ hours and a higher RPO.
Types of Disasters and Recovery Approaches
Hardware failure. A hard drive fails, a server crashes, a critical workstation breaks. Recovery: replace hardware, restore from backup. RTO typically 2–4 hours. This is the most common disaster.
Data loss (accidental deletion, corruption). Someone deletes a critical file, or corruption damages data. Recovery: restore from a recent backup. RTO typically under 1 hour if backups are automated and readily accessible. This requires reliable backups and knowing what you lost.
Ransomware or malware attack. Malicious software encrypts your files or steals data. Recovery: identify the infection, contain it (isolate affected systems), wipe affected computers, restore from clean backups, reboot systems. RTO typically 4–24 hours depending on severity. Critical: your backups must be offline or inaccessible to the attacker, so they can’t encrypt them too.
Cyber breach or data theft. Attackers access your systems and steal data without encrypting it. Recovery: identify the breach, secure the systems, notify affected parties (customers if their data was stolen), work with law enforcement. RTO might be hours (systems come back online) but RPO is different—you’ve already lost data. Prevention is more important than recovery here.
Physical disaster. Fire, flood, building damage, or natural disaster makes your office inaccessible. Recovery: move operations to an alternate location, recover systems and data from off-site backups, re-establish connectivity. RTO typically 24–48 hours. This requires cloud-based systems, off-site backups, or alternate office space.
Extended outage. Extended internet outage, cloud provider failure, power outage lasting days. Recovery: continue operations through alternate connectivity (mobile hotspot, alternate ISP, work-from-home), access systems through alternate networks. RTO depends on your contingency infrastructure.
Backup Strategies and the 3-2-1 Rule
The foundation of disaster recovery is reliable backups. The industry standard is the 3-2-1 rule:
3 copies of your data. One is your working copy. Two are backups. If your working copy is corrupted or lost, you have two backups to restore from.
On 2 different storage media types. Don’t store all three copies on the same type of storage. Example: working copy on the office server (SSD storage), backup 1 on local backup drive (hard disk), backup 2 in cloud storage. If one storage type fails (cloud provider outage, hard drive failure), you still have backups elsewhere.
One copy off-site or offline. If your office catches fire, all on-site backups are lost. If ransomware encrypts everything, including your office backup drive, you’re still safe if one backup is offline (not connected to your network) or at a different location (cloud storage at a different data centre).
In practice, for most SMEs:
Backup 1 (working location). Cloud backup service (Microsoft 365, OneDrive, Google Workspace, Dropbox, etc.). Automated, continuous, accessible from anywhere. This covers accidental deletion and most hardware failures.
Backup 2 (on-site, different media). Local backup to a network drive or external storage. Daily or more frequent. This is fast for restore if you need to recover quickly.
Backup 3 (offline/off-site). Periodic backup to offline storage (disconnected from network) or a separate cloud account at a different provider. This protects against ransomware or catastrophic on-site disaster.
Total cost: roughly $100–$300/month for most SMEs. The protection is enormous.
Testing Your Disaster Recovery Plan
The most common disaster recovery failure: your plan looks good on paper, but you’ve never actually tested it. When disaster strikes, you discover your backup doesn’t work, you don’t remember the recovery process, or the recovery takes far longer than expected.
Test schedule. Quarterly minimum. Set a calendar reminder. Pick one system and practice recovering it. Simulate the scenario realistically.
What to test:
- Can you restore a file from cloud backup? Can you restore the entire email system?
- How long does recovery actually take? Are you meeting your RTO?
- Does recovered data work? Can you access it? Is it usable?
- Do recovery procedures in your plan actually work, or do they need updating?
Document findings. After each test, document what you learned. Update your recovery procedures if needed. Note how long recovery took. Refine your RTO/RPO assumptions if reality differs.
Communicate results. Share findings with your team. If recovery took 3 hours and your RTO is 2 hours, you need to adjust something. If recovery worked perfectly, that’s valuable confidence.
Most businesses find their first recovery test reveals problems. That’s the point. Better to find problems in testing than in an actual disaster.
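A quarterly restore test can be scripted so that "does recovered data work?" and "are you meeting your RTO?" get measured answers. The following is an added example, not part of the original article: it records SHA-256 hashes at backup time, times a restore, and lists missing or altered files. The file names, the 2-hour RTO and the copy-based restore function are constructed stand-ins for a real backup tool.

```python
import hashlib, os, shutil, tempfile, time

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    return {os.path.relpath(os.path.join(d, n), root): sha256_file(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}

def restore_test(manifest, restore_fn, target, rto_seconds):
    """Time restore_fn(target), then compare the restored tree to the manifest."""
    start = time.monotonic()
    restore_fn(target)
    elapsed = time.monotonic() - start
    restored = build_manifest(target)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupt": sorted(p for p in manifest
                          if p in restored and restored[p] != manifest[p]),
        "elapsed_s": round(elapsed, 3),
        "rto_met": elapsed <= rto_seconds,
    }

def demo():
    """Constructed scenario: the backup lost one file and damaged another."""
    files = {"ledger.csv": b"a,b\n1,2\n", "clients.db": b"rows", "notes.txt": b"hi"}
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, target = (os.path.join(tmp, d)
                                for d in ("live", "backup", "restored"))
        os.makedirs(live)
        for name, data in files.items():
            with open(os.path.join(live, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(live)            # recorded at backup time
        shutil.copytree(live, backup)
        os.remove(os.path.join(backup, "notes.txt"))      # file never backed up
        with open(os.path.join(backup, "clients.db"), "wb") as f:
            f.write(b"r0ws")                              # silent corruption
        return restore_test(manifest, lambda t: shutil.copytree(backup, t),
                            target, rto_seconds=2 * 3600)

if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere other than the backup it describes, so a damaged or tampered backup cannot also alter the record it is checked against.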
Building Your Disaster Recovery Plan
Step 1: Inventory critical systems. What systems must be available for your business to function? Probably: email, accounting software, customer database, file storage, any industry-specific software. List them.
Step 2: Define RTO and RPO for each. How long can each be down? How much data loss can you tolerate? Write this down.
Step 3: Document current backup procedures. Do you have backups running? Where are they stored? When was the last test? Write it down. (You might discover you don’t have backups running—this is a critical finding.)
Step 4: Identify gaps. Does your current backup approach meet your RTO/RPO for critical systems? Are backups tested regularly? Is one copy offline? If anything is missing, identify it.
Step 5: Create recovery procedures. For each critical system, document how you’d recover it. What steps? Who does what? How long does it take? Write actual procedures, not vague descriptions.
Step 6: Test and refine. Run a recovery test. Update procedures based on what you learn. Schedule regular retesting.
Step 7: Communicate and train. Key personnel need to know the recovery plan. If the person who handles backups is absent during a disaster, someone else needs to take over. Regular communication ensures people remember.
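The gap check in Step 4, written out as an added example (not code from this article or from any backup product): it tests each system's copies against the 3-2-1 rule, its RPO and RTO, and a quarterly test interval. The inventory, field names and the 92-day interval are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (hypothetical systems, copies and timestamps).
NOW = datetime(2024, 6, 1, 12, 0)
INVENTORY = [
    {"system": "accounting", "rto_h": 4, "rpo_h": 1,
     "last_test": datetime(2024, 4, 20), "last_restore_h": 3.0,
     "copies": [
         {"media": "ssd", "offsite": False, "offline": False, "at": NOW},
         {"media": "hdd", "offsite": False, "offline": False,
          "at": NOW - timedelta(minutes=40)},
         {"media": "cloud", "offsite": True, "offline": False,
          "at": NOW - timedelta(minutes=30)},
     ]},
    {"system": "documents", "rto_h": 8, "rpo_h": 4,
     "last_test": datetime(2023, 11, 1), "last_restore_h": 10.0,
     "copies": [
         {"media": "ssd", "offsite": False, "offline": False, "at": NOW},
         {"media": "ssd", "offsite": False, "offline": False,
          "at": NOW - timedelta(hours=26)},
     ]},
]

def find_gaps(entry, now=NOW, test_interval_days=92):
    """Return a list of gap descriptions for one system (empty = compliant)."""
    gaps = []
    copies = entry["copies"]
    backups = copies[1:]  # by convention here, the first copy is the working copy
    if len(copies) < 3:
        gaps.append("fewer than 3 copies")
    if len({c["media"] for c in copies}) < 2:
        gaps.append("fewer than 2 media types")
    if not any(c["offsite"] or c["offline"] for c in backups):
        gaps.append("no off-site or offline copy")
    newest = max((c["at"] for c in backups), default=None)
    if newest is None or now - newest > timedelta(hours=entry["rpo_h"]):
        gaps.append("newest backup older than RPO")
    if entry["last_test"] is None or (now - entry["last_test"]).days > test_interval_days:
        gaps.append("restore test overdue")
    if entry["last_restore_h"] is None or entry["last_restore_h"] > entry["rto_h"]:
        gaps.append("measured restore time exceeds RTO")
    return gaps

def report(inventory=INVENTORY):
    return {e["system"]: find_gaps(e) for e in inventory}

if __name__ == "__main__":
    for system, gaps in report().items():
        print(system, "OK" if not gaps else "; ".join(gaps))
```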
Cloud-Based Disaster Recovery
For many SMEs, cloud-based systems simplify disaster recovery. If your email is in Microsoft 365, your data is already geographically redundant and backed up by Microsoft. If your accounting is in Xero or MYOB, your data is in the cloud.
This reduces your burden. You don’t need to manage backups for cloud systems—the provider does. But you still need to think through RTO (how long until you can access the cloud system again if there’s an outage?) and RPO (how long ago was your data last synced?).
Hybrid approaches work well: cloud for always-available systems, local/cloud backups for additional data.
Disaster Recovery for Physical Disasters
If your office becomes inaccessible (fire, flood, building damage), you need to continue operations. Options:
Work-from-home capability. If your systems are cloud-based and accessible remotely, your team can work from home. This requires: everyone having a laptop, remote access configured, broadband at home. For many SMEs, this is sufficient.
Alternate office space. Arrange access to an alternate office (another office location, co-working space, temporary rental) where staff can work temporarily while your main office is repaired or rebuilt.
Business continuity plan. Document which functions are critical and must continue, which can temporarily pause. Who needs to work from where? What equipment do they need? How is customer communication handled?
For most SMEs, work-from-home is sufficient because offices are largely optional if systems are cloud-based. The critical piece is: do you have a plan? Have you tested that your team can actually work from home if needed?
Getting Help With Disaster Recovery
Many SMEs benefit from professional help building and maintaining disaster recovery infrastructure. A managed IT provider can:
- Assess your critical systems and define appropriate RTO/RPO.
- Design a backup and recovery strategy that meets your needs.
- Implement backup systems, test them, and maintain them.
- Conduct regular recovery tests.
- Keep your disaster recovery plan up to date as systems change.
- Respond quickly if disaster does strike.
This is far simpler than trying to build this yourself.
Starting Simple
You don’t need a complex disaster recovery plan. Start with the essentials:
- Daily automated backups to cloud storage (Microsoft OneDrive, Google Drive, or a cloud backup service).
- Weekly local backup to an external drive kept at the office.
- Monthly offline backup (backup to a drive, disconnect it from the network, store it off-site).
- Quarterly test: restore a file from each backup method and verify it works.
- Basic procedure document: who recovers what, how they do it, who to contact if something goes wrong.
This simple plan covers most disasters and costs very little.
The Bottom Line
Disaster recovery isn’t a luxury. It’s essential. It protects your business against the disasters that are statistically likely to happen to you.
A solid plan is simple to build, inexpensive to maintain, and invaluable when needed. Start with understanding your RTO and RPO. Build reliable backups following the 3-2-1 rule. Test regularly. Document procedures. You’re protected.
If you’re uncertain whether your current backup approach meets your needs, we can help assess your disaster recovery readiness. Contact us or call 1300 028 324. We’ll review your current setup and recommend improvements.




