Executive Briefing
From ransomware to natural disasters, learn how to protect your business data with a comprehensive backup and recovery strategy that minimises downtime.
Understanding the Stakes
The cost of data loss and downtime is staggering:
- Average cost of IT downtime: $5,600 per minute (Gartner)
- Only 6% of companies survive long-term after a major data loss event
- Ransomware attacks increased 74% globally in 2024
- Human error causes 29% of data loss incidents
The 3-2-1 Backup Rule
The gold standard for backup strategy remains the 3-2-1 rule, now often extended to 3-2-1-1-0:
- 3 copies of your data (production + 2 backups)
- 2 different storage types (local disk + cloud/tape)
- 1 offsite copy (cloud or physically separate location)
- 1 air-gapped or immutable copy (one that an attacker holding your production or backup-server credentials cannot encrypt, alter or delete; immutability should be enforced by the storage itself, such as object lock or WORM media, not merely promised by the backup software)
- 0 errors (backup jobs complete cleanly and restores are verified through regular testing)
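The five checks above are easy to state and easy to drift away from. The following script is an added example, not code from the original article or from any vendor: it audits a constructed inventory of data copies against the 3-2-1-1-0 rule. The inventory fields (media, site, immutable, last_verified) are assumptions for illustration. It only counts a copy as immutable if the inventory says the storage enforces it, and it treats a backup whose last successful restore test is older than a month as a failure of the "0 errors" check.

```python
"""Audit an inventory of data copies against the 3-2-1-1-0 rule.

Added example, not code from the original article. The inventory format
(the dict fields below) and the sample copies are constructed for
illustration.
"""
from datetime import date, timedelta

PRODUCTION_SITE = "head-office"
SAMPLE_TODAY = date(2025, 3, 5)

# Constructed sample inventory: production data plus two backup copies.
# "immutable" should be True only when the storage itself enforces it
# (object lock / WORM), not when only the backup software promises it.
INVENTORY = [
    {"name": "prod-fileserver", "role": "production", "media": "disk",
     "site": "head-office", "immutable": False, "last_verified": None},
    {"name": "nightly-nas", "role": "backup", "media": "disk",
     "site": "head-office", "immutable": False,
     "last_verified": date(2025, 3, 2)},
    {"name": "cloud-objectlock", "role": "backup", "media": "object-storage",
     "site": "cloud-region-a", "immutable": True,
     "last_verified": date(2025, 1, 10)},   # last restore test is stale
]


def audit_321(inventory, production_site, today, max_verify_age_days=31):
    """Return {rule: passed} for each of the five 3-2-1-1-0 checks."""
    backups = [c for c in inventory if c["role"] == "backup"]
    media_types = {c["media"] for c in inventory}
    offsite = [c for c in backups if c["site"] != production_site]
    immutable = [c for c in backups if c["immutable"]]
    cutoff = today - timedelta(days=max_verify_age_days)
    # A backup that has never been restore-tested, or not recently, is an error.
    stale = [c for c in backups
             if c["last_verified"] is None or c["last_verified"] < cutoff]
    return {
        "3 copies": len(inventory) >= 3,
        "2 media types": len(media_types) >= 2,
        "1 offsite": len(offsite) >= 1,
        "1 immutable": len(immutable) >= 1,
        "0 errors": bool(backups) and not stale,
    }


def failing_rules(inventory, production_site, today):
    """Names of the rules the inventory does not satisfy."""
    result = audit_321(inventory, production_site, today)
    return [rule for rule, passed in result.items() if not passed]


if __name__ == "__main__":
    for rule, passed in audit_321(INVENTORY, PRODUCTION_SITE, SAMPLE_TODAY).items():
        print(f"{'PASS' if passed else 'FAIL'}  {rule}")
```

Run against the sample, the cloud copy satisfies the offsite and immutable checks but its last restore test is two months old, so the only failing rule is "0 errors". Feed it your real inventory and the output is a one-line answer to "are we actually 3-2-1-1-0 today?".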
What to Back Up
Critical Business Data
Identify your most important data: financial records, customer information, contracts, intellectual property, and operational data. This should be backed up most frequently with the longest retention.
Systems and Applications
Beyond data, back up entire system images of your servers. Restoring a complete image is faster than rebuilding a server and reinstalling its applications from scratch. Keep enough image history to restore to a point before a compromise began: an image captured after attackers gained access restores their access along with the server.
Cloud Services (Microsoft 365)
Many businesses assume Microsoft backs up their data. Microsoft provides infrastructure redundancy (multiple copies so that its own hardware failures do not lose your data), not a backup you can restore from. If you delete a file, user, or mailbox beyond the retention periods, it's gone. Third-party Microsoft 365 backup is essential.
Important Note
Critical: Microsoft 365 shared responsibility means you're responsible for your data. Microsoft protects against infrastructure failure; you must protect against accidental deletion, malicious insiders, and ransomware.
Recovery Time and Recovery Point Objectives
- Recovery Time Objective (RTO): How quickly you need systems back online. Can you survive 4 hours? 24 hours? A week?
- Recovery Point Objective (RPO): How much data loss is acceptable. Daily backups mean up to 24 hours of work could be lost. Continuous replication means near-zero loss.
Setting Realistic Objectives
Lower RTO and RPO = higher cost. Balance requirements against budget. Critical systems may need 4-hour RTO and 15-minute RPO. Less critical systems might tolerate 24-72 hour recovery.
Backup Solutions for SMBs
- Veeam: Industry-leading backup for both on-premises and cloud workloads
- Acronis: Backup with integrated cybersecurity features
- Datto: Business continuity platform with instant virtualisation
- Azure Backup: Native cloud backup for Azure VMs and on-premises servers
- Microsoft 365 Backup Solutions: Veeam, Acronis, Barracuda, Afi
Disaster Recovery Planning
1. Document your systems: inventory all servers, applications, and dependencies
2. Define priorities: which systems must be restored first?
3. Assign responsibilities: who does what during a disaster?
4. Document procedures: step-by-step recovery instructions
5. Identify alternative work methods: how will staff work during recovery?
6. List key contacts: vendors, IT support, stakeholders
7. Test regularly: a plan that isn't tested is just documentation
Testing Your Backups
Backups are only valuable if they work. Test recovery regularly:
- Monthly: restore a sample of files and compare them against the originals or their checksums to verify data integrity
- Quarterly: full system restore into an isolated environment, on a network segment that cannot reach production, so a restored server cannot conflict with live systems or reintroduce malware
- Annually: full disaster recovery simulation, run from the written plan by the people named in it
- Record the result and duration of every test, and fix any failure before the next backup cycle
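A restore test is only as good as the comparison behind it: a file that restores but silently differs from the original is still data loss. The script below is an added example, not code from the original article or any backup product. It records a SHA-256 manifest of a source tree at backup time, then checks a restored tree against that manifest and reports missing, corrupted and unexpected files. The manifest format and the sample files are constructed assumptions; in use, point verify_restore() at a restore staged in an isolated directory, never at production, and keep the manifest somewhere the backup job itself cannot rewrite.

```python
"""Restore test: verify restored files against a SHA-256 manifest taken
at backup time.

Added example, not code from the original article. The manifest format
and the sample files are constructed assumptions.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files never load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX style) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest and report what is wrong."""
    missing, corrupted, ok = [], [], 0
    for rel, expected in manifest.items():
        candidate = restored_root / rel
        if not candidate.is_file():
            missing.append(rel)
        elif sha256_file(candidate) != expected:
            corrupted.append(rel)
        else:
            ok += 1
    # Files present in the restore but absent from the manifest are suspicious too.
    extra = sorted(set(build_manifest(restored_root)) - set(manifest))
    return {"ok": ok, "missing": missing, "corrupted": corrupted,
            "extra": extra, "passed": not (missing or corrupted)}


def demo(workdir=None) -> dict:
    """Constructed scenario: three source files, and a restore that lost one
    file and silently delivered an older version of another."""
    root = Path(workdir) if workdir else Path(tempfile.mkdtemp())
    src = root / "source"
    (src / "finance").mkdir(parents=True, exist_ok=True)
    (src / "hr").mkdir(exist_ok=True)
    (src / "finance" / "ledger.csv").write_bytes(b"date,amount\n2025-03-01,120.00\n")
    (src / "hr" / "payroll.csv").write_bytes(b"staff,amount\nA. Citizen,5000\n")
    (src / "contracts.txt").write_bytes(b"MSA v3 signed 2025-02-14\n")
    manifest_path = root / "manifest.json"
    manifest_path.write_text(json.dumps(build_manifest(src), indent=2))

    restored = root / "restore"
    (restored / "finance").mkdir(parents=True, exist_ok=True)
    (restored / "finance" / "ledger.csv").write_bytes(b"date,amount\n2025-03-01,120.00\n")
    (restored / "contracts.txt").write_bytes(b"MSA v2 signed 2024-11-02\n")  # stale version
    # hr/payroll.csv deliberately not restored
    return verify_restore(json.loads(manifest_path.read_text()), restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the constructed scenario one file verifies, one is missing and one is corrupted, so the test fails and names both problem files; that list is what goes into the test record and the ticket.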
How We Researched This Article
This article was compiled using information from authoritative industry sources to ensure accuracy and relevance for Australian businesses.
Sources & References
- Australian Cyber Security Centre - Backups: ACSC Essential Eight guidance on backup strategies
- NIST Cybersecurity Framework: framework for improving critical infrastructure cybersecurity
- Veeam Data Protection Trends: annual research on backup and recovery trends
- Gartner Disaster Recovery Research: industry analyst research on DR best practices
* Information is current as of the publication date. Cybersecurity guidelines and best practices evolve regularly. We recommend verifying current recommendations with the original sources.
Frequently Asked Questions
How often should we back up?
Frequency depends on how much data loss you can tolerate. Critical systems often need continuous or hourly backups. Standard file servers typically use daily backups. Define your RPO first, then set backup schedules accordingly.
Should we use local or cloud backup?
Both is ideal. Local backup provides fast recovery for common issues (accidental deletion, hardware failure). Cloud backup protects against site disasters (fire, flood, theft). The 3-2-1 rule recommends both for comprehensive protection.
How long should we keep backups?
Retention periods depend on compliance requirements and business needs. Typical approach: daily backups for 30 days, weekly for 3 months, monthly for 1 year, yearly for 7 years. Some industries have specific legal requirements.
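The tiered schedule in that answer is a grandfather-father-son policy, and the part that usually goes wrong is the pruning: deciding, on any given day, which old snapshots are still the retained weekly, monthly or yearly copy. The function below is an added example, not code from the original article or any backup product. It applies the schedule above to a constructed list of daily snapshot dates; treating "3 months" as 13 ISO weeks and "yearly" as the newest snapshot of each calendar year are assumptions.

```python
"""Grandfather-father-son retention: choose which dated backups to keep.

Added example, not code from the original article. The tiers follow the
FAQ answer (daily for 30 days, weekly for 3 months, monthly for 1 year,
yearly for 7 years); treating "3 months" as 13 ISO weeks is an assumption,
and the snapshot dates are constructed.
"""
from datetime import date, timedelta


def _months_between(earlier: date, later: date) -> int:
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def gfs_keep(snapshots, today, daily_days=30, weekly_weeks=13,
             monthly_months=12, yearly_years=7):
    """Return the set of snapshot dates to retain.

    A snapshot survives if it falls inside the daily window, or is the
    newest snapshot of an ISO week, calendar month or year that is still
    inside that tier's window. Anything else may be pruned.
    """
    snaps = sorted(d for d in set(snapshots) if d <= today)
    keep = {d for d in snaps if (today - d).days < daily_days}

    def newest_per_bucket(key, in_window):
        newest = {}
        for d in snaps:
            if in_window(d):
                k = key(d)
                if k not in newest or d > newest[k]:
                    newest[k] = d
        return set(newest.values())

    keep |= newest_per_bucket(lambda d: d.isocalendar()[:2],
                              lambda d: (today - d).days < weekly_weeks * 7)
    keep |= newest_per_bucket(lambda d: (d.year, d.month),
                              lambda d: _months_between(d, today) < monthly_months)
    keep |= newest_per_bucket(lambda d: d.year,
                              lambda d: today.year - d.year < yearly_years)
    return keep


def prune_plan(snapshots, today):
    """Split snapshots into (keep, delete) lists, both sorted oldest first."""
    keep = gfs_keep(snapshots, today)
    return sorted(keep), sorted(set(snapshots) - keep)


def daily_snapshots(start: date, end: date):
    """Constructed sample: one snapshot per day from start to end inclusive."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


SAMPLE_TODAY = date(2025, 3, 5)
SAMPLE_SNAPSHOTS = daily_snapshots(date(2018, 1, 1), SAMPLE_TODAY)

if __name__ == "__main__":
    keep, delete = prune_plan(SAMPLE_SNAPSHOTS, SAMPLE_TODAY)
    print(f"{len(SAMPLE_SNAPSHOTS)} snapshots -> keep {len(keep)}, delete {len(delete)}")
    for d in keep:
        print(d.isoformat())
```

On the sample (daily snapshots since the start of 2018, evaluated on 5 March 2025) the plan keeps 54 snapshots: the last 30 days, the Sunday of each earlier week back to early December, each month-end back to April 2024, and 31 December for 2019 through 2024. Run the plan in dry-run mode and review the delete list before wiring it to anything that actually removes data, and never let the account that runs pruning hold delete rights on the immutable copy.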
Doesn't Microsoft already back up our Microsoft 365 data?
Microsoft provides limited retention (a 93-day recycle bin for SharePoint and OneDrive; 14 days by default, up to 30, for deleted Exchange items). It does not provide point-in-time backup or protection against ransomware encrypting your cloud data. Third-party Microsoft 365 backup is strongly recommended.