Protect Your Business with Backup and Recovery
This guide outlines what to back up, how to secure it, and how to recover fast with RTO/RPO goals, the 3-2-1-1-0 rule, and a 90-day action plan.
What “Backup” and “Disaster Recovery” Really Mean
Backup is the creation of safe, restorable copies of your data on a separate medium or service. When a file is deleted, encrypted by ransomware, or corrupted, you can restore from a previous point in time.
Disaster Recovery (DR) is the orchestrated process that gets your systems, applications, and data back online to an acceptable level after an incident, whether a cyber-attack, natural disaster, power failure, major outage, or human error. Backup is one component of DR; DR is the playbook for getting your business running again.
Think of it this way:
- Backup: “We have copies.”
- DR: “We know how fast we can use those copies to be back in business, and we’ve proved it.”
Why a DR Plan Matters (Beyond the Obvious)
1. Protects sensitive customer information
Your databases contain customer contact details, financial records, and contracts. Losing them, or losing control of them, damages relationships and can trigger legal obligations and penalties. A tested DR plan limits exposure and reinstates service swiftly.
2. Preserves your reputation
Incidents happen. What matters is your speed and professionalism in response. If you restore quickly and communicate transparently, customers view you as competent and trustworthy.
3. Reduces executive anxiety
Leadership can focus on growth when they know that if something goes wrong, there’s a step-by-step runbook to restore operations within agreed timeframes.
4. It’s cost-effective
The cost of downtime and data loss almost always exceeds the cost of DR readiness. A modest, well-engineered DR capability can save hundreds of thousands (or more) during a single incident.
Key Concepts: RTO, RPO, and the 3-2-1-1-0 Rule
Recovery Time Objective (RTO)
How long can you afford to be down?
Recovery Point Objective (RPO)
How much data can you afford to lose?
If backups run every 24 hours, your RPO is 24 hours: you could lose up to a day’s work. For critical databases, aim for minutes via continuous data protection (CDP) or frequent snapshots.
The 3-2-1-1-0 Backup Rule
- 3 copies of your data (production + 2 backups)
- 2 different media or storage types (e.g., disk + cloud)
- 1 copy offsite (for site-wide disasters)
- 1 offline/immutable copy (air-gapped or object-lock) to resist ransomware
- 0 backup integrity errors (verified with regular recovery tests)
This rule is pragmatic, affordable, and effective in 2025.
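The rule above can be expressed as a policy check. The following is an added example, not code from the guide; the Copy attributes and the sample inventory are constructed for illustration, and media types are counted across the backup copies only.

```python
# 3-2-1-1-0 check (added example, not from the guide): evaluate a backup
# inventory against each element of the rule. The Copy attributes and the
# sample inventory are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    name: str
    media: str           # e.g. "disk", "object-storage", "tape"
    offsite: bool        # held away from the production site
    immutable: bool      # object lock / WORM / air-gapped
    verify_errors: int   # errors from the most recent test restore
    production: bool = False


def check_3_2_1_1_0(copies):
    """Map each element of the rule to True (met) or False (not met)."""
    backups = [c for c in copies if not c.production]
    return {
        "3_copies": len(copies) >= 3 and len(backups) >= 2,
        "2_media": len({c.media for c in backups}) >= 2,
        "1_offsite": any(c.offsite for c in backups),
        "1_immutable": any(c.immutable for c in backups),
        "0_errors": bool(backups) and all(c.verify_errors == 0 for c in backups),
    }


def gaps(copies):
    """Elements of the rule that are not met, in 3-2-1-1-0 order."""
    return [k for k, ok in check_3_2_1_1_0(copies).items() if not ok]


# Constructed inventory: a typical SMB before adding an immutable copy and
# before its cloud copy passes a test restore cleanly.
SAMPLE = [
    Copy("prod-san", "disk", offsite=False, immutable=False, verify_errors=0,
         production=True),
    Copy("nas-nightly", "disk", offsite=False, immutable=False, verify_errors=0),
    Copy("cloud-weekly", "object-storage", offsite=True, immutable=False,
         verify_errors=2),
]
```

Running `gaps(SAMPLE)` reports the two unmet elements (the missing immutable copy and the non-zero verification errors), which is the to-do list for the roadmap later in this guide.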
Backup Options: On-Prem, Offsite, Cloud, SaaS, and Immutable
On-Premises Backups (Local Disk/NAS/Tape)
- Pros: Fast local restores; full control; cost-efficient at scale
- Cons: Vulnerable to site disasters and ransomware if not isolated; maintenance overhead
Offsite Backups
- Pros: Protection from local disasters; separation of duties
- Cons: Slower retrieval if bandwidth-limited; requires logistics or solid network links
Cloud Backups (IaaS/Object Storage)
- Pros: Elastic capacity; geographic redundancy; lifecycle policies; object lock/immutability options
- Cons: Ongoing OpEx; careful cost management needed (egress, API calls)
SaaS Application Backups (Microsoft 365, Google Workspace, Salesforce, etc.)
- Reality check: SaaS does not equal backup. Native recycle bins and short retention are not a DR strategy. Use third-party SaaS backup to protect mailboxes, SharePoint/Drive, Teams/Chat, calendars, CRM records, and metadata.
Immutable & Air-Gapped Backups
- Immutable: Data written once and cannot be altered/deleted during a retention window (object lock, WORM).
- Air-gapped: Physically or logically separated, so malware can’t reach it (e.g., tape vaulting, isolated cloud account with no persistent credentials).
Replication, Snapshots, and CDP
- Snapshots: Point-in-time copies (VMs, databases, storage volumes) for fast rollback.
- Replication: Copies data to a secondary site or cloud for warm/hot standby.
- CDP: Near-real-time capture of changes; ultra-low RPOs for critical workloads.
What to Back Up (A Practical Inventory)
Back up data and the things that make data usable:
Core Data
- Databases: ERP, CRM, finance, line-of-business apps (transaction logs + full backups)
- File shares & object stores: Documents, media, design files, legal archives
- Email & collaboration: Mailboxes, Teams/Slack/Chat history, calendars, sites
- SaaS app data & metadata: Records, attachments, configuration
Systems & Configuration
- Virtual machines & images: System state, OS, application binaries
- Infrastructure-as-Code: Terraform, CloudFormation, Helm charts
- Network & security configs: Firewalls, routers, load balancers, WAF rules
- Identity & access: IAM policies, SSO configs, MFA settings, directory exports
Business Records
- Financial: Accounting ledgers, invoices, payroll, BAS/GST records
- Customer & vendor: Contracts, proposals, signed agreements
- HR: Employee records, policies, training attestations
- IP & legal: Designs, code repositories, patents, licences
Don’t Forget Endpoints
- Laptops/desktops of remote and hybrid staff (policy-based, silent backups of critical folders)
- Mobile devices (selective: photos/docs for field teams if business-critical)
Designing Your Disaster Recovery Plan (DRP)
A DRP is a living document and a set of orchestrated processes. Here’s how to build it.
1) Business Impact Analysis (BIA)
Identify the business processes (e.g., order processing, support, payroll) and map them to systems/data. For each, define:
- Maximum tolerable downtime (MTD)
- RTO/RPO
- Dependencies (identity, DNS, networking, third-party APIs)
- Owner (accountable person/role)
2) Risk Assessment
List risk scenarios: ransomware, accidental deletions, database corruption, ISP outage, data centre failure, bushfire/flood, regional cloud outage, insider threat. Rate likelihood and impact to prioritise controls and DR investments.
3) Architecture & Runbooks
Document how you’ll recover:
- Topologies: Primary site, secondary site, cloud region(s)
- Backup policies: Frequencies, retention, encryption, immutability windows
- Recovery runbooks: Step-by-step instructions for each system, including who does what, in what order, with command snippets and screenshots
- Automation: Scripts to restore infrastructure (IaC), redeploy apps, rehydrate data, and update DNS
4) People & Communication
- Roles & responsibilities: Incident Commander, Comms Lead, Tech Leads (Apps, DB, Infra, Security), Vendor Liaison
- Escalation paths: 24×7 contact list, alternates, and time-boxed decision gates
- Stakeholder comms: Pre-approved templates for staff, customers, regulators, and media; status page approach
5) Security Controls for Backups
- Encryption: In transit and at rest; managed keys with strict access
- Segregation of duties: Backup administrators separate from domain admins
- MFA & conditional access: Especially on backup consoles and cloud storage
- Immutable copies: Object lock/WORM; time-bound retention
- Network isolation: Private endpoints, deny-by-default firewalls, no shared credentials
6) Documentation & Accessibility
Store the DRP in multiple places (including an offline copy) so it’s available even when core systems are down.
Testing & Validation: Proving You Can Recover
Backups aren’t tested until you restore them. Build a cadence:
- Quarterly tabletop exercises: Walk through scenarios, decisions, and comms.
- Biannual partial restores: Restore key apps and databases in a sandbox; verify integrity.
- Annual full failover test (or rolling): Prove you can meet RTO/RPO for critical systems.
- Automated test restores: Nightly integrity checks on sample data; verify the “0 errors” in 3-2-1-1-0.
- Post-test reviews: Document lessons, fix runbooks, and track XLA success (experience-level agreements such as “restore email service within 2 hours for 90% of incidents”).
Barriers to Adoption, and How to Overcome Them
Many SMBs cite four common blockers (also seen in cybersecurity practices):
1. No dedicated IT security/DR staff
- Fix: Engage a Managed Service Provider (MSP) for DR design, monitoring, and testing. Start small; scale.
2. Underestimating risk and downtime impact
- Fix: Run a BIA with realistic scenarios. Put dollar values against downtime and data loss.
3. Insufficient planning and vulnerability assessment
- Fix: Create a single, lightweight DRP and iterate. Even a 10-page runbook beats none.
4. Not knowing where to start (perceived complexity)
- Fix: Adopt the 3-2-1-1-0 rule, set RTO/RPO for top 5 systems, schedule a test restore. Momentum follows action.
Security, Compliance & Privacy Considerations
- Australian context: Consider your obligations under the Privacy Act and Notifiable Data Breaches (NDB) scheme if personal information is involved in an incident. Document thresholds and notification workflows in your DRP.
- Retention & legal hold: Align backup retention with legal and industry requirements. Separate backup retention (for recovery) from archive retention (for records).
- Least privilege: Backups are a crown jewel. Lock down who can delete or shorten retention.
- Third-party risk: Validate your vendors’ DR capabilities (SaaS, hosting, MSPs). Request evidence of testing and RTO/RPO guarantees.
- Observability: Log access to backups; send alerts on unusual deletion or policy changes.
Costs, ROI, and a Simple Downtime Calculator
Understanding Cost Components
- One-off: Assessment, initial seeding, configuration, DR runbooks, first tests
- Recurring: Backup software/SaaS, storage (local and cloud), egress during restores, test time, MSP support
- Hidden savings: Fewer incidents escalating, faster audits, reduced cyber insurance premiums
A Simple Model
Let’s estimate the cost of one severe outage:
- Employees impacted: 60
- Average fully-loaded hourly cost: $70
- Downtime hours: 8
- Lost productivity: 60 × $70 × 8 = $33,600
- Revenue impact (missed sales/penalties): $25,000
- Incident response/forensics: $12,000
If a robust DR capability costs $3,000–$7,000/month (typical SMB range; varies widely by scope) and avoids or halves even one such incident, it pays for itself.
90-Day Implementation Roadmap
Days 1–15: Discover & Define
- BIA workshop: Identify critical processes, systems, RTO/RPO.
- Data inventory: What data lives where (on-prem, cloud, SaaS, endpoints)?
- Quick wins: Turn on versioning, block public buckets, enforce MFA on backup consoles.
Days 16–45: Design & Deploy Foundations
- Choose backup tech: Endpoint backup, server/VM backup, database-aware backups, SaaS backup.
- Apply 3-2-1-1-0: Local fast restore + cloud offsite + immutable copy.
- Encrypt & segment: Keys, IAM policies, network isolation for backup storage.
- Draft runbooks: For the top five systems, step by step with screenshots.
- Pilot restores: Prove you can meet target RPOs on non-production data.
Days 46–75: Extend & Automate
- Automate schedules: Policy-based backups for new workloads (joiner/mover/leaver for servers, VMs, SaaS).
- SaaS backup: Microsoft 365/Google Workspace/CRM; set retention and test mailbox/site restores.
- Monitoring & alerts: Failed job alerts, anomaly detection (sudden spikes in changes may indicate ransomware).
- Communication templates: Internal, customer, and regulator draft messages.
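The monitoring and alerting item above, together with the observability point in the compliance section (log access to backups; alert on unusual deletion or policy changes), can be covered by one small monitor over backup job logs. This is an added example, not code from the guide or any particular backup product; the key=value log format and the sample lines are constructed, and the spike threshold (five times the median of prior runs) is an illustrative choice to tune per environment.

```python
# Backup monitoring (added example, not from the guide): alert on failed jobs,
# sudden spikes in changed files (a possible ransomware sign), shortened
# retention, and backup deletions. Log format and sample lines are constructed.
import re
from collections import defaultdict
from statistics import median

TOKEN = re.compile(r"(\w+)=(\S+)")


def parse(line):
    ts, rest = line.split(" ", 1)
    return {"ts": ts, **dict(TOKEN.findall(rest))}


def monitor(lines, spike_factor=5, min_baseline=3):
    """Return (timestamp, message) alerts for constructed key=value log lines."""
    alerts, history = [], defaultdict(list)   # job -> changed_files per good run
    for ev in map(parse, lines):
        ts, job = ev["ts"], ev.get("job")
        if job and ev.get("status") != "ok":
            alerts.append((ts, f"job {job} failed: {ev.get('error', 'unknown')}"))
        elif job:
            changed, prior = int(ev["changed_files"]), history[job]
            if len(prior) >= min_baseline and changed > spike_factor * median(prior):
                alerts.append((ts, f"job {job} changed {changed} files vs baseline "
                                   f"{median(prior):.0f}: possible ransomware"))
            prior.append(changed)
        elif ev.get("action") == "policy_change":
            old, new = (int(x) for x in ev["retention_days"].split("->"))
            if new < old:
                alerts.append((ts, f"{ev['user']} shortened retention {old}->{new} days"))
        elif ev.get("action") == "delete_backup":
            alerts.append((ts, f"{ev['user']} deleted backup {ev['target']}"))
    return alerts


SAMPLE_LOG = [
    "2025-08-01T02:00:05Z job=fs-nightly status=ok changed_files=1820",
    "2025-08-02T02:00:07Z job=fs-nightly status=ok changed_files=1905",
    "2025-08-03T02:00:04Z job=fs-nightly status=ok changed_files=1760",
    "2025-08-04T02:00:09Z job=fs-nightly status=ok changed_files=61230",
    "2025-08-04T02:10:00Z job=db-hourly status=failed error=snapshot_timeout",
    "2025-08-04T03:15:42Z user=svc-backup action=policy_change retention_days=30->3",
    "2025-08-04T03:16:10Z user=svc-backup action=delete_backup target=cloud-weekly",
]
```

`monitor(SAMPLE_LOG)` yields four alerts: the change-rate spike, the failed database job, the retention cut from 30 days to 3, and the deletion of the offsite copy; the last two together are the pattern a backup administrator should treat as urgent.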
Days 76–90: Test & Operationalise
- Tabletop exercise: Ransomware and regional cloud outage scenarios.
- Partial failover test: Restore a critical app end-to-end in a sandbox; validate data integrity.
- Review XLAs: Publish RTO/RPO achievements and gaps; update runbooks.
- Schedule cadence: Quarterly table-tops, biannual restores, annual full failover.
Jargon Buster
Cloud-based backups – A service where data and applications of a business are backed up on a remote server.
Disaster Readiness Audit – An audit to determine how efficient a Disaster Recovery Plan is at mitigating, preparing, responding, and recovering from disasters.