Backup & Disaster Recovery Plan for Small Business: 2026 Step-by-Step

The average cost of an unplanned IT downtime event for a small business is measured in thousands per hour — and that doesn't include the longer-term cost of lost client trust, reputational damage, and the data that sometimes cannot be recovered at all. Despite this, surveys consistently find that fewer than 40% of small businesses have a tested, documented disaster recovery plan. Most assume the backup is working. Most haven't tested it. And many discover the problem only when they actually need it to work.

A backup and disaster recovery plan is not a luxury for enterprises. It's the minimum viable infrastructure for any business that depends on its data and systems to operate — which, in 2026, is every business. This guide walks through the complete process of building a plan that actually works: defining your recovery objectives, choosing the right backup strategy, selecting tools and platforms, and — critically — testing the plan before disaster strikes. We work with businesses worldwide, and the organisations that recover from ransomware, hardware failure, and natural disasters in hours rather than weeks all share one thing: a tested plan built before the event.

Understanding RTO and RPO: The Two Numbers That Drive Everything

Before you choose a single backup tool or cloud provider, you need to define two numbers that will shape every other decision in your disaster recovery plan:

• Recovery Time Objective (RTO): How long can your business operate without access to a given system before the impact is unacceptable? This might be 4 hours for your email system, 2 hours for your point-of-sale system, and 72 hours for your archive file storage. RTO drives how fast your recovery process must work — and therefore how much it will cost to achieve.
• Recovery Point Objective (RPO): How much data can you afford to lose? If you back up nightly and your server fails at 4pm, you lose everything created that day. Is that acceptable? For financial transaction systems, an RPO of 15 minutes might be required. For a marketing assets folder, an RPO of 24 hours might be fine.

Start by listing your 5–10 most critical business systems and assigning a realistic RTO and RPO to each. Don't default to 'as fast as possible' for everything — that drives unnecessary cost. Be honest about the actual business impact of different downtime durations. Your accounting software being down for 4 hours is a problem. Your archive storage being unavailable for 72 hours probably isn't. The difference in recovery cost between those two requirements is substantial.

The 3-2-1 Backup Rule (and the 2026 Update: 3-2-1-1-0)

The 3-2-1 rule has been the foundation of backup strategy for 20 years. It states: keep 3 copies of your data, on 2 different types of storage media, with 1 copy offsite. It remains valid and is the minimum standard for any SMB backup strategy.

In 2026, the updated version — 3-2-1-1-0 — adds two important components driven by the ransomware threat:

• 3 copies of your data (production data + 2 backups)
• 2 different storage media types (e.g., local NAS + cloud)
• 1 offsite copy (separate physical or logical location from production)
• 1 air-gapped or immutable copy (a backup that cannot be modified or deleted by ransomware — cloud providers offer immutable storage options)
• 0 errors in verified backup jobs (every backup job should be monitored and errors immediately investigated — silent backup failures are common and catastrophic)

The immutable copy is the 2026 addition that matters most. Modern ransomware actively targets backup systems, deleting or encrypting backup copies before launching the main attack. An air-gapped or immutable backup (using features like AWS S3 Object Lock, Wasabi Immutable Buckets, or Backblaze Immutability) cannot be touched by ransomware, ensuring at least one clean recovery point regardless of what the attack reaches.

What to Back Up: A Complete Inventory for SMBs

The most common backup gap in small businesses is incomplete scope — backing up some systems but not others, or backing up files but not the configurations and credentials needed to restore operations.

Critical data to back up

• Business files and documents: Shared drives, file servers, SharePoint/OneDrive, Google Drive content. Don't assume cloud sync is the same as backup — sync propagates deletions and ransomware encryption immediately.
• Email and calendars: Microsoft 365 and Google Workspace have limited native backup capabilities. Third-party tools like Veeam Backup for Microsoft 365, Spanning, or Backupify are required for proper email backup.
• Databases: CRM, accounting software, ERP, and any custom application databases. These are often mission-critical but frequently overlooked in SMB backup plans.
• Website and web applications: Your website hosting, databases behind your site, and any web application data. Many website backups are not tested for full restore capability.
• Virtual machines and server images: Full system image backups of servers enable bare-metal recovery — restoring a complete server to new hardware rather than reinstalling and reconfiguring from scratch.

What people forget to back up

• SaaS application data (CRM records, project management data, design tool assets)
• Device-level data on laptops and mobile devices outside corporate sync
• System configurations, scripts, and documentation needed to rebuild infrastructure
• Cloud storage not covered by Microsoft 365 or Google Workspace backup

Backup Tools and Platforms for SMBs in 2026

The backup market has consolidated around a set of well-tested platforms suitable for SMBs. Here are the most widely deployed options by category:

Endpoint and server backup

• Veeam Backup and Replication: The enterprise standard for VM and server backup. Excellent for SMBs with on-premise or hybrid infrastructure. Strong Microsoft 365 and cloud integration.
• Acronis Cyber Protect: Combines backup with endpoint security and ransomware protection. Good all-in-one option for SMBs without dedicated security tooling.
• Datto SIRIS: Purpose-built for SMBs, with built-in business continuity features (ability to virtualise a failed server from the backup appliance while you restore). Popular with managed service providers.

Cloud and SaaS backup

• Veeam Backup for Microsoft 365: The leading solution for backing up Exchange Online, SharePoint Online, OneDrive, and Teams data.
• Backupify / Spanning: Google Workspace and Microsoft 365 backup with easy restore and compliance reporting. Strong options for SMBs preferring a fully managed SaaS backup solution.

Cloud storage for backup destinations

• Backblaze B2: Low-cost, S3-compatible object storage with immutability features. Popular for SMB backup destinations.
• Wasabi: Predictable flat-rate pricing with no egress fees. Immutable bucket support. Strong alternative to AWS S3 for SMBs sensitive to unpredictable cloud storage bills.
• AWS S3 / Azure Blob Storage: Enterprise-grade object storage with deep compliance and immutability options. More configuration required but maximum flexibility.

Building Your Disaster Recovery Runbook

A backup without a recovery procedure is an incomplete plan. A disaster recovery runbook is a documented, step-by-step guide that tells your team exactly what to do when a specific failure scenario occurs. It should be written in plain language, stored in multiple locations (including offline), and usable by someone who was not involved in designing the original infrastructure.

What a runbook should contain

1. Scenario description: What type of failure does this runbook address? Ransomware attack, server hardware failure, office fire, cloud provider outage?
2. Responsible parties: Who does what? Names, roles, and contact information. Include an escalation path if the primary contact is unavailable.
3. Step-by-step recovery procedure: In sequence, numbered steps. Include login credentials vault locations, system access procedures, and verification steps at each stage.
4. Recovery time target: The RTO for this scenario and which systems are restored in what order of priority.
5. Communication plan: Who notifies clients, vendors, and staff? What do you say? A pre-drafted communication template avoids delays and inconsistencies during the chaos of an actual incident.
6. Post-recovery checklist: Steps to take after systems are restored — scanning for remaining threats, changing credentials, documenting lessons learned, notifying any regulatory bodies if data was breached.

Store your runbook in at least three places: a printed copy in a secure physical location, an encrypted copy in cloud storage accessible without your primary systems being operational, and a copy with your IT support provider or managed service partner.

Testing Your Backup and Recovery Plan

A backup plan that has never been tested is not a plan — it's a hope. Backup failures are common, and they fail silently: corrupted backup files, incomplete snapshots, misconfigured retention policies, and authentication failures that prevent restore are all discovered at the worst possible time unless tested proactively.

Testing schedule

• Monthly: Verify that all scheduled backup jobs completed successfully with no errors. Check backup storage utilisation and retention policy compliance. This should be automated with alert notifications — don't do it manually.
• Quarterly: Perform a test restore of individual files and database records from backup. Confirm the restore process works as documented and the restored data is intact.
• Annually: Conduct a full disaster recovery simulation — a tabletop exercise or a live test where you actually attempt to restore a critical system from backup to a test environment. This is the only way to validate your RTO and RPO targets against reality.

Document every test: what you tested, the results, any failures encountered, and what was corrected. This documentation satisfies auditors, insurers, and clients who ask about your data protection practices. It also creates a history of your backup programme's maturity that is valuable during due diligence processes.

For help designing or auditing your backup and disaster recovery programme, our IT consultation services include full BDR assessments. Also see our guide on ransomware protection for small business for the threat context that makes tested recovery plans essential.

Frequently Asked Questions

Is cloud sync (OneDrive, Google Drive) the same as a backup?

No — and this is one of the most dangerous misconceptions in SMB IT. Cloud sync replicates your files to the cloud, but it also immediately replicates deletions and ransomware encryption. If ransomware encrypts your files, the encrypted versions sync to the cloud within minutes. A real backup maintains historical versions with a retention window long enough that you can restore from before the ransomware event. Use dedicated backup tools in addition to sync.

How long should I retain backups?

A common retention policy for SMBs: daily backups retained for 30 days, weekly backups retained for 12 months, and monthly backups retained for 7 years (for compliance with most financial and legal records requirements). Adjust based on your industry's specific regulatory requirements. Ransomware attacks are sometimes not detected for 30 to 90 days, so retaining backups for at least 90 days significantly improves your recovery options.

What is the difference between backup and disaster recovery?

Backup is the process of copying and storing data so it can be restored if lost. Disaster recovery is the broader plan for restoring business operations after a significant disruptive event — including the documented procedures, communication plans, failover systems, and tested runbooks needed to get back to operational status within your RTO. Backup is one component of disaster recovery, not a substitute for the full plan.

How do I protect backups from ransomware?

Three practices together provide strong ransomware protection for backups: immutable backup storage (backup files that cannot be modified or deleted for a defined retention period), offline or air-gapped backups (a copy with no live network connection that ransomware cannot reach), and separate access credentials for backup systems (different from your production environment so that a compromised admin account cannot access backups).

Do I need cyber insurance in addition to a backup plan?

Yes — a backup plan and cyber insurance complement each other. Backup covers data recovery. Cyber insurance covers the broader costs of an incident: business interruption losses, forensic investigation, legal liability if client data was breached, regulatory notification requirements, and sometimes ransom negotiation. Insurers increasingly require evidence of a tested backup and recovery plan as a condition of coverage, so having a documented programme also reduces your premium.