What happens if your server room floods? If ransomware encrypts every file? If a fire destroys your office? These scenarios aren't hypothetical โ they happen to businesses every week. The difference between a minor setback and a catastrophic loss often comes down to one thing: whether you have a disaster recovery plan.
In this article we explain what disaster recovery is, why it's essential for every business and how you can create a solid plan in 5 concrete steps.
What is disaster recovery?
Disaster recovery (DR) is the process of restoring your IT systems, data and operations after a disruptive event. This can be anything from hardware failure and human error to ransomware attacks and natural disasters.
A disaster recovery plan is a documented set of procedures that describes:
- Which systems and data are critical
- How quickly they need to be restored
- How they will be restored
- Who is responsible for what
- How the plan is tested and maintained
Disaster recovery is a subset of your broader business continuity plan (BCP). While BCP covers the entire business โ people, processes, communication โ DR focuses specifically on your IT infrastructure and data.
Why is a disaster recovery plan essential?
The cost of downtime
Downtime is expensive. Research consistently shows that the average cost of IT downtime for SMBs is between โฌ5,000 and โฌ20,000 per hour. This includes:
- Lost revenue โ Customers can't order, employees can't work
- Lost productivity โ Every employee sitting idle costs money
- Recovery costs โ Emergency IT support, data recovery, replacement hardware
- Reputational damage โ Customers lose trust, competitors gain ground
- Compliance penalties โ GDPR, NIS2 and sector regulations require timely recovery
Ransomware is a real threat
Ransomware attacks on SMBs increased dramatically in recent years. The average ransom demand is now over โฌ200,000, and paying doesn't guarantee recovery. Without a proper DR plan and working backups, you may have no way to recover your data at all.
Compliance requires it
Regulations like GDPR, NIS2, ISO 27001 and NEN 7510 all require organisations to have business continuity and disaster recovery measures in place. A documented and tested DR plan isn't optional โ it's a requirement.
Step 1: Inventory your critical systems and data
Before you can plan recovery, you need to know what you're recovering. Create a complete inventory of:
Systems and applications
| System | Function | Users affected | Criticality |
|---|---|---|---|
| Email (Microsoft 365) | Communication | All | Critical |
| ERP system | Business processes | Finance, operations | Critical |
| CRM | Customer management | Sales, support | High |
| File storage | Documents, data | All | Critical |
| Website | Customer-facing | External | Medium |
| Phone system | Communication | All | High |
| Workstations | Daily work | All | Critical |
Data classification
Categorise your data by sensitivity and importance:
- Critical โ Cannot function without it (financial records, customer data, operational data)
- Important โ Needed for daily operations but can survive a short outage (project files, templates)
- Standard โ Historical data, archives (can be restored over days rather than hours)
Dependencies
Map the dependencies between systems. If your ERP system depends on a database server which depends on Active Directory, you need to restore them in the right order.
Step 2: Define RPO and RTO
Two critical metrics drive your entire disaster recovery plan:
Recovery Point Objective (RPO)
RPO answers the question: How much data can you afford to lose?
If your RPO is 4 hours, you need backups at least every 4 hours. If your RPO is zero, you need real-time replication.
| RPO | Meaning | Backup frequency needed |
|---|---|---|
| 0 (zero) | No data loss acceptable | Real-time replication |
| 1 hour | Max 1 hour of work lost | Hourly snapshots |
| 4 hours | Max 4 hours of work lost | 4-hourly backups |
| 24 hours | Max 1 day of work lost | Daily backups |
Recovery Time Objective (RTO)
RTO answers the question: How quickly do you need systems back online?
If your RTO is 4 hours, your team and technology need to be able to restore operations within 4 hours of an incident.
| RTO | Meaning | Infrastructure needed |
|---|---|---|
| Minutes | Near-instant failover | Hot standby, replication |
| 1-4 hours | Fast recovery | Pre-configured recovery environment |
| 4-24 hours | Same-day recovery | Cloud backups with restore procedures |
| 1-3 days | Multi-day recovery | Offsite backups, manual rebuild |
Setting realistic RPO and RTO
Be honest about what your business actually needs versus what would be ideal. Zero RPO and instant RTO are technically possible but extremely expensive. For most SMBs, a realistic target is:
- RPO: 4-24 hours (daily backups for most data, more frequent for critical systems)
- RTO: 4-8 hours (systems operational within half a working day)
At Virtual Computing, our cloud workstations include daily backups with tested recovery procedures, giving most clients an RPO of 24 hours and an RTO of 2-4 hours.
Step 3: Design your backup strategy (3-2-1 rule)
The 3-2-1 backup rule is the gold standard for data protection:
- 3 copies of your data (the original plus 2 backups)
- 2 different storage types (e.g. local disk and cloud)
- 1 copy offsite (physically separate from your primary location)
Backup types
| Type | Description | Speed | Storage |
|---|---|---|---|
| Full backup | Complete copy of all data | Slow to create, fast to restore | Most storage |
| Incremental | Only changes since last backup | Fast to create, slower to restore | Least storage |
| Differential | Changes since last full backup | Moderate | Moderate storage |
A common strategy combines these: weekly full backup with daily incremental backups.
Cloud backup vs on-premise backup
| Factor | Cloud backup | On-premise backup |
|---|---|---|
| Cost | Predictable monthly fee | Upfront hardware investment |
| Scalability | Virtually unlimited | Limited by hardware |
| Physical safety | Geographically separated | Same location risk |
| Recovery speed | Depends on bandwidth | Fast local restore |
| Management | Provider manages infrastructure | You manage hardware |
Our recommendation: Use cloud backup as your primary offsite copy and complement it with local backup for fast restore of large datasets. When your workstations and data already run in the cloud โ as with our online workstation โ your data is inherently offsite and backed up automatically.
Microsoft 365 backup โ don't forget it
A common misconception is that Microsoft backs up your Microsoft 365 data. While Microsoft ensures platform availability, they do not guarantee recovery of your deleted or corrupted data. Their retention policies are limited and not designed for disaster recovery.
- Exchange Online (email, calendar, contacts)
- SharePoint Online and OneDrive
- Microsoft Teams (chats, files, channels)
At Virtual Computing, M365 backup is included in our managed IT services.
Step 4: Document recovery procedures
A disaster recovery plan is only useful if people can follow it under pressure. Document clear, step-by-step procedures for each scenario.
What to document for each critical system
- System description โ What it does, where it runs, who depends on it
- Recovery priority โ Order of restoration based on criticality
- Backup location โ Where backups are stored and how to access them
- Recovery procedure โ Step-by-step instructions including:
- Contact information โ IT team, MSP, software vendors, internet provider
- Escalation path โ Who to call if recovery takes longer than expected
Common disaster scenarios to plan for
- Server disk failure โ Restore from backup to replacement hardware or cloud
- Network equipment failure โ Replacement device with documented configuration
- Isolate affected systems immediately
- Assess scope of encryption
- Restore from clean backups (verify backups aren't also encrypted)
- Report to authorities and follow incident response plan
- Activate offsite backups
- Deploy cloud-based workstations for continuity
- Communicate with employees about temporary procedures
- Check recycle bin and version history first
- Restore individual files or folders from backup
- Document what was lost and restored
Keep a physical copy
Store a printed copy of your DR plan in a secure offsite location. If your entire IT environment is down, you can't access a digital-only plan.
Step 5: Test, test, test
A disaster recovery plan that hasn't been tested is a theory, not a plan. Regular testing reveals gaps, outdated procedures and unrealistic assumptions.
Types of DR tests
| Test type | Effort | Realism | Frequency |
|---|---|---|---|
| Tabletop exercise | Low โ walk through scenarios verbally | Low | Quarterly |
| Partial test | Medium โ restore a single system | Medium | Semi-annually |
| Full simulation | High โ simulate complete disaster | High | Annually |
What to verify during testing
- Can you access your backups?
- Do backups actually contain the expected data?
- Can you restore within your target RTO?
- Do recovery procedures work as documented?
- Does everyone know their role?
- Are contact details up to date?
- Are credentials for recovery accessible?
After each test
- Document what worked and what didn't
- Update procedures based on findings
- Re-test any failed components
- Update the plan with any infrastructure changes
The role of your MSP in disaster recovery
A managed service provider plays a crucial role in disaster recovery:
- Design โ Helping you set appropriate RPO/RTO targets and design the backup architecture
- Implementation โ Setting up and configuring backup solutions
- Monitoring โ Verifying backups complete successfully every day
- Testing โ Conducting regular recovery tests
- Recovery โ Executing the recovery when disaster strikes
- Documentation โ Maintaining up-to-date recovery procedures
At Virtual Computing, disaster recovery is an integral part of our managed IT services. Our cloud infrastructure means your data is automatically backed up, geographically separated and recoverable โ often within hours rather than days.
Frequently asked questions
How often should I update my disaster recovery plan?
At minimum annually, or whenever there are significant changes to your IT environment โ new systems, new locations, organisational changes. After every test, update the plan with lessons learned.
What's the difference between backup and disaster recovery?
Backup is the process of copying data. Disaster recovery is the complete plan for restoring operations โ backup is one component of it. A good DR plan also covers hardware, network, applications, communication and people.
How much does disaster recovery cost?
Costs depend on your RPO/RTO requirements. Basic cloud backup for an SMB costs โฌ5-โฌ15 per user per month. A full DR solution with rapid failover can cost significantly more. At Virtual Computing, backup and basic DR are included in our managed workstation packages.
Do I need disaster recovery if everything is in the cloud?
Yes. Cloud providers ensure infrastructure availability, but they don't protect against accidental deletion, ransomware that syncs to cloud storage, or misconfiguration. You still need backups and a recovery plan.
What about cyber insurance?
Cyber insurance can cover financial losses from incidents, but insurers increasingly require a documented DR plan as a condition for coverage. Having a solid plan can also lower your premiums.
Can I handle disaster recovery myself?
Technically yes, but it requires expertise, tools and time that most SMBs don't have. The consequences of a failed recovery are severe. Most organisations benefit from working with a specialist IT partner who manages this professionally.
How long should I retain backups?
This depends on regulatory requirements and business needs. Common retention periods: daily backups for 30 days, monthly backups for 12 months, annual backups for 3-7 years. GDPR and industry regulations may impose specific requirements.
Don't wait for disaster to strike
Creating a disaster recovery plan isn't exciting work. But when disaster strikes โ and statistically, it will โ it's the difference between a brief disruption and an existential threat to your business.
Start today. Inventory your critical systems. Define your RPO and RTO. Implement the 3-2-1 backup rule. Document your procedures. And test them regularly.
Need help? Virtual Computing helps SMBs design, implement and manage disaster recovery solutions as part of our complete IT management services. With ISO 27001 and NEN 7510 certification and 24/7 monitoring, we ensure your business can recover quickly from any disruption.
Get in touch for a free assessment of your current DR readiness, or become a client and let us protect your business.
Related services
Written by
Related articles
How do you create a secure cloud workspace?
Creating a secure cloud workspace requires a layered approach that starts with the foundation: identity management and access control.
SecurityWhy network security is essential
Working online is the norm today, but it also comes with risks. Hackers and cybercriminals prey on unsecured networks.
SecuritySecure cloud working with M365
Secure cloud working for SMBs in 5 steps. Learn how your SMB can work securely and efficiently with Microsoft 365 in the cloud.