A Guide to IT Disaster Recovery

A guide to IT disaster recovery for small and medium-sized businesses (SMBs)

The digitalization of modern business has been drastic. In the space of a few decades, businesses have adopted IT systems to handle their communications (with customers and employees alike), transactions, and storage and exchange of company information.

Despite the benefits modern technology has brought us, it can also breed a host of new problems and potential threats that businesses have to deal with. What happens when events out of our control prevent us from accessing the tools we need to work? How do we protect confidential business information when storing it in the cloud?

To remain productive and ready to react to any bumps in the road, IT professionals need to introduce IT Disaster Recovery and Business Continuity policies. The guide covers everything you need to know about introducing a sound SMB disaster recovery plan (DRP), and how platforms like Citrix ShareFile can help. The guide includes:

  • Why your business needs an IT disaster recovery plan
  • The benefits it will bring, and the drawbacks you’ll be able to minimize
  • What should be in your IT disaster recovery plan
  • The tools you’ll need to develop it

We surveyed 500 small and medium-sized business IT decision makers, and spoke to a number of IT experts, to get their thoughts on the importance of an effective IT disaster recovery plan.

What is disaster recovery and business continuity?

IT disaster recovery and business continuity are similar in objectives but are far from the same thing. When either is referred to during this guide, we mean the following:

Business Continuity: This is a business-wide review and implementation plan that ensures the continuation of critical business functions in the event of a disruption.

IT Disaster Recovery: Contained within a business continuity plan, the IT disaster recovery plan maintains and recovers a business’s hardware, applications, and data when their information technology stops working.

For the purpose of this guide, we’ll be focused on the IT disaster recovery plan, but consider it as part of your entire business continuity policy.

Why you need a disaster recovery plan

Technology offers many business benefits, but when it breaks it can have serious repercussions for those of us who are heavily reliant on tech for normal operations.

Darren Gallop from Securicy summarized the importance of developing a disaster recovery plan no matter how big your company is:

“It is important for businesses to understand that no matter how small they are and how much they do to protect their assets; a disaster is inevitable at some point. When that time comes, you want to be well equipped to minimize fallout and return things to normal as quick as possible.”

Depending on the type of disruption, the repercussions can cover one of many areas:

  • Employees unable to communicate with each other
  • Employees unable to access their files
  • Employees unable to gain access to the company office
  • Inability for customers to access your website
  • Inability of customers to communicate with you
  • Inability for you to communicate with your customers
  • Total loss of company or customer data

These can lead to a reduction in employee productivity, the ability for customers to buy/use your product or service, or the level of trust your customers have in you. Ultimately, these will all lead to a revenue hit for your company.

What’s encouraging is the level of awareness SMBs have with regards to a disaster recovery plan.

In our survey, 96% said they consider their IT disaster recovery plan to be a priority for their business over the coming year. Given just one in five businesses said they didn’t have a policy in place, SMBs are beginning to understand how relevant the subject is.

The cost of NOT having a disaster recovery strategy

Disaster recovery plans are put in place to guard against a number of potential catastrophes:

  • Cyber attack
  • Office fire/physical damage to company property
  • Server failure
  • Physical loss of data
  • Failure of software tools

After a bit of research in each of these topics, you begin to understand how important safeguards against them can be. Ray McKenzie, the founder of Red Beach Advisors, said:

“Companies that do not have disaster recovery or business continuity plans have an increased risk of loss of revenue, customers, data, and trust. All of which can be crippling to companies. Risk management is key, and all companies should have plans in place to avert disasters or interruption to business and service functions.”

During our survey, just 3% of businesses said they do not experience any downtime on a year-by-year basis. On average, our SMBs said they experience nearly 62 hours of downtime each year. Reflecting on this potential cost, you can begin to gauge how important it is for small businesses to remain operational.

Our research suggests downtime costs SMBs an average of $77,989 every single year. When divided by the average 62 hours of downtime businesses experience, the real cost of disruption is revealed to be $1,278 per hour of downtime. Small businesses must have a plan in place that keeps downtime to an absolute minimum.

And that’s only one potential pitfall of IT Disaster Recovery. Cyber-security is becoming increasingly relevant to small and medium-sized businesses.

Moreover, hackers and malicious actors looking to access sensitive data for fraudulent means are targeting smaller businesses. While the rewards may not be as significant, the apparent low levels of security lead to a potentially greater chance of their efforts succeeding.

In 2018, IBM estimated the cost of just one stolen record containing sensitive and confidential information to be $148 – a figure that is rising every year. If your company holds tens or even hundreds of thousands of names, addresses, and other information about its customers, the cost of a breach can quickly escalate.

We asked our respondents how much a variety of threats and potential pitfalls had cost their companies over the last five years. 

Depending on the location and practices of your business, these disasters can vary in their impact. Nearly one in three (29%) SMBs said server failures had cost their business more than $50,000 over the last five years. Similarly, the physical loss of data (25%), natural disaster (24%), and cyber-attack (24%) are all significant threats to every business’s bottom line.

When designing your IT disaster recovery plan, each of the above needs to be acutely and thoroughly addressed.

Building an SMB IT disaster recovery plan

Before you begin, Keri Lindenmuth from KDG outlined who should be involved in the process:

“A policy should be planned by a leader from every business department, from IT to executive to legal to marketing and PR. This ensures all basics of response, from internal to public-facing, are covered.”

To establish what you need to include in your disaster recovery plan, you first need to ask yourself:

“What applications and data are mission critical for our business to function and succeed?”

Create a list of everything that falls under this category — this is everything you’ll be looking to protect within your disaster recovery plan. For most companies, it will likely contain most of the following:

  • Email (or any communications system)
  • IT infrastructure and systems management
  • Web serving and internet content/video
  • Business intelligence/analytics applications
  • Collaborative content applications
  • CRM/front-office applications
  • Mobile/social applications
  • Transaction processing applications

Once you’ve drawn up this list, there are a number of things to consider for each component:

Threats and vulnerabilities

Carry out a risk assessment of each application and tool. Within this, consider their respective threats and vulnerabilities. Ask what could bring each one down, and what steps are needed to ensure it’s back in operation as quickly as possible.

Recovery time objective (RTO)

An RTO is the maximum tolerable length of time that a piece of your technology can be disrupted.

Measured in seconds, minutes, hours or days, the RTO of a given computer, system, network or application is dependent on how much revenue your company will lose out on if that piece of tech were to fail.

Depending on the importance of each piece of technology, your RTOs may vary significantly. For example, a web server keeping an online retailer’s website live is imperative to maintaining revenue, resulting in a low RTO. An example of a high RTO might be a broken laptop. Laptops and computers can be replaced immediately (if the company has enough tech) with a backup, and the damage of one breaking down is likely to be limited, leaving the RTO of the broken device to be in days rather than hours or minutes.

Recovery point objective (RPO)

Related to the RTO is the RPO. This is the period of time, counted back from the failure, within which files must be recoverable from a backup for normal operations to resume. For example, if your network fails, how far back can your last backup have been made to incur the least amount of disruption?

Once you’ve determined this, combine it with your RTO figure. This allows you to prioritize, allocate resources, create benchmarks and choose the right tools and procedures to ensure you never exceed your RTO and/or RPO.

When it comes to finally putting your findings and considerations into a plan, it’s better to break it down into relevant sub-categories.

Goals of the plan

As a means of setting out what your plan hopes to achieve, create a series of goals that allows your business to get up to speed with the purpose and intent of an IT disaster recovery plan.

Background

This is where you can house all the findings from your initial research. Break it down by each category of technology, before including:

  • The risks and vulnerabilities
  • The estimated cost to the business if it were to fail
  • The previous processes for securing and recovering this piece of tech
  • Any previous instances of downtime

Access and responsibilities

List the members of the organization who have developed the disaster recovery plan, and outline who is responsible for its implementation going forward.

Considering how your plan can cover everything from fortifying an office to backing up files in the cloud, chances are you’ll require the input and management of everyone from your office manager to your CTO. Outlining who is responsible for each aspect can help employees recognize who they should go to for help when implementing the plan. Also, consider how these might change when out of company hours, or if that particular person can’t be reached.

It’s not just in-house contacts that need to be included here either. You’ll be relying on many external, third-party products to keep your service operational. If one of them fails, you’ll need a contact for that business too.

Action steps

Action steps should come in the form of a detailed point-by-point guide that explains exactly how to implement the recovery plan at the correct level of disaster. For each disaster, break down the steps to allow for simple initiation. Include: 

Plan initiation

  • Which member of senior management and members of the disaster recovery team to notify, and how you can contact them
  • How to determine the degree of the disaster
  • What the right level of the recovery plan to implement is, depending on the degree of the disaster
  • How to monitor/measure progress
  • How to notify relevant users/customers of disruption

Disaster log

Within the Disaster Log section, you can compare your RTO and RPO with the reality of the disaster. How long did it take to return to normality? What was the level of disruption? What was the cost to the business?

A detailed log will allow you to track, revise, and ultimately improve your disaster recovery plan. Here, you can outline how the team responded to a disaster, allowing the relevant stakeholders to review the process and make any necessary changes.    
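
The comparison between objectives and reality can be automated. The following is an added example, not part of the original guide or of any ShareFile product: it flags backups that are already older than an asset's RPO, orders assets for recovery by RTO, and builds a disaster-log entry comparing actual downtime and data loss with the objectives. The asset names, objectives and timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Asset:
    name: str
    rto: timedelta  # maximum tolerable length of disruption
    rpo: timedelta  # maximum tolerable age of the backup restored from

@dataclass
class Incident:
    asset: str
    started: datetime      # when the disruption began
    restored: datetime     # when normal operation resumed
    last_backup: datetime  # timestamp of the backup that was restored

# Constructed sample inventory (illustrative values, not survey data).
ASSETS = {a.name: a for a in [
    Asset("web-server", rto=timedelta(hours=1), rpo=timedelta(minutes=15)),
    Asset("email", rto=timedelta(hours=4), rpo=timedelta(hours=1)),
    Asset("staff-laptop", rto=timedelta(days=2), rpo=timedelta(days=1)),
]}

def stale_backups(last_backups, now):
    """Assets whose newest backup is already older than their RPO allows."""
    return sorted(n for n, ts in last_backups.items() if now - ts > ASSETS[n].rpo)

def recovery_order():
    """Assets with the lowest RTO are restored first."""
    return [a.name for a in sorted(ASSETS.values(), key=lambda a: a.rto)]

def review(incident):
    """Disaster-log entry: actual downtime and data loss versus objectives."""
    asset = ASSETS[incident.asset]
    downtime = incident.restored - incident.started
    data_loss = incident.started - incident.last_backup
    return {
        "asset": asset.name,
        "downtime": downtime,
        "rto_met": downtime <= asset.rto,
        "data_loss_window": data_loss,
        "rpo_met": data_loss <= asset.rpo,
    }

if __name__ == "__main__":
    t0 = datetime(2024, 1, 10, 9, 0)  # constructed incident start time
    print(recovery_order())
    print(review(Incident("email", t0, t0 + timedelta(hours=5), t0 - timedelta(minutes=30))))
```
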

Testing is an important part of every small business disaster recovery plan, but one that often gets neglected. Once the plan is in place, it can be easy to move onto other projects, presume it’s complete, or blame a lack of resources for not revisiting it.

However, the technology you’ll be using changes all the time, as do the threats that look to seize your vulnerable data. It’s imperative that you have a policy in place that looks to review the software and hardware you use, to both guard against disaster and return things to normal.

Tread carefully when testing your plan. In order to avoid using live data, set up a test area where you can sift through your systems and try to pick out holes and compromises.

It’s also worth holding periodic training and refresher events for those who will be directly involved in implementing the plan. Instigate a “mock” disaster, allowing everyone to go over their roles and ensure they’re fully competent in carrying them out.

Ultimately, when a disaster does occur, learning from it is vital. Use the log to record any extended issues you encountered, and what could be improved in the future.

The greatest test of your IT disaster recovery plan comes when disaster hits. Be sure that each time you need to use it, you’re in the best possible position to recover your data efficiently. 

Investment in the many tools, systems, and applications required to stave off IT disasters is vital to the protection of your data.

Referring back to our survey of 500 SMBs, we looked to find out how much they invest in protection against IT disaster and cyber-threats. 

From the list, you can break down the priorities SMBs set when looking to reduce both the likelihood and impact of an IT disaster.

In-house expertise

Hiring staff is always going to be a costlier solution than finding external software to do the job, but your chances of minimizing the cost of disaster will increase. That’s likely the explanation for an “in-house IT team” receiving the most investment of any IT disaster prevention method. In fact, a quarter of all SMBs spend over $50,000 each year on their in-house IT team, and just 6% say they don’t invest in this area at all.

Investment in this area safeguards against every type of potential IT disaster. The skills of in-house staff, and the time they can dedicate to the field, mean your policies and plans will stand the best chance of succeeding.

Cloud backups

The cloud is also going to be one of your most powerful systems in the fight against IT disasters. Having a dedicated, secure external site to house your company’s files allows the business to continue operations immediately. Many affordable, reputable options exist that allow businesses of all sizes to have a backup of their data in case their main network fails.

That is likely why more than a third of SMBs spend over $10,000 a year on cloud backups (34%), cloud network and file sharing (34%), and virtual servers (35%).

With ShareFile, we provide an intuitive, cost-effective cloud storage solution that’s built from the ground up for small-to-medium sized businesses.

Remote working opportunities

Alongside the security-based benefits you get from the cloud, it also allows your employees to remain productive in the case of an IT disaster. Files stored in the cloud can be accessed from anywhere, so if your office is subject to a disaster, employees can continue their work from elsewhere.

To ensure this is the case, 35% of SMBs spend more than $10,000 a year on laptops for their employees.

Preventing IT disasters

Prevention initiatives are far less costly than curing a disaster, so implementing preventative measures is critical. We asked our 500 SMBs how much they spend annually on applications that will prevent cyber-threats.

Anti-virus software and firewalls are just as important as ever. Just 2% of SMBs say they don’t actively invest in these applications in order to prevent their data from being compromised. You can find solutions that protect your business data from cyber-threats with ShareFile. Using our secure file sharing system will keep personal data away from the hands of those with nefarious motives, and this can be extended to your emails with the use of ShareFile’s secure email encryption tools.

Make Disaster Recovery an integral part of your IT strategy

To fortify your security, you need to ensure your staff knows that it’s everyone’s responsibility. Run regular cyber-security training events and educate staff on how to correctly share and store files, password protect their computers, and detect when they might be opening an invasive email. Once you create a culture of shared responsibility, the pressure on your IT staff and on their IT disaster recovery plan will be significantly reduced.

To learn more about small and medium-business IT Disaster Recovery and Business Continuity, contact ShareFile Sales for a personal demo, pricing information, and additional information tailored to your needs.
