Skip to content
American Owned & Operated
← Back to Blog
· 8 min read · PeachByte

Backups Are Not a Recovery Plan

cybersecurity backup disaster-recovery small-business managed-it

Most small businesses have some kind of backup in place. Maybe an external drive gets rotated every few days. Maybe files sync to Microsoft 365, Google Drive, Dropbox, or a line-of-business cloud app. Maybe a server backup runs every night and sends a green checkmark to someone’s inbox.

That is a good start. It is not the same thing as a recovery plan.

A backup is a copy of data. A recovery plan is the documented, tested process for getting the business operating again when something breaks. The difference matters when a server fails on a Monday morning, a cloud account gets compromised, a laptop with customer files disappears, or ransomware encrypts the shared drive everyone depends on.

In those moments, the business question is not simply whether a backup exists. The question is whether the right systems can be restored in the right order quickly enough to keep payroll, invoicing, customer service, scheduling, and production moving.

Why “we have backups” is not enough

“We back everything up” can mean very different things depending on who says it. Sometimes it means the accounting file is protected. Sometimes it means the office server is protected but Microsoft 365 is not. Sometimes it means files are syncing to the cloud, which helps with access but may not protect against deletion, corruption, or a compromised account.

The details matter. A business that depends on backups should know where the backups live, who receives failure alerts, how long backups are retained, and whether anyone has restored from them recently. It should also know which systems come back first if several things fail at once.

That last point is easy to overlook. During an outage, every department has a good reason to be urgent. The person who needs an old archive restored may be just as loud as the person trying to run payroll. A recovery plan gives the team an agreed order of operations before stress makes the decision for them.

Backups should create confidence. Untested backups create assumptions.

Restore tests are where the truth shows up

A backup report only tells part of the story. A job can show “successful” every night while missing the database that actually runs the shop. A cloud folder can sync corrupted files perfectly. A server image can exist, but require hardware no one has available. A password-protected backup can be technically intact while nobody knows where the password is stored.

That is why restore testing matters. The only way to know whether a backup works is to restore something from it and confirm that the restored system or file is usable.

For a small business, that test does not have to be dramatic. It might be as simple as restoring a sample folder and checking permissions, recovering a deleted mailbox, restoring the accounting database to a test location, or bringing up a server backup in an isolated environment. The important part is that someone verifies the restored data behaves the way the business needs it to behave.

If users cannot log in, if the application cannot open the restored file, if permissions are wrong, or if the restore takes two days longer than expected, the backup system is telling you something useful. It is far better to learn that during a planned test than during a real outage.

The three recovery questions to answer first

Business owners do not need to memorize backup software settings, but they should understand three recovery questions for each critical system.

First, how much data can the business afford to lose? If the last usable backup is from last night, the business may lose today’s work. If the last usable backup is from last week, the impact is much larger. Different systems deserve different answers. A shared marketing folder and an accounting database do not carry the same risk.

Second, how long can the system be down? Phones, email, accounting, production files, scheduling tools, and payment workflows all affect the business differently. Some systems can wait. Others need a faster recovery path.

Third, what comes back first? Restore priority is a business decision, not just a technical one. Payroll may matter more than an archive. A production workstation may matter more than a conference room PC. A shipping system may matter more than a general file share, depending on how the company operates.

If the current backup setup cannot answer those three questions, it is not a recovery plan yet.

Ransomware changed the standard

Old backup habits were built around accidents: a failed hard drive, a deleted folder, a damaged laptop. Those problems still happen, but ransomware changed what small businesses need from recovery planning.

Modern attackers often look for backups before they make noise. They try to delete restore points, compromise administrator accounts, and move through cloud storage using legitimate tools. If backups are reachable from the same accounts and systems that attackers compromise, the recovery path may be at risk too.

That is why a small business recovery plan needs more than a nightly copy. Backups should be separated from the systems they protect. Administrator access should be limited. Backup alerts should go somewhere a real person watches. Restore credentials should not live in the same place as day-to-day user passwords. Critical systems should have a recovery path that does not depend on the compromised environment being healthy.

This is also why backup planning and cybersecurity belong together. Endpoint protection, email security, identity controls, and tested backups all support the same goal: keep one bad event from becoming a company-wide shutdown. It also matters for insurance, because many cyber insurance policies expect basic security and recovery controls to be in place.

Cloud systems still need a recovery plan

Moving work into cloud platforms can make a business more resilient, but it does not remove the need for recovery planning. Microsoft 365, Google Workspace, QuickBooks Online, cloud file storage, and industry-specific applications all change the shape of the problem. They do not make the problem disappear.

Cloud vendors are responsible for keeping their platforms available. Your business is still responsible for access controls, retention settings, user mistakes, and knowing how important data would be recovered. If someone deletes a mailbox, removes files from a shared folder, changes forwarding rules after an account compromise, or syncs bad data across devices, you still need a practical restore path.

The simple question is this: if an important cloud system lost data today, who would restore it, from where, and how long would it take?

If the answer is not clear, that system belongs in the recovery plan.

What a useful recovery plan looks like

A recovery plan does not need to be a hundred-page binder. In most small businesses, a shorter document is more useful because someone can actually follow it under pressure.

The plan should list the systems the business depends on, where their data lives, how each system is backed up, and who receives failure alerts. It should define restore priority, recovery expectations, vendor contacts, and where secure access instructions are stored. It should also record the last successful restore test, including what was restored, how long it took, who performed the test, and what changed afterward.

That last detail is often the missing one. A business may buy backup software, configure jobs, and assume the job is done. The real confidence comes from a written record that proves a restore has been tested recently.

Start with the systems that stop revenue

If the recovery planning conversation feels too broad, start with the systems that would stop revenue first.

For a contractor, that may be email, phones, job files, estimating software, and accounting. For a medical office, it may be scheduling, patient records, phones, and scanned documents. For a manufacturer, it may be production files, shipping, inventory, accounting, and the workstation that talks to a specific machine.

Write down the most important systems, then answer four questions for each one:

  1. Where does the data live?
  2. How is it backed up?
  3. How would it be restored?
  4. How long can the business operate without it?

That exercise usually exposes the first round of gaps. Maybe the server is covered but the cloud app is not. Maybe the data is protected but nobody knows the restore password. Maybe the business can tolerate a day without one system but only an hour without another. Those are the details that turn a vague backup setup into an actual recovery plan.

The practical next step

Pick one important system this week and ask for a restore test. Not a screenshot of a green dashboard. An actual restore.

Recover a folder. Restore a mailbox. Bring up a database in a test location. Validate that permissions, logins, and application access work the way they should. Then write down what happened.

If the restore works, you have more confidence than you had before. If it fails, you found the problem while the business was calm enough to fix it. That is the point of backup and disaster recovery work: not paperwork for its own sake, but a business that can take a hit and keep operating.

This is also the kind of planning that belongs inside a managed IT relationship, not as a one-time task someone remembers during a crisis.

Free IT strategy review

Sixty minutes with a senior engineer. A written assessment of your infrastructure, security, and operations, plus a ranked list of what to fix first.

See the details
← All Posts