A step-by-step guide to backup strategy for small business 

Nick Cavalancia

I’ve been in IT for over 25 years and spend much of my time rubbing elbows with IT pros that specialize in certain parts of the industry. So, when I talk a lot (and I do) about backups, there’s sort of an assumption that the IT pro I’m interacting with has the basics down.  

But, as those of you in SMBs know, it’s never that easy. You have so many hats (including backup) to wear, that you often need a little push in the right direction so that you don’t need to try and reinvent the wheel as it were.

So, what’s the right way to plan out your backup strategy for small business?

I’ve written (and will reference here) a bunch of articles over the past two years about the various hows and whys of backups. But, rather than make you search for each of them, I wanted to consolidate them (alongside some articles on this blog written by other contributors) into a single, practical plan for small business disaster recovery and backup.

I’m going to walk through the steps by posing them as questions that you may (or may not) have considered. That way, if you are well past a given step in your thinking and/or execution, you can jump ahead to the next one.

Why do you even need a backup?

For those of you thinking the question is ludicrous, you can skip down a few lines. But there are some businesses today that are materially larger than a SoHo that still don’t have a backup in place. You need one for a number of reasons.  

  1. 1) You’re not making money if a critical part of your environment is down. 
  2. 2) The expectation by customers today of companies large and small is that you’re always available.
  3. 3) Without a backup, it will take you materially longer to not just rebuild whatever data set/application/system was impacted, but to also put your operations back into a “close to current” state as they were just prior to the “disaster” experienced.

Other articles to read:

Are your clients ready for a major weather event?

"Where did my server go?": How to defend against ransomware

Why can’t I just use a sync tool?

I have a backup of critical files going to a cloud sync provider. But, that’s a single laptop. Sure, you can sync up the important files and folders on your one file server to Google Drive/OneDrive/DropBox/etc., but that sync won’t address the problem of you potentially losing the entire server. Sync tools are great for simple backups of file sets, but they are not a replacement for a true backup that allows your business to recover (and not just some files).

Check out the following article for more on this:

Sync and share solutions; no substitute for Backup 

What kind of backup should I be using?

You’ve got a wide range of options here, as every vendor shouts at the top of their lungs that their way of doing backups is the best.  First off, you need to decide does your business require an ability to restore, an ability to recover or an ability to maintain availability of services? Since I have no idea what your specific needs are, you’ll need to do some soul-searching to determine just how “up and running” your business needs to be. 

Then there’s the issue of where you should store your backups. You can keep them on-premises, in the cloud or use a hybrid mix of both. There are pros and cons for each, but the basic thinking is if you use only one (either on-prem or in the cloud) to store your backups, you’re missing out on the ability to recover from a loss of location or loss of Internet connectivity. By having hybrid-cloud backups, you retain sync’d backups in both locations, increasing your ability to recover from just about any disaster.

What needs to be backed up?

In a word?  Everything. The whole point of disaster recovery for a small business is to provide an ability to recover regardless of the loss incurred. One of the simplest ways to accomplish this is to perform image-level backups, where the entire system (whether physical or virtual) is backed up as a single data set (more on this later).

Given, you may be reading this because you don’t have your backups in proper order, you should at very least be considering the backup of critical servers and services that you know your business can’t be without for very long. 

Which backup method will you use?

Backups can be created using two basic methods – file-level and image-level. File level is perfect for backing up files and folders on your file server. It also can serve as the means to backup a database for a given application. Application-aware backups (those that are already aware of what needs to be backed up for a given application) can simplify file-level backups by intelligently capturing all the relevant data sets needed to recover an application. 

Image-level backups are perfect for when you want to protect an entire system at once. They also give you access to fast recoveries both locally and remotely using a continuous recovery model (where a restore of each backup is performed as the backup is created). 

(Here’s a great recovery map we built a while back that helps you decide.)

What are you protecting against?

One of the challenges (from a technical execution perspective) in defining what needs to be backed up and which method to use is the fact that you can’t really do it without first knowing what the disaster looks like that you’re preparing for.  It’s like packing your clothes into a suitcase without first knowing where you’re going on vacation. It’s important to first define the “disasters” you’ll be protecting your business against so that you can determine what needs to be backed up.  For example, if you’re only worried about files being deleted, performing image-based backups makes no sense. Likewise, if you’re wanting to protect against a complete loss of location, having file-level backups of every server will equate to a MUCH longer recovery period than you’d like. 

What kind of recovery objectives should you set?

For each data set, application or system you wish to recover, you need to establish some parameters around what the recovery of said recovery set needs to look like. There are a few industry staples to assist. The first is your recovery time objective (RTO), which is the amount of time you will take to recover. Next is your recovery point objective (RPO), which represents the target amount of data lost. Last is the maximum tolerable period of disruption (MTPoD), which represents, should you miss your RTO. In other words how long can you go before the business REALLY begins to suffer. 

You need to establish these values for each backup set you wish to recover, beginning with the most critical and working your way down. The reason is that once you determine that your website needs a recovery time of, say, 10 minutes, and a recovery point of only 15 minutes, you may shift your current file-level backups to an image-level continuous recovery scenario. See how this all comes together?

Some other reading on this subject:

What's your RTO/RPO and how do you calculate it? 

3 Tips for Shrinking your RTOs and RPOs

How do you build a small business disaster recovery plan?

The plan itself should start with outlining the various data sets and the disasters you want to protect against. Then dive into each intersection of the two. The detail here should entail first, what data set is being backed up and then the plan to recover. I’ve done these where I literally spelled it out click by click, but you may not have time for that. At a minimum, I’d suggest spelling out the recovery type, the data set to be recovered, dependencies to be aware of (e.g. Active Directory) and any post-restore steps that need to be taken. 

Check out these article for even more DR insight:

Choosing the right disaster recovery solution, part 1: Defining the disasters

Choosing the right disaster recovery solution, part 2: Finding your feature set

Preventing 3 common Disaster Recovery scenarios

5 Questions to ask yourself when planning a disaster recovery scenario

You’re going to test this, right?

At this point, you’re likely a bit overwhelmed already, given all the choices and the work I’m assigning to you to do just to get backups right. And now I want you to test it???

In fact, this is both the hardest part (because who has the time and resources to mock up a disaster and then test recovery?) as well as the most critical (because without testing, your plan isn’t worth the paper it’s written on). Testing, at a minimum, can be a tabletop session with those involved with the recovery process where you walk through the steps together discussing what may go wrong and what to do about it. At a maximum, you’d perform an actual recovery to an alternate server, location, etc. testing out the backups you have, ensuring an ability to recover.

Can you do this yourself? 

It’s worth mentioning that all of this may be well beyond your technical abilities and/or the time you have available to devote to backup strategy, planning and testing. There are tons of IT service providers that offer backups as part of a more comprehensive list of services, and they may be better suited to address these needs.  

Stepping your way to backups

The intent of this short guide is to give you some sense of direction for the steps you can take to establish backups in a way that ensures your business remains productive, no matter the disaster. Elevating your thinking around the backup why, what and how will put your small business in a much better place to proactively take measures to address any kind of loss of data, application or system.