Most Sydney small businesses don't have a written disaster recovery plan. They have an assumption β usually some version of βour IT guy backs things upβ β and a hope that nothing ever goes seriously wrong. When something does go wrong, that assumption tends to collapse quickly.
An IT disaster recovery (DR) plan is the document that tells you exactly how to get your systems back online after an outage, ransomware attack, hardware failure, or accidental data loss. This guide walks through what should be in it, how to build one for a 5β50 staff business, and the mistakes that turn a recovery into a closure.
What an IT Disaster Recovery Plan Actually Is
A disaster recovery plan is a written, tested set of procedures for restoring IT systems and data after a disruptive event. It sits alongside (but is distinct from) a business continuity plan: business continuity is about keeping the business running, DR is the technical playbook for restoring the systems the business runs on.
For a Sydney SMB, a useful DR plan answers these questions in plain English:
- What systems and data do we actually rely on to operate?
- How long can we be without each of them before it seriously hurts?
- Where are our backups, and have we proven they restore?
- Who does what when something goes wrong β and in what order?
- How do we communicate with staff, clients, and suppliers during an outage?
If your current plan can't answer those questions clearly, it isn't a plan β it's a wish list.
Understanding RTO and RPO (The Two Numbers That Matter)
Two technical terms drive every DR decision you'll make. Get these right and the rest of the plan falls into place.
RTO (Recovery Time Objective) β the maximum acceptable time a system can be unavailable before it materially damages the business. If your accounting system is down for four hours, is that fine? Eight hours? Two days? That answer is your RTO.
RPO (Recovery Point Objective) β the maximum acceptable amount of data loss, measured in time. If your file server fails right now and the most recent backup is from 11pm last night, you've lost a full working day of data. Is that acceptable? If not, you need a tighter RPO.
The mistake most SMBs make: assuming βwe have backupsβ means they're protected. A nightly backup gives you an RPO of up to 24 hours and an RTO that depends entirely on how long the restore takes β which most businesses have never measured. If you haven't defined and tested your RTO and RPO, you don't know what you've got.
Setting RTO and RPO for Different Systems
Not every system needs the same level of protection. Tighter recovery objectives cost more, so you tier them based on business impact. Here's a realistic starting point for a Sydney SMB:
| System | Tier | Target RTO | Target RPO |
|---|---|---|---|
| Microsoft 365 (email, Teams, SharePoint) | Critical | 2β4 hours | 15 minutes |
| Accounting / ERP (Xero, MYOB, etc.) | Critical | 4 hours | 1 hour |
| CRM & client database | Critical | 4β8 hours | 1 hour |
| File server / shared drives | Important | 8β24 hours | 4 hours |
| Internal websites / intranet | Standard | 24β48 hours | 24 hours |
| Archived data | Low | 3β5 days | 7 days |
Your numbers will differ. A legal firm working to court deadlines needs faster recovery on document management than a creative agency. Run the conversation with department heads, not just IT.
The Core Components of a DR Plan
A workable DR plan for a Sydney SMB covers six areas. Skip any of them and you'll find the gap at the worst possible moment.
1. Asset and System Inventory
You can't recover what you haven't documented. The inventory should list every server, key SaaS application, network device, line-of-business system, and the data each one holds. Include vendors, support contacts, licence keys, and admin credentials stored in a secure password manager β not a spreadsheet on the file server you're trying to recover.
2. Risk Assessment
Identify the realistic threats: ransomware, hardware failure, accidental deletion, cloud provider outage, fire or flood at your office, a key staff member leaving with admin access. For each, estimate likelihood and impact. This drives where you invest in mitigation.
3. Backup Strategy
The Australian Cyber Security Centre recommends the 3-2-1 rule: three copies of your data, on two different media, with one copy off-site. For a modern SMB this typically means production data, an on-site or cloud backup, and an immutable off-site copy that ransomware can't reach. Microsoft 365 needs its own third-party backup β Microsoft replicates data for service availability, not point-in-time recovery.
4. Recovery Procedures
Step-by-step instructions for restoring each critical system. Who logs in where, with which credentials, to do what. Written so a competent technician who has never seen your environment could follow them. This is the most-skipped part of every DR plan we audit.
5. Roles and Communication
A named incident lead, a deputy, a person responsible for staff communications, a person responsible for client communications, and contact details for your MSP, ISP, and key vendors. Include out-of-hours numbers β disasters rarely happen between 9 and 5.
6. Testing Schedule
An untested plan is a hypothesis. Schedule at least one full restore test per year and quarterly partial tests on critical systems. Document the results and update the plan based on what you learn.
Ransomware: The Scenario You Need to Plan For
Ransomware is now the most common disaster a Sydney SMB will face. The ACSC's annual cyber threat reports consistently show small business as a primary target, and the recovery experience is materially different from a hardware failure.
Three rules shape a ransomware-ready DR plan:
- Immutable backups. Modern ransomware specifically targets backup systems. If your backups can be deleted by an attacker with domain admin credentials, they're not really backups. Look for immutability, air-gapping, or separate authentication.
- Clean rebuild capability. You can't just restore data to compromised infrastructure. Your plan should cover rebuilding servers and endpoints from clean images, not just restoring files.
- Notifiable Data Breaches obligations. Under the Privacy Act, if personal information is likely accessed in a breach you may have 30 days to assess and notify the OAIC and affected individuals. Build this into your incident response.
Not sure if your current backups would survive a ransomware attack? We offer a free disaster recovery assessment for Sydney businesses β we test your actual recovery posture, not just review a spreadsheet.
Book Your Free Assessment βHow to Build the Plan: A Six-Step Process
If you're starting from nothing, here's a realistic sequence for a 10β30 person business. Allow 4β6 weeks elapsed time.
- Business impact analysis. Sit with each department head and document what they use, what they couldn't work without, and what an hour, day, or week of downtime would cost. This sets your RTO and RPO targets.
- Inventory and document. Build the asset register, document admin access, map dependencies between systems (your CRM may rely on Azure AD, for example).
- Gap analysis. Compare your current backups, monitoring, and recovery capability against the targets you set. Identify what needs to change.
- Remediation. Implement the missing pieces β tighter backup frequency, immutable off-site storage, Microsoft 365 backup, endpoint recovery imaging, documentation.
- Write the plan. A practical, scenario-based document. βIf our office is inaccessible, do X. If we're hit by ransomware, do Y.β Keep it short enough that people will actually read it.
- Test and revise. Run a tabletop exercise within 30 days of completing the plan. Do a real restore test within 90 days. Then schedule it on the calendar annually.
Common Mistakes Sydney SMBs Make
Across the DR audits we run, the same gaps appear repeatedly:
- Backups that have never been tested. A backup job that βcompleted successfullyβ in the dashboard tells you nothing about whether the data can actually be restored.
- No backup of Microsoft 365. Most SMBs assume Microsoft handles this. They don't β not for accidental deletion past the retention window, not for ransomware encrypting SharePoint files, and not for compromised mailboxes.
- Single point of failure on credentials. The only person with admin access is on leave, or has left the business, or stored the password in a notebook on their desk.
- Plans that live in one person's head. If your recovery depends on a specific technician being available, you don't have a plan β you have a dependency.
- No off-site or off-network backup. A backup drive sitting next to the server it's backing up burns in the same fire and encrypts in the same ransomware attack.
What a Good DR Plan Costs
For a 10β30 person Sydney business, expect to invest in three areas: backup tooling, off-site storage, and the time to document and test. Cloud backup services for Microsoft 365 typically run $4β$8 per user per month. Server and endpoint backup with immutable cloud storage usually adds $200β$600 per month depending on data volumes. Building the documented plan is a one-off engagement of 20β40 hours of work, then ongoing testing time of perhaps a day per quarter.
Compared to the cost of an unrecoverable ransomware incident β which industry data puts at well over $100,000 AUD on average for an Australian SMB once you include downtime, recovery, and reputational damage β the maths is straightforward.
The Bottom Line
An IT disaster recovery plan is not an IT document β it's a business document that happens to be about IT. It forces you to decide, in advance and in writing, what your business can tolerate when something goes wrong, and what you're willing to invest to make sure you survive it.
The Sydney SMBs that recover well from major incidents are not the ones with the most expensive technology. They're the ones who took the time to document their plan, test it honestly, and update it when things changed. That's the standard worth aiming for β and it's achievable for any business with five or more staff.