Does Your Small Business Have a Disaster Recovery Plan?

Ask most small business owners whether they have a disaster recovery plan and you will get one of two responses: a vague "I think we are covered" or a sheepish "no, we keep meaning to do that." Very few can describe a clear, documented process for what happens when something goes seriously wrong.

A disaster recovery plan (DRP) is a documented set of procedures that tells your team what to do when a significant disruption hits — a cyber attack, a hardware failure, a natural disaster, or anything else that knocks your systems offline. It answers the questions your stressed and panicking team will ask at 7am when they cannot access anything: Who do we call? What do we do first? How long will it take? What can we do in the meantime?

You do not need a 100-page document. A practical, usable DRP for a small business can fit on a few pages. What matters is that it exists, that your team knows where to find it, and that you have actually tested it.

Why Small Businesses Need a Disaster Recovery Plan

Research consistently shows that businesses without a tested recovery plan take significantly longer to recover from incidents than those with one. In some cases, they do not recover at all — around 40% of businesses that experience a major data loss without adequate recovery procedures close within a year.

In the cyber context, the ACSC recommends that all businesses — regardless of size — have documented incident response and recovery procedures. This is also increasingly becoming a requirement for cyber insurance policies in Australia, particularly following the introduction of the Cyber Security Act 2024, which has raised the bar for minimum security standards.

A DRP also reduces the human cost of an incident. When people do not know what to do, they panic, make poor decisions, and inadvertently make things worse. A clear plan creates calm and structure in a stressful situation.

The Difference Between a Disaster Recovery Plan and Business Continuity

These terms are often used interchangeably but refer to different things:

• Disaster Recovery Plan — focuses on restoring your IT systems and data after an incident. How do you get your servers, files, and applications back online?
• Business Continuity Plan (BCP) — focuses on keeping your business operational during and after a disruption. How do you serve customers if your systems are down for a week? Can staff work from home? Can you process orders manually?

For small businesses, these often overlap significantly. You want a plan that addresses both — how to recover your systems, and how to keep operating while recovery happens.

What Your Disaster Recovery Plan Should Cover

1. Contact list and roles

Who does what when something goes wrong? Your DRP should include:

• The person responsible for coordinating the response (typically the business owner or IT manager)
• Contact details for your IT support provider or MSP (Managed Service Provider)
• Contact details for your internet service provider, cloud provider, and any other key technology vendors
• Contact details for your cyber insurer and how to make a claim
• If relevant, contact details for a cyber incident response firm

2. Asset inventory

You cannot recover what you have not documented. Maintain a list of your critical systems and where your data lives:

• Servers (physical or virtual) and what they run
• Cloud services and applications (Microsoft 365, Xero, Shopify, etc.)
• Key business data and where it is stored
• Licences, credentials, and access details (stored securely — a password manager is ideal)

3. Backup details

Document your backup configuration so anyone can execute a recovery, not just the person who set it up:

• What is backed up, when, and how often
• Where the backups are stored (local and cloud)
• How to access the backup system and initiate a restore
• Your Recovery Time Objective (RTO) — how long recovery should take — and Recovery Point Objective (RPO) — how much data you can accept losing

4. Step-by-step recovery procedures

For each major type of incident, document the steps required to recover. Key scenarios to cover:

• Ransomware attack — including isolating infected systems, contacting your incident response team, and initiating recovery from backup
• Hardware failure — replacing failed hardware and restoring from backup
• Cloud service outage — how you operate if Microsoft 365 or another critical cloud service is unavailable
• Physical disaster (fire, flood) — accessing offsite backups and operating remotely

5. Communication plan

Who needs to be told what, and when? Consider:

• Staff — what to do if they cannot access systems, where to get updates
• Customers — particularly if their data may be affected or service is disrupted
• Suppliers and partners
• Regulators — if personal data is involved, the Office of the Australian Information Commissioner (OAIC) may need to be notified under the Notifiable Data Breaches scheme within 72 hours of becoming aware of an eligible breach

6. Interim operating procedures

What can your business do manually while systems are being restored? This might include:

• Processing orders or bookings on paper
• Using personal mobile phones for calls if business phones are down
• Accessing key documents stored offline or in printed form

Practical Tips for Small Business DRP Creation

• Keep it simple. A two-page plan that people can actually use is worth more than a 50-page document nobody reads.
• Store it somewhere accessible offline. Your DRP is useless if it only exists on the server that just went down. Store a printed copy, a copy in personal email, or on a USB drive kept in a secure off-network location.
• Review it annually. Business systems change. New cloud services get added, staff change roles, contact numbers change. Schedule an annual review to keep the plan current.
• Test it. Run a tabletop exercise once a year — walk through a hypothetical scenario with your team and identify gaps in the plan. You do not need to simulate a full disaster; even talking through "what would we do if we could not access our email for a week?" reveals valuable insights.

Free Resources for Australian Businesses

The ACSC provides a free Small Business Cyber Security Guide at cyber.gov.au that includes guidance on creating a basic incident response and recovery plan. The Australian Small Business and Family Enterprise Ombudsman (ASBFEO) also provides resources on business continuity planning.

Key Takeaways

• A disaster recovery plan documents what your team does when something goes wrong — who to call, what steps to take, and how to restore operations
• For small businesses, a practical DRP can be just a few pages — simplicity means it will actually be used
• Cover the key scenarios: ransomware, hardware failure, cloud outage, and physical disaster
• Include your contact list, backup details, recovery steps, and communication plan
• Store your DRP somewhere accessible offline — not just on the systems that might be down
• If personal data is exposed, you may need to notify the OAIC under the Notifiable Data Breaches scheme
• Test your plan with a tabletop exercise at least once a year

A disaster recovery plan is one of the most impactful things you can do for your business resilience. Not sure where your biggest gaps are? Flagged provides a free cyber risk assessment for Australian small businesses — including backup, recovery and incident response — at flagged.com.au.