Business continuity and disaster recovery (BCDR) is how your organization keeps operating—and restores systems—when something breaks hard: ransomware, hardware failure, cloud misconfiguration, fire, or a key vendor outage.
This guide is for owners and operators of small and mid-size organizations who need a practical program, not a binder that dies on a shelf. It expands our shorter pieces on backup & DR basics and ransomware recovery.
Why BCDR matters for SMBs
- Revenue stops when email, payments, or line-of-business systems die
- Ransomware operators specifically target backups
- Cyber insurance questionnaires ask about restore testing
- Customers and contracts may require uptime commitments
RTO, RPO, and plain English
- RPO — how much data loss you can tolerate (time)
- RTO — how fast systems must return
- MTPD / maximum tolerable downtime — when the business is truly in trouble
Write targets for your top systems first (email, finance, production, EHR/CRM). Perfect numbers are less important than honest ones.
Articles: RTO vs RPO explained.
Business continuity vs disaster recovery
- Business continuity — keep critical processes running (people, workarounds, comms)
- Disaster recovery — restore IT systems and data
You need both. Restored servers with no staff process still fail. Perfect process with no data also fails.
Article: BC vs DR.
Backup design that survives ransomware
Classic 3-2-1 thinking still helps: multiple copies, different media/locations, one offline or immutable copy. Modern additions:
- Separate backup admin credentials from daily domain/cloud admin
- Immutable or air-gapped copies where practical
- MFA on backup consoles
- Monitor backup job failures like production incidents
Article: Immutable backups explained.
Cloud SaaS is not “backed up by default”
Microsoft 365 and similar platforms provide resilience and recycle bins—not always a full substitute for independent backup of mail, Teams, and SharePoint when retention, ransomware, or accidental purge matters.
Article: Microsoft 365 backup considerations.
Ransomware-specific planning
Assume attackers will try to delete or encrypt backups and cloud admin accounts. Plan for:
- Containment without destroying evidence needlessly
- Out-of-band leadership communications
- Restore order of systems (identity → security tools → core apps)
- Counsel and insurance contacts ready in advance
Paying ransom is a legal/financial decision, not a technical default. See ransomware recovery basics.
Testing and evidence
Untested backups are rumors. Minimum cadence:
- Quarterly restore of a critical system
- Annual tabletop exercise with leadership
- Document what failed and fix it
Article: How to test backups.
People and decision rights
Who can declare an incident? Who talks to customers? Who authorizes major spend? Write it down before adrenaline decides for you.
90-day BCDR plan
Days 1–30: Inventory critical systems; set draft RTO/RPO; verify backup coverage; enable MFA on backup/cloud admin.
Days 31–60: Fix gaps; add offline/immutable copy if missing; define restore runbooks for top 3 systems.
Days 61–90: Perform restore test; run a 45-minute tabletop; update contacts and insurance docs.
Want this applied to your environment?
Book a free 15-minute review. For a structured risk baseline, use ImpetraInsights™.