| A backup and recovery plan is simply a written plan for how your business copies its important data and gets back up and running if something goes wrong. You do not need to be technical to have one, and every business needs one. This guide explains the essentials in plain language and shows you where to start. |
Most business owners only think hard about their backup and recovery plan the day something goes wrong. A file vanishes, a laptop is stolen, or an email lands saying your systems have been locked, and the first real question becomes: do we have a copy, and can we get it back? If you would rather answer that question before an emergency than during one, this page is for you. There is a lot of technical writing on this subject, much of it aimed at IT professionals. This is not that. It is the plain-language starting point for a business owner or manager who wants to understand what a backup and recovery plan is, why it matters, and what to do first.
By the end you will know the essentials of a good plan and where to go next for the detail. We will link you to more specific guides as we go, so you can dig deeper on any part that matters to your business.
What a Backup and Recovery Plan Actually Is
Strip away the jargon and it is two simple ideas joined together. Backup is making copies of your important data so you still have it if the original is lost. Recovery is the process of getting that data and your systems working again after something goes wrong. The plan is the written record of how both of those happen in your business, and who is responsible for making sure they do.
That is it. A backup and recovery plan does not have to be a thick technical document. For a small business it can be a single page. What matters is that it exists, that someone owns it, and that it has been tested so you know it works before you need it.
If you want the deeper detail on the backup side specifically, our guide to data backup strategy covers how backups are structured and stored. This page stays focused on the plan as a whole.
Why Every NZ Business Needs One
Data loss is not a rare event. It happens through ransomware, accidental deletion, hardware failure, a lost laptop, or a staff member overwriting the wrong file. The question is not whether your business will face one of these, but whether you will be ready when it does.
Picture two businesses hit by the same ransomware attack on the same morning. The first has a tested plan: backups are restored, systems are back by the afternoon, and clients barely notice. The second has no plan: a week later they are still rebuilding from scratch, fielding angry calls, and watching work walk out the door. Same attack, completely different outcome. The difference is almost always whether a plan existed and had been tested beforehand.
There is also a growing compliance reason. Under the Privacy Act 2020, NZ businesses are responsible for protecting the personal information they hold, and cyber insurers increasingly require a documented, tested plan before they will issue or renew cover. A plan is no longer just good practice. It is becoming an expectation.
The Essentials of a Good Plan
A useful plan answers a handful of straightforward questions. You do not need every advanced feature to start. You need these five basics in place and written down.
| The Minimum Every Plan Needs | What It Means in Plain Terms |
| What you are protecting | A simple list of the data and systems your business cannot operate without: email, accounting, customer records, key files. |
| Where the backups go | At least one copy kept somewhere separate from your main systems, so a single failure or attack cannot take both at once. |
| How often it backs up | How much work you can afford to lose decides this. Once a day is a starting point. Critical systems may need more. |
| Who is responsible | One named person who owns the plan and checks it is working. Without an owner, plans quietly stop being maintained. |
| How you get back up | A short, written description of what happens and in what order if something goes wrong, and who to call. |
If your plan covers those five things and someone has checked that the backups actually restore, you are already ahead of many NZ businesses. Everything beyond this is refinement.
Where to Start if You Have Nothing in Place
Starting from zero feels daunting, but the first steps are simple and do not require a big budget.
Step one: list what you cannot lose
Before any technology, write down the data and systems your business genuinely cannot operate without. This list is the foundation of everything else, and it is something you can do today without any technical help.
Step two: check what you already have
Many businesses already have some backup running, often without realising what it does and does not cover. If you use Microsoft 365 or Google Workspace, be aware that these do not fully back up your data the way most people assume. Our cloud backup guide explains exactly what Microsoft does not cover, which surprises most business owners.
Step three: fill the gaps and write it down
Once you know what matters and what you already have, the gaps become clear. Put a backup in place for anything important that is not covered, decide who owns the plan, and write the whole thing down in plain language. A simple document everyone understands beats a sophisticated one nobody can follow.
Step four: test it
An untested backup is just a hope. At least once, actually restore something from your backup to confirm it works. This single step catches the failures that otherwise only surface during a real emergency, when it is too late. For the full recovery side, including how to plan the response itself, see our disaster recovery plan guide, which includes a free template.
Backup, Recovery, Continuity: How They Fit Together
These terms get used interchangeably, which causes confusion. Here is the simple version. Backup is the copies of your data. Recovery is getting back up after an incident. Business continuity is keeping the business running through it. They are layers that build on each other, not competing options.
For most small businesses, a solid backup and recovery plan is the right place to start. As you grow, the broader picture matters more. If you want to understand the distinction in detail, our guide on BCDR versus backup explains where each one fits, and our business continuity plan guide covers keeping operations running through a disruption.
Common Mistakes Businesses Make
Most backup and recovery failures are not caused by exotic technical problems. They come from a handful of simple, avoidable mistakes. Knowing them in advance is the easiest way to make sure your plan holds when it counts.
Assuming a backup exists without checking
The most common mistake is believing data is backed up when it is not. A backup may have been set up years ago and quietly stopped working, or it may only cover part of what matters. Never assume. Confirm what is actually being backed up, how recently, and whether it has been restored successfully. The assumption that everything is handled is exactly what turns a minor incident into a serious one.
Keeping the only backup in the same place as the original
A backup stored on the same server, in the same building, or on a drive that is always connected offers limited protection. Ransomware spreads to connected drives, and a fire, theft, or flood takes everything in one location. A safe plan keeps at least one copy separate from your main systems, whether that is in the cloud or physically offsite, so a single event cannot destroy both the original and the backup at once.
Backing up data but not the ability to use it
Recovering your files is only half the job. If it takes days to rebuild the systems that read those files, your business is still offline. A good plan considers not just the data but how quickly you can get working again, which is why the recovery side matters as much as the backup side. This is the point where many businesses discover their plan was really just a backup, not a recovery plan.
Never testing a restore
This one is worth repeating because it causes so much avoidable damage. A backup that has never been restored is an untested assumption. The first time you find out whether it works should not be during a real emergency. A simple test restore, done occasionally, is the single most reliable way to know your plan will hold.
Setting it up once and forgetting it
A business changes constantly. New software, new staff, new data, new systems. A plan that perfectly matched your business a year ago may now miss the things that matter most. Plans that are never reviewed slowly drift out of date until they protect the wrong things, or nothing at all.
A Simple Rule Worth Knowing
If you remember one principle from this page, make it this one. It is widely used because it is simple and it works, and you do not need to be technical to apply it. It is called the 3-2-1 rule.
Keep three copies of your important data. Store them on two different types of storage, so a single kind of failure cannot affect all of them. And keep one of those copies offsite, away from your main location. That is the whole rule. A modern cloud backup usually handles the offsite copy for you automatically, which is part of why cloud backup has become the practical default for most NZ businesses.
You do not have to implement this perfectly on day one. But if your current setup does not even loosely follow it, for example if every copy of your data lives in the same place, that is the first gap to close. It is a clear, memorable target to aim for as you build your plan up over time.
Keeping the Plan Alive
A plan written once and filed away slowly stops reflecting your business. New systems get added, staff change, and what mattered a year ago may not be what matters now. A good plan is reviewed regularly, at least once a year and whenever something significant changes, so it keeps pace with how your business works.
This is where many businesses fall down. Not in writing the first plan, but in keeping it current and tested. If maintaining it yourself is not realistic, this is one of the most valuable things a managed IT provider takes off your plate.
Not Sure Where Your Business Stands?
Exodesk helps South Island businesses build, test, and maintain backup and recovery plans that actually work when they are needed. From our offices in Christchurch and Dunedin, we make sure your data is protected and your business can recover, without the technical headache.
If you are not sure whether your current backups would survive a real emergency, we offer an honest, no-obligation review of where you stand.
Contact us today to discuss how we can help your business or connect with us on LinkedIn to stay updated with more insights.
Frequently Asked Questions
What is a backup and recovery plan?
A backup and recovery plan is a written plan for how your business copies its important data and restores its systems if something goes wrong. Backup is the copies of your data, recovery is the process of getting back up and running, and the plan records how both happen and who is responsible. It does not need to be technical or lengthy. For a small business it can be a single page, as long as it exists, has an owner, and has been tested.
Do small businesses really need a backup and recovery plan?
Yes, often more than large ones. Small businesses are frequently targeted because attackers assume they are less prepared, and a small business has less financial cushion to absorb weeks of downtime. Data loss through ransomware, accidental deletion, or hardware failure affects businesses of every size. A simple, tested plan is one of the highest-value protections a small NZ business can put in place.
Isn’t my data already backed up by Microsoft 365 or Google?
Not fully, and this surprises most business owners. Microsoft and Google keep their platforms running and secure, but they do not back up your individual files and emails against accidental deletion, malware, or a staff member overwriting something. You remain responsible for protecting and restoring your own data. This is one of the most common gaps we see in NZ businesses that believe they are already covered.
How often should backups happen?
It depends on how much work your business could afford to lose. If losing a day of data would be a serious problem, a daily backup is the minimum and critical systems may need more frequent copies. The simplest way to decide is to ask how much work your team could afford to redo if the most recent backup was all you had. That answer sets your frequency.
How do I know my backup actually works?
By testing it. The only way to be certain a backup works is to restore something from it before you need to in an emergency. An untested backup is a common and dangerous assumption. At least once, restore a file or system from your backup and confirm it comes back correctly. Many businesses only discover their backups were failing at the worst possible moment, during a real incident.
What is the difference between backup, recovery, and business continuity?
Backup is the copies of your data. Recovery is the process of getting your data and systems working again after an incident. Business continuity is the broader practice of keeping your whole business operating through a disruption, including staff, communication, and processes, not just IT. They build on each other. A backup and recovery plan is the right starting point, and business continuity becomes more important as a business grows.
How does Exodesk help with backup and recovery?
Exodesk designs, implements, tests, and maintains backup and recovery plans for South Island businesses from our offices in Christchurch and Dunedin. We make sure the right data is protected, that backups actually restore when needed, and that your plan stays current as your business changes. For businesses without the time or technical capability to manage this in-house, we take it off your plate as part of a managed IT service.
