Backup vs business continuity: why Australian SMEs need both
May 4, 2026
Backup protects your data. Business continuity planning (BCP) protects your ability to keep operating. They sound similar but they answer different questions: backup answers "can we recover the data," while BCP answers "can we keep serving customers while we recover the data?" For Australian SMEs, the most common gap we see is well-architected backups paired with no business continuity plan, which means the data is safe but the business stops trading for a week during recovery. Both are needed, and neither substitutes for the other.
Key facts
- Backup = data copies stored separately from production for recovery after loss.
- Business continuity planning (BCP) = organisational plan to keep operating during and after a disruption.
- Two key BCP metrics: RTO (Recovery Time Objective) = how quickly you need to be back, and RPO (Recovery Point Objective) = how much data loss is tolerable.
- Most Australian SMEs need RTO of 4-24 hours and RPO of 1-4 hours for core systems; nice-to-haves can be days.
- The 3-2-1 backup rule remains the baseline: 3 copies, 2 different media, 1 offsite.
- Immutable backups are the 2026 baseline against ransomware: backups that cannot be encrypted or deleted by an attacker who has access to production.
What's the difference between backup and business continuity?
Backup is a technical control that produces copies of your data, kept somewhere safe, that can be restored when something goes wrong. Lose a server: restore from backup. Get hit by ransomware: restore from backup. Accidentally delete a critical file: restore from backup. Backup answers a narrow question: can we recover the data?
Business continuity is the broader organisational plan that answers a different question: can we keep operating? When something major goes wrong (ransomware, fire, flood, extended power outage, key supplier failure, pandemic, building lockout), what systems do we need running, in what order, with what minimum staff, from where, and using what alternative methods until the primary systems are restored? BCP includes backup as one component, but it also includes alternative work locations, communication plans, customer notification procedures, supplier alternatives, manual workaround processes, and the order of recovery.
The shorthand we use with clients: backup is your data, business continuity is your business. Both matter. One isn't a substitute for the other.
What does a good backup look like for an Australian SME in 2026?
Modern SME backup follows the 3-2-1-1-0 rule, which extends the classic 3-2-1 with two important additions for the ransomware era.
- 3 copies of the data.
- 2 different media types or storage systems.
- 1 copy offsite, geographically separated from the primary site.
- 1 copy that's immutable or air-gapped, so an attacker who compromises production can't encrypt or delete it.
- 0 errors, verified by regular restore testing.
For most Australian SMEs we work with across Sydney, Melbourne, and Brisbane, the practical implementation looks like: production data on the primary file server or cloud storage, on-site backup to a Proxmox Backup Server with hardware-based immutability, and off-site replication to a cloud backup target (typically a different cloud or different region from the primary). This satisfies all five components of the 3-2-1-1-0 rule.
The two failure modes we see most often: backups that haven't been tested in 12+ months (and therefore probably don't work), and backups that share credentials or network access with production (and therefore can be encrypted by ransomware that's already inside the network). Quarterly restore tests and credential isolation address both.
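As an added example (not part of the original post or any 4iT tooling), the following Python checks a backup inventory against the 3-2-1-1-0 rule and the two failure modes just described; the inventory, the 90-day test window and the field names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class DataCopy:
    name: str
    medium: str                  # storage type, e.g. "ssd-array", "pbs", "object-storage"
    location: str                # site or cloud region
    is_production: bool = False
    immutable: bool = False      # hardware/object-lock immutability or air gap
    shares_prod_creds: bool = False           # can a production login delete or overwrite it?
    last_restore_test: Optional[date] = None  # last successful full restore, None if never

def check_3_2_1_1_0(copies, today, max_test_age=timedelta(days=90)):
    """Evaluate an inventory against 3-2-1-1-0 plus the two failure modes named
    above (stale restore tests, credentials shared with production).
    Returns {rule: passed}; production counts as one of the three copies."""
    prod_sites = {c.location for c in copies if c.is_production}
    backups = [c for c in copies if not c.is_production]
    def recently_tested(c):
        return c.last_restore_test is not None and today - c.last_restore_test <= max_test_age
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.medium for c in copies}) >= 2,
        "1_offsite": any(c.location not in prod_sites for c in backups),
        "1_immutable": any(c.immutable for c in backups),
        "0_errors": bool(backups) and all(recently_tested(c) for c in backups),
        "creds_isolated": bool(backups) and not any(c.shares_prod_creds for c in backups),
    }

def failing_rules(copies, today):
    return [rule for rule, ok in check_3_2_1_1_0(copies, today).items() if not ok]

# Constructed sample inventory in the layout described above: production file
# server, on-site Proxmox Backup Server, off-site cloud replica in another region.
TODAY = date(2026, 5, 4)
GOOD = [
    DataCopy("file-server", "ssd-array", "sydney-office", is_production=True),
    DataCopy("pbs-onsite", "pbs", "sydney-office", immutable=True,
             last_restore_test=date(2026, 3, 10)),
    DataCopy("cloud-replica", "object-storage", "au-region-b", immutable=True,
             last_restore_test=date(2026, 4, 2)),
]
# Same layout, but the cloud copy is reachable with production credentials and was last tested over a year ago.
WEAK = [
    GOOD[0], GOOD[1],
    DataCopy("cloud-replica", "object-storage", "au-region-b",
             shares_prod_creds=True, last_restore_test=date(2025, 1, 15)),
]
```

`failing_rules(WEAK, TODAY)` reports the stale test and the shared credentials while every structural rule still passes, which is exactly why a "backup completed" log line is not evidence of recoverability.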
What does a good business continuity plan look like?
An effective SME BCP isn't a 200-page document. It's a 10-30 page working document that covers six core areas:
1. Critical functions and dependencies. What does the business actually do, and what systems and people are required for each function? This is harder to articulate than it sounds. Most SMEs realise during the first BCP exercise that they don't have a clear picture of which systems support which revenue-generating activities.
2. Recovery objectives per function. RTO and RPO for each system or capability, prioritised. Email might be RTO 4 hours, RPO 1 hour. The marketing website might be RTO 48 hours, RPO 24 hours. The CRM might be RTO 8 hours, RPO 4 hours. Different functions need different recovery speeds.
3. Scenarios and triggers. What kinds of incidents trigger the BCP, and at what severity? Power outage at the office is different from ransomware affecting all systems. Different scenarios have different responses.
4. Recovery procedures. Step-by-step technical procedures for restoring critical systems, in priority order. Who does what, in what sequence, using what backups, against what RTO. This is where the technical and organisational meet.
5. Communication plans. Who's notified internally and externally, when, by whom, with what message. Customers, regulators (OAIC for personal information breaches, ASD for ransomware payments under the Cyber Security Act 2024), insurers, suppliers. Pre-drafted communications are much better than messages written under pressure.
6. Roles and authority. Who has authority to take systems offline, who authorises payment of ransoms, who talks to media, who signs off on recovery completion. Pre-decided answers save days during incidents.
What are RTO and RPO and how do you set them?
RTO is how long you can tolerate a system being unavailable. RPO is how much data loss you can tolerate. Both are measured in time.
An RTO of 4 hours for email means: if email goes down at 9am Tuesday, it needs to be back by 1pm Tuesday. An RPO of 1 hour for email means: when email is restored, the most recent emails you might lose are from up to one hour before the incident.
RTO and RPO drive backup and infrastructure decisions. RTO of one hour requires hot standby systems and continuous replication. RTO of 24 hours can be achieved with daily backups and a few hours of restore time. RPO of zero requires synchronous replication. RPO of four hours allows for hourly snapshot-based backups.
The right RTO and RPO depend on what each system supports. Customer-facing email and order processing typically have tight RTOs (2-8 hours) and RPOs (1-4 hours). Internal collaboration tools can be looser (24 hours). Reference documents and historical archives can be looser still (3-7 days).
Setting RTO and RPO correctly is the biggest leverage point in BCP. Tighter objectives drive higher cost. Looser objectives drive lower cost but more business pain when an incident hits. The practical exercise is matching objectives to actual business impact rather than aspirational ideals.
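An added example, not from the original post: this Python turns the RTO/RPO reasoning above into a check of whether a given backup design meets each system's objectives, and maps an objective to the infrastructure class the rules of thumb imply. The objectives reuse the three from the list above; the design (hourly snapshots, 15-minute replication lag, one hour to notice and decide, two hours to restore) is a constructed assumption.

```python
from dataclasses import dataclass
from datetime import timedelta

H = timedelta(hours=1)

@dataclass(frozen=True)
class Objective:
    system: str
    rto: timedelta   # maximum tolerable downtime
    rpo: timedelta   # maximum tolerable data loss, expressed as time

@dataclass(frozen=True)
class BackupDesign:
    backup_interval: timedelta     # time between snapshots or backup jobs
    replication_lag: timedelta     # delay before a snapshot reaches the offsite/immutable copy
    detect_and_decide: timedelta   # failure noticed and restore authorised
    restore_duration: timedelta    # restore to a working state, including verification

def achieved(design):
    """Worst case: the failure hits just before the next backup, and the last
    backup has not yet replicated, so loss is one interval plus the lag.
    Downtime is the time to notice and decide plus the restore itself."""
    rpo = design.backup_interval + design.replication_lag
    rto = design.detect_and_decide + design.restore_duration
    return rto, rpo

def evaluate(objectives, design):
    """Per system: does this design meet the stated RTO and RPO?"""
    rto, rpo = achieved(design)
    return {o.system: {"rto_met": rto <= o.rto, "rpo_met": rpo <= o.rpo}
            for o in objectives}

def required_design(o, replication_lag=timedelta(0)):
    """Infrastructure class an objective implies, following the rules of thumb
    above: RPO zero needs synchronous replication, RTO of about an hour needs a
    hot standby, otherwise scheduled backups whose interval leaves room for lag.
    Returns (class, maximum backup interval)."""
    if o.rpo == timedelta(0):
        return ("synchronous-replication", timedelta(0))
    if o.rto <= H:
        return ("hot-standby", o.rpo - replication_lag)
    return ("scheduled-backups", o.rpo - replication_lag)

# Constructed objectives (the three from the list above) and one constructed design:
# hourly snapshots, 15 min replication lag, 1 h to notice and decide, 2 h to restore.
OBJECTIVES = [Objective("email", 4 * H, 1 * H),
              Objective("marketing-website", 48 * H, 24 * H),
              Objective("crm", 8 * H, 4 * H)]
DESIGN = BackupDesign(1 * H, timedelta(minutes=15), 1 * H, 2 * H)
```

With this design, email meets its 4-hour RTO but misses its 1-hour RPO by the replication lag: hourly snapshots alone are not enough once the time to reach a safe copy is counted.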
What should an Australian SME do about backup and BCP in 2026?
Three priorities, in order.
1. Get backup architecture right first. If your backups can be encrypted by ransomware that compromises production, fix that before doing anything else. Immutable backup target, isolated credentials, tested restore. Without this, BCP is theoretical.
2. Document your critical functions and recovery objectives. This is a 1-2 day exercise for an SME. Walk through what the business does, what supports each function, what RTO and RPO each function requires. The output is the foundation for everything else.
3. Run a tabletop exercise once a year. Simulate an incident (ransomware, regional outage, key supplier failure) and walk the leadership team through the response. The first one will reveal gaps. Subsequent ones get progressively faster and smoother. Most SMEs we've worked with find this the single most valuable BCP activity.
Frequently asked questions
What is the difference between backup and disaster recovery?
Backup is data copies stored separately from production. Disaster recovery (DR) is the broader technical capability to restore systems and resume operations after a major incident, which uses backups but also includes infrastructure, network, and process components. DR is one part of business continuity planning, which adds the organisational and communication dimensions on top of the technical recovery.
What is the 3-2-1 backup rule?
The 3-2-1 backup rule states that you should have three copies of your data, on two different media types or storage systems, with one copy stored offsite. The rule has been extended to 3-2-1-1-0 for the ransomware era: one of the offsite copies should be immutable or air-gapped, and zero errors should be confirmed via regular restore testing.
What's a reasonable RTO for an Australian SME?
It depends on the system. For customer-facing email, payment processing, or order management, RTO of 2-8 hours is typical. For internal collaboration tools (Teams, SharePoint), 24 hours is often acceptable. For reference documents and historical archives, 3-7 days may be acceptable. RTO drives infrastructure cost, so getting it right matters: tighter RTO costs more, looser RTO causes more business pain during incidents.
How often should I test my backups?
Quarterly is the typical SME baseline for restore testing. Critical systems should be tested more often (monthly or after any significant configuration change). The test should be a real restore to a working state, not just a "backup completed successfully" log line. Untested backups have a non-trivial failure rate when finally needed; quarterly testing catches issues before they matter.
Do I need a business continuity plan if I'm a small business?
Yes, scaled to your size. A 10-person SME doesn't need a 200-page BCP. It does need a 10-15 page document covering critical functions, recovery objectives, basic incident scenarios, communication plans, and pre-decided authority for key decisions. The exercise of creating the BCP often reveals gaps that wouldn't otherwise be visible until an actual incident.
If you'd like a hand getting your backup architecture to ransomware-resistant standards, building a practical business continuity plan, or running a tabletop exercise that finds the gaps before an incident does, we can run a backup and BCP review tailored to where your SME sits today.
About the author
Brett Muscio is the Director of 4iT Support Pty Ltd, a managed services provider based in Castle Hill, NSW. He works with SME clients across Sydney, Melbourne, and Brisbane on backup and disaster recovery, immutable backup architecture using Proxmox Backup Server, business continuity planning, and IT advisory, with on-site support across the Sydney metro area and remote delivery nationally. Connect on LinkedIn.