How to Create a Simple Disaster Recovery Plan for Your Small Business

Jeremy Phillips·February 4, 2026·7 min read·intermediate

A disaster recovery plan documents exactly what to do when something takes your IT systems down, whether that is a ransomware attack, a server failure, a natural disaster, or even an ISP outage. Without a written plan, people panic, forget steps, and waste critical time. With one, you respond with a clear process and get back to business faster.

The good news is that a useful disaster recovery plan does not need to be 50 pages of corporate boilerplate. A practical, three-to-five page document that your team has actually read and tested is far more valuable than a binder collecting dust on a shelf. Set aside two to four hours, follow the steps below, and you will have a working plan by the end.

What You Will Need Before You Start

Gather these items before sitting down to write the plan. Having them in front of you will save time and make the document far more accurate.

  • An inventory of your critical systems and data. This includes email, phone systems, file storage, line-of-business applications, accounting software, and any client-facing systems.
  • Documentation of your current backup setup. Know where backups are stored, how often they run, and who manages them. If Athencia manages your IT, your backup stack already includes Dropsuite for Microsoft 365 data and Slide for on-premises backups, and both are monitored through the Athencia One portal.
  • Contact information for your IT provider, ISP, and key vendors. Collect names, phone numbers, email addresses, and account numbers in advance.
  • A block of focused time. Two to four hours is enough for the initial draft. The plan does not need to be perfect on the first pass; you will revise it after testing.

Why You Need a Written Plan

During a crisis, even smart, experienced people forget steps and make mistakes under pressure. A written disaster recovery plan removes guesswork and assigns clear responsibilities so everyone knows what to do.

Beyond the operational benefits, cyber insurance policies increasingly require a documented incident response or disaster recovery plan. If you file a claim without one, the insurer may deny coverage or reduce the payout. Having a written, tested plan strengthens your position.

Step 1: Identify Your Critical Systems

Start by listing every system your business depends on to operate. Walk through a typical workday and note each tool, service, and data source your team touches. Common examples include:

  • Email and calendar (Microsoft 365, for most Athencia clients)
  • Phone and voicemail system
  • File storage (OneDrive for Business, SharePoint Online, or an on-premises file server)
  • Line-of-business applications (CRM, ERP, project management)
  • Accounting and payroll software
  • Client-facing systems (website, client portal, e-commerce platform)

Once you have the list, rank each system by criticality. Ask yourself: if we could only restore one system first, which would it be? Then the second, and so on. This ranking drives the order of recovery when a real disaster hits.

For each system, document three things: where it is hosted (cloud, on-premises, or SaaS), who manages it (your team, your MSP, or a third-party vendor), and how it is currently backed up. If a system has no backup, flag it immediately. That gap needs to be addressed before the plan is complete.

Step 2: Define Your Recovery Objectives

Two numbers drive your entire disaster recovery strategy: your Recovery Time Objective (RTO) and your Recovery Point Objective (RPO).

RTO (Recovery Time Objective) is how long each system can be down before the business impact becomes unacceptable. For example, you might decide that email can be down for four hours, but your accounting system can tolerate up to 24 hours. These numbers are business decisions, not technical ones. Think about revenue loss, employee productivity, and client impact.

RPO (Recovery Point Objective) is how much data you can afford to lose. If your backups run once per day, you could lose up to 24 hours of work in a worst-case scenario. If that is unacceptable for certain systems, you need more frequent backups for those systems.

These objectives reveal gaps. If your RTO for email is one hour but your current backup would take eight hours to restore, you have a gap that needs a solution. If you use Dropsuite for Microsoft 365 backup, point-in-time recovery of individual mailboxes, files, and SharePoint sites is typically fast enough to meet a four-hour RTO for most small businesses. For on-premises data backed up with Slide, recovery time depends on the volume of data and whether you are restoring to original hardware or replacement equipment.

Step 3: Document Recovery Procedures for Each Scenario

Write out step-by-step instructions for each type of disaster. Be specific enough that someone under stress can follow the steps without guessing. Here are the four most common scenarios for small businesses.

Scenario 1: Ransomware or Cyberattack

  1. Isolate affected systems immediately. Disconnect infected computers from the network by unplugging the Ethernet cable and turning off Wi-Fi. The goal is to stop the infection from spreading.
  2. Contact your MSP or IT provider right away. If Athencia manages your IT, call the emergency support line listed in your contact sheet. Do not attempt to fix ransomware yourself.
  3. Do not pay the ransom. Paying does not guarantee you will get your data back, and it funds further attacks.
  4. Assess the scope of the attack. Work with your IT provider to determine which systems and data are affected.
  5. Restore from clean backups once the infection is fully contained. For Microsoft 365 data, Dropsuite stores backups independently from your Microsoft tenant, so a compromised tenant does not compromise your backup data. For on-premises data, Slide provides the local backup copy for faster restoration.
  6. Report the incident to the FBI's Internet Crime Complaint Center (IC3), your cyber insurance carrier, and any regulatory bodies required by your industry.
  7. Communicate with employees and clients as appropriate. Be transparent about what happened and what you are doing about it.

Scenario 2: Hardware Failure (Server, Computer, Network Equipment)

  1. Identify the failed component. Is it a workstation, a server, a switch, or a firewall?
  2. Activate spare equipment if available. A spare laptop, a backup router, or a standby switch can keep operations running while the failed device is replaced.
  3. Contact your MSP or hardware vendor for replacement. Provide the model, serial number, and warranty information.
  4. Restore data from backup to the replacement device. For workstations, Microsoft Intune (included with Microsoft 365 Business Premium) can push company policies, applications, and settings to a new device quickly, reducing setup time from hours to minutes.
  5. Document the failure for insurance and warranty purposes.

Scenario 3: Internet or ISP Outage

  1. Switch to a backup internet connection if available. This could be a secondary ISP, a cellular failover device, or a dedicated LTE/5G backup line.
  2. If no backup connection is available, set up a mobile hotspot from a phone for critical tasks like email and essential cloud applications.
  3. If the outage will be extended, send employees home to work remotely using their home internet connections. Because Microsoft 365 data lives in the cloud, employees can access email, files, and Teams from any internet connection.
  4. Contact the ISP for an estimated restoration time and document the outage duration for your records.

Scenario 4: Physical Disaster (Fire, Flood, Extended Power Outage)

  1. Ensure employee safety first. People come before data, always.
  2. Assess physical damage to equipment once it is safe to do so.
  3. Activate remote work capabilities. If your team uses Microsoft 365 Business Premium, email, OneDrive, SharePoint, and Teams are all accessible from any device with an internet connection. Employees can work from home while the office is unusable.
  4. Contact your insurance carrier to begin the claims process.
  5. Begin the equipment replacement process with your IT provider.
  6. Restore on-premises data from offsite or cloud backups. This is where the offsite copy in a 3-2-1 backup strategy proves its value. If your local Slide appliance was destroyed in the disaster, the cloud copy of your Microsoft 365 data in Dropsuite remains completely unaffected.

Step 4: Document Key Contacts

Create a contact sheet and include it in the plan. Print a copy and keep it somewhere accessible even if your computers and network are down. Include:

  • IT provider/MSP: Name, phone, email, emergency support line
  • ISP: Account number, support phone number
  • Key software vendors: Support contacts for each critical application
  • Cyber insurance carrier: Policy number, claims phone number, agent contact
  • Company leadership: Names and cell phone numbers for decision-makers
  • Employee notification list: Personal email addresses and cell phone numbers for all employees (you cannot use company email to notify people if company email is down)

Step 5: Assign Roles

Even in a five-person company, define who does what during a disaster. When everyone assumes someone else is handling it, nothing gets handled.

  • Incident commander: The person who makes decisions during the disaster. This is usually the business owner or operations manager. They decide priorities, approve spending, and communicate with leadership.
  • IT lead: Your MSP or internal IT contact who handles the technical recovery work. They coordinate with vendors, execute restore procedures, and report progress to the incident commander.
  • Communications lead: The person who communicates with employees, clients, and vendors during the incident. They send status updates, manage expectations, and handle any public-facing communication.

In a small business, one person may fill multiple roles. That is fine. The important thing is that the roles are defined in writing and everyone knows their responsibilities before a disaster happens.

Step 6: Test the Plan

A plan you have never tested is just a document. You do not know if it works until you walk through it.

Run a tabletop exercise once per year. Gather your team around a table and walk through a scenario verbally. For example: "It is Monday morning and we discover our email has been encrypted by ransomware. Walk me through what we do." Go step by step. You will find gaps, outdated contacts, and unclear procedures every time.

Test a backup restore once per quarter. Pick a random file, email, or folder and actually restore it from backup. Verify the restored data is complete and usable. If your backups are managed through Athencia, you can verify backup health anytime through the Athencia One portal, but a hands-on restore test is still essential.

Update the plan after every test with the lessons you learned. Also update it whenever systems, vendors, or personnel change. A disaster recovery plan is a living document, not a one-time project.

Need Help?

Building a disaster recovery plan is easier with an experienced IT partner. If you want help creating or testing your plan, reach out to Athencia and we will walk through it with you.

Related Articles

How to Migrate Your Office File Server to the Cloud

Practical guide for small businesses moving files from a local server to SharePoint and OneDrive, covering planning, migration, and user training.

7 min read

How to Set Up OneDrive for Business So Your Team Actually Uses It

Practical guide to rolling out OneDrive for Business in a small office, including folder structure, training tips, and common mistakes to avoid.

6 min read

How to Verify Your Backups Are Actually Working: A Monthly Checklist

A practical monthly checklist for small businesses to verify that backups are completing, data is recoverable, and nothing is silently failing.

5 min read

Need Hands-On Help?

Our team can handle this for you. No pressure, just a conversation.

Contact Athencia