In April 2025, Marks & Spencer was hit by a cyberattack that forced it to stop taking online orders from 25 April, with online sales only beginning to resume 46 days later in June. The disruption also caused problems with contactless payments, click-and-collect, and store availability. M&S later said attackers gained access through social engineering involving a third-party contractor, and the incident was widely reported as ransomware.
By November, the company said the attack had caused £324 million in lost sales, while more than £1 billion had been wiped from its market value in the aftermath.
M&S is not a small business. But the failure point was. A single compromised login. A backup and recovery process that could not keep pace with the attack. An assumption, somewhere, that existing defences were enough.
That pattern repeats at every scale. The UK government’s Cyber Security Breaches Survey found that 43% of UK businesses experienced a cyber breach or attack in the past year, equivalent to roughly 612,000 organisations. For small and medium-sized businesses, the triggers are usually more mundane than a sophisticated ransomware gang: a failed update, a dying server, a phishing email that someone clicks at the wrong moment, an internet outage just before payroll needs to run.
The damage, though, is the same. Operations stop. Staff sit idle. Customers go unanswered. Revenue disappears.
Business continuity and disaster recovery is the discipline that determines whether that kind of disruption lasts an hour or a week. For most UK SMEs, it is also the area of IT that gets the least attention until the moment it matters most.
At Computercentric, we have spent more than 20 years helping small businesses across the West Midlands manage exactly this kind of practical risk, through managed IT services, cloud and Microsoft 365 management, backup, cybersecurity, and disaster recovery planning built around how SMEs actually work.
Backup, disaster recovery, and business continuity are not the same thing
These three terms get mixed together constantly, even by IT providers. They solve different problems.
Backup is a copy of your data stored safely so you can retrieve it if the original is deleted, corrupted, or encrypted by ransomware. Think of it as the spare tyre in your boot.
Disaster recovery is the plan and process for restoring your IT systems, applications, email, and files after a serious incident. That is the breakdown service: getting the car back on the road.
Business continuity is broader. It covers how the entire business keeps operating while recovery is happening, including staff, communications, suppliers, customer service, and alternative ways of working. That is the plan to reroute your journey entirely while the car is being fixed.
Backup sits inside disaster recovery. Disaster recovery sits inside business continuity. A business that only has backup is like someone with a spare tyre but no idea how to fit it, no phone signal to call for help, and no plan for how to get their passengers home.
That distinction matters because many SMEs believe they are protected when what they actually have is a backup job running in the background.
The backup may mean the data still exists somewhere. It does not tell you who restores it, what gets restored first, how long it will take, whether the restore is clean, or how your team will keep serving customers while systems are down.
Why this matters more than most small businesses realise
The phrase “disaster recovery” sounds dramatic, as if it only applies to floods, fires, and corporate emergencies. Most SMEs are not brought down by cinematic disasters. They are stopped by ordinary failures that hit at the wrong time.
Phishing remains the most common cause of cyber disruption for UK businesses. In the 2025 government survey, 85% of businesses that suffered a breach said phishing was involved. But IT disruption is not only about hackers. Hardware failure, failed software updates, ageing equipment, network problems, power cuts, and human error account for a huge share of real-world downtime.
For a solicitor, that might mean no access to case files on the morning of a property completion. For a manufacturer, a failed server stopping production planning. For an accountancy practice, email going down during a tax deadline. For any growing business running on Microsoft 365, cloud storage, and remote working, even a few hours offline turns into missed work, delayed responses, stressed staff, and unhappy customers.
Secondary UK research suggests SMEs lose around 19 hours of productivity per year to IT downtime, worth roughly £7,500 per business annually. One UK downtime guide says 92% of businesses take 24 hours or more to recover from a significant outage. Those numbers put a price on the gap between having backup and having a tested recovery plan.
The 2024 CrowdStrike outage proved that disruption does not even require a cyberattack. A faulty software update paralysed thousands of organisations worldwide. Many affected businesses needed manual intervention on every device, and some spent days working through backlogs.
The lesson: recovery time depends less on where the problem started and more on whether you have tested backups, documented steps, spare devices, and someone accountable for getting things back online.
The Microsoft 365 backup gap most SMEs don’t know about
One of the most commercially dangerous misunderstandings in this area is the belief that Microsoft 365 automatically covers backup and recovery.
Microsoft provides platform availability. It keeps the service running. But Microsoft’s own guidance makes clear that customers own their data and share responsibility for business continuity. Native retention in Microsoft 365 typically lasts 30 to 90 days. After that window closes, accidentally deleted emails, corrupted OneDrive files, or data wiped by a departing employee may be gone for good.
That retention window is nowhere near enough for ransomware incidents where the attack may go undetected for weeks, accidental deletions discovered months later, compliance disputes, or GDPR data recovery obligations.
A business can be entirely cloud-based and still be under-protected if nobody has set up a proper third-party backup for Exchange, OneDrive, SharePoint, and Teams.
If email is central to your sales process, if your team works primarily from SharePoint, if customer records live in OneDrive, recovery planning needs to include Microsoft 365 explicitly. Not as an afterthought.
What a real small business plan should actually include
Most SMEs do not need a thick enterprise binder full of flowcharts nobody reads. They need a plan they can actually use under pressure.
A practical business continuity and disaster recovery plan for a small business should answer five questions: what must keep running, what the business can live without for a short time, what data and systems need protecting, who does what during an incident, and how do we know recovery will actually work.
The starting point is a simple business impact analysis. Identify the services your business cannot afford to lose, then work backwards to map the people, systems, data, internet access, devices, and suppliers those services depend on.
From there, set recovery priorities and document what happens when those resources fail.
A solid SME plan covers six areas:
- Critical operations: the key services, deadlines, and customer commitments the business must maintain during disruption, plus the minimum acceptable service level.
- Technology and data: which systems matter most. Email, shared files, line-of-business applications, Microsoft 365, laptops, servers, internet connectivity, and cloud platforms should all be considered properly, not assumed.
- Backup policy: what data is backed up, how often, where backups are stored, how long they are retained, who can access them, and how restore checks are performed. NCSC-backed guidance says backups should be separate from the main environment, ideally off-site or in a suitable cloud service.
- Disaster recovery steps: who can declare an incident, what gets restored first, what supplier contacts are needed, and what the technical recovery sequence looks like for priority systems.
- Continuity arrangements: how the business keeps functioning if the office, systems, or connectivity are unavailable. That could include remote working, alternative communications, spare devices, fallback internet, or temporary customer service workarounds.
- Testing and review: the ICO expects organisations to restore availability and access to personal data in a timely way and to test their measures regularly. The Cabinet Office toolkit for smaller organisations says continuity arrangements should be exercised at least annually, with additional review after major changes.
A plan that has never been tested is not a plan. It is a guess.
Start with business priorities, not with servers
This is where many businesses get recovery wrong. They think in terms of hardware. Which server comes back first? Which switch needs replacing?
The better approach starts with what the business actually needs to keep doing. Payroll may matter before archived files. Customer communication may matter before restoring every shared folder. Access and identity may matter before lower-priority applications.
The Cabinet Office’s own toolkit recommends identifying critical products and services first, then the activities that support them, then the resources those activities depend on. Priority should reflect not just “what broke” but “what will create the biggest operational mess if it stays down.”
For a typical SME, a practical recovery sequence often looks like this: communications and telephony first, then identity and access, then shared files and core business applications, then secondary tools and individual devices.
That is the difference between recovering in hours and losing days.
RTO and RPO explained for business owners
Two terms come up constantly in business continuity and disaster recovery planning because they turn vague reassurances into measurable commitments.
RTO, or Recovery Time Objective, means how quickly a system or service needs to be back up and running before the business impact becomes unacceptable.
RPO, or Recovery Point Objective, means how much recent data the business can afford to lose, measured in time. If your RPO is one hour, you are saying you can tolerate losing the last 60 minutes of work. If your RPO is 15 minutes, your backup frequency needs to match.
A concrete example: if your accounts team can tolerate being offline for four hours but cannot afford to lose more than 30 minutes of invoicing data, your RTO is four hours and your RPO is 30 minutes. Those numbers should not be guessed. They should come from the real operational cost of downtime for each system.
This is also where managed service providers prove whether they are offering resilience or just reassurance. If a provider cannot state your RTO and RPO for key systems, cannot show evidence of tested restores, or talks only about “backup success” rather than recovery outcomes, their disaster recovery capability may be more sales language than substance.
The 3-2-1 backup rule and why it still works
The 3-2-1 rule is one of the simplest and most effective principles in data protection: keep three copies of your data, on two different types of media, with one copy stored off-site.
For a small business, that might mean production data on your server, a local backup on a separate device, and a cloud backup stored in a UK data centre. The principle works because it removes single points of failure. If ransomware encrypts your server and your local backup is connected to the same network, both copies are compromised. The off-site copy is what saves you.
Modern variations extend this to 3-2-1-1, where the extra “1” means one copy should be immutable or air-gapped, meaning it cannot be altered or deleted even by an administrator. That extra layer matters because sophisticated ransomware now specifically targets backup systems.
Ransomware resilience: why having a backup is not the same as being able to recover
The 2024 Synnovis ransomware attack on NHS pathology services cancelled more than 1,500 operations, disrupted care for hundreds of thousands of patients, and cost at least £32 million in direct recovery work. The vulnerability was not the absence of backup. It was the dependency on a single provider and insufficient isolation between systems.
For small businesses, the ransomware risk is not abstract. UK guidance from both the ICO and NCSC is clear: backups must be segregated or offline, privileged backup accounts must be tightly controlled, and organisations should be able to detect suspicious changes to backup data.
The ICO specifically warns that attackers often try to delete or encrypt backups too, so a business should assess whether its recovery environment could survive the same attack that hit production.
The NCSC’s ransomware-resistant backup guidance boils down to practical principles: keep at least one backup separated from the main environment, secure admin access to backup systems, test restores regularly, and never assume a restore point is safe until you have verified it is clean and malware-free.
A backup that has not been tested, that sits on the same network as your live systems, or that nobody has tried to restore in the last 12 months is not protection. It is hope.
Ransomware resilience is one of the strongest arguments for treating business continuity and disaster recovery as an operational priority rather than an afterthought.
GDPR, compliance, and the legal case for recovery planning
For UK SMEs, backup and recovery are not just good IT practice. They sit inside a legal obligation.
The UK GDPR, through Article 32, requires organisations to use appropriate technical and organisational measures to protect personal data, including the ability to restore availability and access to personal data in a timely manner after a physical or technical incident. The ICO also requires businesses to regularly test, assess, and review those measures.
In plain English: if you hold personal data, you need a backup process, a recovery route, and evidence that you can actually restore data when something goes wrong. “We use the cloud” is not an adequate answer.
The ICO treats even temporary loss of access caused by ransomware as a potential personal data breach. If that breach is likely to risk people’s rights, the business may need to notify the ICO within 72 hours and keep records of its assessment.
Certain sectors face additional pressure. Legal services are among the most frequently targeted by ransomware and handle large volumes of confidential, time-sensitive data. Healthcare organisations face serious harm risks from data unavailability. Financial services firms must ensure third-party contracts support resilience requirements including business continuity and exit planning.
Recruitment businesses process special-category personal data where Article 32 security and recoverability expectations are particularly high. Manufacturing businesses face contractual continuity pressure even where sector-specific backup law is less explicit.
Cyber insurers are increasingly asking for evidence of a tested continuity plan as a condition of cover. A documented, exercised plan is not just about compliance. It is about demonstrating that the business takes operational risk seriously.
The common mistakes that leave small businesses exposed
The most common continuity and recovery failures are rarely caused by a complete absence of technology. They come from partial protection and optimistic assumptions.
The clearest warning sign is that nobody has ever performed a proper restore test. UK guidance stresses testing repeatedly, and multiple recovery sources confirm that “backup successful” does not prove the data is actually recoverable.
Other red flags: backups stored on-site or in the same environment as production systems. No one in the business can state the RTO or RPO for key systems. Microsoft 365 data is assumed to be fully protected just because it is in the cloud. Backup reports are checked, but restore results, excluded folders, permissions, and encryption key access are not. There is no immutable, offline, or segregated copy that would survive ransomware. The business does not know who to call, what gets restored first, or how staff would keep working during an outage.
Businesses frequently assume backups are fine because the software says they are.
They assume cloud platforms cover everything. They assume the person who set the system up years ago will know what to do in a crisis. They assume ransomware only affects larger targets.
Each of those assumptions has a cost, and the cost is usually discovered at the worst possible moment.
What a good managed backup and disaster recovery should look like
For SMEs, the biggest value of managed backup and disaster recovery is not the technology stack. It is the discipline around it.
A good managed service defines what is being protected, monitors backup jobs, separates and secures recovery data, performs regular test restores, documents the recovery order, assigns clear responsibilities, and gives the business realistic recovery expectations for named systems.
The questions that cut through generic sales language are straightforward: what are our agreed RTO and RPO for key systems? How are backups monitored, and who checks failures? How often do you perform test restores or disaster recovery tests? What gets restored first after an outage? What happens if ransomware reaches production systems and the backup environment?
A managed provider that can answer those questions with specifics, not generalities, is one that treats disaster recovery as an operational discipline rather than a line item on a proposal.
At Computercentric, our managed IT services are built around exactly this approach: proactive monitoring, managed backup with tested restores, Microsoft 365 protection, cybersecurity, and disaster recovery planning that helps businesses restore continuity within hours rather than hoping for the best. For businesses considering outsourcing their IT support, recovery capability is one of the most important things to evaluate in any provider.
The real goal is recoverable business operations
Small businesses do not need continuity planning because they want more documentation. They need it because real life is unpredictable. Staff make mistakes. Hardware fails. Internet drops. Cyber criminals do not only target large enterprises. Cloud services reduce some risks while creating others.
The businesses that recover quickest from disruption are not usually the ones that spent the most on business continuity and disaster recovery. They are the ones that prepared properly: documented what matters, tested their backups, agreed a recovery order, and made sure someone is accountable when things go wrong.
A strong business continuity and disaster recovery plan gives an SME three things: a way to protect data, a way to restore systems, and a way to keep trading while recovery takes place. That is what turns an IT incident from a crisis into a manageable interruption.
For businesses across Birmingham, Sutton Coldfield, Walsall, Wolverhampton, Lichfield, and Aldridge that want that protection without trying to design and manage it all internally, Computercentric’s managed services model is built for exactly this kind of joined-up resilience.
Frequently asked questions
Is business continuity the same as disaster recovery?
No. Disaster recovery focuses on restoring IT systems and data after a serious incident.
Business continuity is the broader plan for keeping the entire business operating during and after disruption, covering people, processes, communications, and alternative working arrangements as well as IT recovery.
Is backup enough on its own?
No. Backup gives you a copy of data. It does not tell you who restores it, in what order, how long recovery will take, or how the business keeps operating while systems are down.
A small business typically needs all three: backup so data exists after an incident, disaster recovery so systems can be restored in the right order, and business continuity so staff can still serve customers during the outage.
Does every small business need a business continuity plan?
In practical terms, yes. The threshold is not company size but dependency. If the business relies on email, internet access, cloud apps, shared files, customer data, or devices to trade, it needs some form of continuity and recovery planning.
The plan can be simple and proportionate, but it should exist and it should be tested. UK government guidance is written specifically with smaller organisations in mind.
Does ISO 22301 cover disaster recovery?
Yes, as part of a wider business continuity management system rather than as a standalone discipline. ISO 22301 provides a useful framework, but most small businesses do not need formal certification to apply good continuity practice.
The value is in the principles: understanding your risks, documenting recovery actions, testing regularly, and improving over time.
What should come first, business continuity or disaster recovery?
Business continuity is the wider strategy, so it comes first conceptually. Disaster recovery sits within it as the IT-specific component focused on restoring systems and data.
In practice, many SMEs find it easiest to start with a combined plan that covers both, rather than treating them as separate documents.
How often should backups and recovery plans be tested?
The Cabinet Office toolkit says continuity arrangements should be exercised at least annually, with additional review when the business changes, staff change, or lessons are learned from an incident.
The ICO expects regular testing of disaster recovery measures. For most SMEs, a practical cadence is automated daily backups, monthly restore checks for critical systems, and a fuller recovery exercise at least once a year.
What is the 3-2-1 backup rule?
Keep three copies of your data, on two different types of storage media, with one copy stored off-site. This principle removes single points of failure and remains one of the most effective data protection strategies for businesses of any size.
Modern best practice adds a fourth element: one copy should be immutable or air-gapped so it cannot be altered by ransomware.
Is a disaster recovery plan a legal requirement in the UK?
There is no single UK law that mandates a disaster recovery plan by name. However, the UK GDPR requires organisations holding personal data to implement appropriate security measures, including the ability to restore data availability after an incident.
For regulated sectors such as finance and healthcare, additional resilience requirements apply. Cyber insurers also increasingly require evidence of tested recovery plans as a condition of cover.
How Computercentric helps small businesses stay operational
By the time most businesses think seriously about backup and recovery, they have already experienced the disruption. Systems go down, work stops, and the real question becomes how quickly things can be brought back under control.
At Computercentric, we work with small businesses across the West Midlands to make sure that situation is handled properly long before it happens. With more than 20 years of experience, our role is to put the structure, protection, and accountability in place so recovery is not left to chance.
That means looking beyond individual tools and treating backup, disaster recovery, cybersecurity, and day-to-day IT support as one joined-up responsibility. Everything is designed around clear recovery priorities, realistic timeframes, and systems that are actively monitored and regularly tested, so there are no surprises when they are needed.
What this looks like in practice
- Proactive monitoring and maintenance to reduce the risk of disruption
- Managed backup with verified restore testing to ensure data can be recovered reliably
- Defined recovery priorities with clear RTO and RPO targets based on business impact
- Microsoft 365 backup and protection beyond standard retention limits
- Ransomware-resilient backup design with isolated and secure recovery points
- Business continuity planning that supports staff, communication, and ongoing operations
- Responsive, locally delivered support from a team that understands your business
When an incident does occur, the difference is immediate. Recovery follows a defined path, systems are restored in the right order, and the business continues operating with minimal disruption.
