Data Backup and Disaster Recovery for Small and Medium-Sized Businesses (SMEs)

Many pitfalls await companies looking for backup systems. Organizations that do not employ IT specialists are particularly vulnerable.

Backup for SMEs: the art of difficult choices

Hackers have targeted small and medium-sized enterprises for years. However, in the last two years, the wave of cyber-attacks on the infrastructure of this group of companies has taken an exceptional turn. Industry statistics estimate that ransomware attacks target SMEs between 50 and 70 percent specifically. Other incidents, such as phishing, crypto-jacking, and DDoS, are also included. Any one of these can interrupt critical business operations, leading to severe financial losses.

According to Gartner, the average cost of downtime for an SME following a ransomware attack is $5,600 per minute. HIPAAtrek, on the other hand, calculates that it takes 287 days to restore a system after a ransomware attack completely. Security experts are under no illusion – the game of cat and mouse with cyber-criminals does not end with detecting and stopping attacks. You also have to consider the worst scenario of attackers breaking through the security measures used by an organization and invading the company’s network. In such a situation, everything must be done to minimize the damage and get applications and IT infrastructure back up and running as quickly as possible. This depends heavily on the backup and recovery tools you have in place.

Two types of backup solutions

Analysts believe that companies have a lot of catching up in this area. According to Gartner, by the end of 2022, as many as 40% of enterprises will have completed or completely replaced their backup software. Although the data refers to both SMEs and corporate clients, it is expected that this indicator may be slightly lower for smaller companies. Storware is not surprised by these predictions, as the division of backup solutions into two parts has been noticeable for several years now. The first is made up of manufacturers offering solutions based on the architecture of the 1990s, while the second is made up of a new wave of players who build products based on innovative mechanisms.

The D2D2T (a disk-to-disk-to-tape backup strategy) philosophy that has been pushed through for many years is slowly becoming a thing of the past. Companies are increasingly using deduplicators or object-based memory. What further drives customers to seek new solutions is the development of cloud services and containerization.

Problems with the designation of RTOs

According to research conducted by Veeam, the interruption tolerated by companies following a failure of IT systems should not be longer than two hours. This two-hour restoration time is an average value created primarily for marketing purposes. However, a statistic is like a lighthouse in the daytime – it does not reveal anything or illuminate anything, but you can always refer to it for support. It is similar in this case. IT teams should not rely on studies, suggestions, or averages when determining the acceptable business downtime (RTO) associated with an IT system failure. Business continuity should be defined on a company-by-company basis; you can’t lump everyone together.

Suppliers of backup systems are constantly pushing the boundaries and trying to attract customers with, for example, low RTOs (Recovery Time Objective) or RPOs (Recovery Point Objective). It is easy to imagine agitated passengers waiting two hours for the baggage belt to start in one scenario. At the same time, in other cases, some companies make intensive use of IT systems at specific times – at the end of the week or month or as e-shops offering niche products. In these cases, you may have to wait up to several hours for your IT system to be restored to operation.

Unfortunately, companies can often not define their data protection needs and cannot choose the right tools. RTO is complicated to estimate because the process requires the involvement of several departments within the company and goes beyond the scope of IT. A slightly easier task is defining the RPO. In an ideal model, the RPO is zero. In practice, the lowest value is set for financial institutions in seconds. In general, the rule of thumb is that the more data you generate and the more critical it is, the more often you should back up. For the average small business, backup every few days is generally sufficient. However, daily backup is recommended for remote working, regular work with customer data, or regulated industries. It is also worth realizing that a 5-hour RPO does not necessarily mean that the organization will lose five hours of data in the event of a disaster.

When a word-processing application shuts down at midnight and comes up again at 3:15, there is little or no loss. Worse is if the failure occurs at 10 am, and you don’t get around to it by 3 pm, in which case you can lose precious, sometimes even irreplaceable, data. Either way, a shorter restore point target means less data is lost but requires more backups and additional disk space, and computational and network resources for backups. The conclusion is simple – the shorter the RPO, the greater the financial outlay for backup.

Backup – more than RTOs and RPOs

It is important to note that business processes and disaster recovery should not only be the responsibility of backup software. It is crucial to ensure redundancy for critical components in the lower layer: servers, storage, or network devices. Besides, just making a backup is only half the battle; making sure the process is done correctly is another matter. A study by provides exciting insights into this, showing that 60 percent of backups are incomplete and that one in two restore operations fail.

Smaller companies do not always recognize the difference between backup and archiving. Knowing these two standards greatly helps sort digital assets and acquire more storage space for backups. The first option deals with data that is currently changing and needs to be restored quickly. In contrast, data intended to be archived does not change and is not used for various reasons, most often legal considerations. Experts estimate that around 75 percent of the data on servers belonging to SMEs has not been used for at least a year. This type of information needs to be archived. This has two advantages: the data is better organized and therefore easier to find, and it saves money by not having to spend funds on extra space for backups.

Another mistake SME owners make is a certain short-sightedness. They often assume that data remains within the office. This used to be the case, but with the advent of cloud services and the exponential growth of remote working, the situation has changed dramatically. Files are dispersed and are found in different locations: on staff members’ home computers and in server rooms belonging to cloud providers. Besides, migration to a cloud environment raises additional challenges in data protection. In the SaaS model, the service is run and managed in the cloud by a third-party provider who never takes full responsibility for the data, only the availability of the service. Many companies that use SaaS think they don’t need to care about backup, which is a severe mistake. Data processed by cloud applications require unique backup solutions.


The number of threats to which corporate data is exposed can only increase. There is also a shortage of specialists on the market who would substantively and technically support the company in the data protection area. Today, a modern data backup and restore system plays a much more important role than simply moving data from one place to another: it protects against cyber threats, automates data protection for key areas of IT infrastructure, secures data of remote employees, saves time and company resources and much more.

A backup system such as Storware also allows you to limit the number of specialists needed to keep your infrastructure safe. And in case of problems – there is always a support team at your disposal. Win-win situation.

Paweł Mączka Photo

text written by:

Pawel Maczka, CTO at Storware