MSP Backup and Disaster Recovery: A Complete Guide for Australian Businesses
Data loss is not a question of if, but when. Ransomware, hardware failure, human error, natural disasters, and malicious insiders all threaten your business data. Your MSP's backup and disaster recovery (BCDR) capability is arguably the most important service they provide — because when everything else fails, backups are what keep your business alive.
Why Backup Is Your Last Line of Defence
The Australian Cyber Security Centre (ACSC) reported that ransomware remains one of the top cybersecurity threats to Australian businesses. In 2025, the average ransom demand for Australian businesses exceeded $250,000, with total incident costs (including downtime, recovery, and reputational damage) averaging $1.5 million.
The only reliable defence against ransomware is tested, immutable backups. If your MSP cannot demonstrate that your backups are working and recoverable, you are one incident away from catastrophic data loss.
The BCDR Framework
Effective disaster recovery is not just about backing up files. It is a framework that covers four elements:
1. Backup Strategy
Your backup strategy defines what is backed up, how often, and where it is stored.
What to back up: - All servers (full image and file-level) - All critical databases - Microsoft 365 data (Exchange, SharePoint, OneDrive, Teams) - Line-of-business applications - Configuration files (firewalls, switches, routers) - Virtual machines
How often: | Data Type | Backup Frequency | Retention | |-----------|-----------------|-----------| | Critical servers | Every 4 hours (minimum) | 30 days daily + 12 months monthly | | Workstations | Daily | 30 days | | Microsoft 365 | Daily | 90 days | | Databases | Every 1–4 hours | 30 days with point-in-time recovery | | Configurations | Weekly | 12 months |
Where to store: - On-site: Fast recovery but vulnerable to physical disasters - Off-site: Protected from local disasters but slower recovery - Cloud: Scalable and geographically diverse - Immutable storage: Protected from ransomware and deletion
The ideal setup is a 3-2-1 strategy: 3 copies of data, on 2 different media types, with 1 off-site. In 2026, the recommendation is 3-2-1-1: add 1 immutable copy.
2. Recovery Point Objective (RPO)
RPO defines how much data you can afford to lose. It determines your backup frequency.
- RPO of 1 hour: Backups every hour. You lose at most 1 hour of data.
- RPO of 4 hours: Backups every 4 hours. You lose at most 4 hours of data.
- RPO of 24 hours: Daily backups. You lose at most 1 day of data.
Most Australian SMBs target an RPO of 4–24 hours for general systems and 1–4 hours for critical databases. The RPO you choose should be based on the business impact of data loss, not technical convenience.
3. Recovery Time Objective (RTO)
RTO defines how quickly you need to restore operations after a disaster. It determines your recovery infrastructure and processes.
| Business Size | Typical RTO Target | What It Means |
|---|---|---|
| Small (1–20 users) | 4–8 hours | Business can survive half a day offline |
| Mid-market (20–100 users) | 2–4 hours | Business needs to be operational within a half-day |
| Enterprise (100+ users) | 1–2 hours | Every hour of downtime costs significant revenue |
Your RTO should account for: - Revenue impact of downtime - Staff costs during downtime (people still get paid) - Customer and reputational damage - Regulatory reporting requirements (some breaches require notification within 72 hours)
4. Disaster Recovery Plan
Your DR plan is the documented process for recovering your IT environment. It should include:
- Contact list: Who to call (MSP, vendors, key staff)
- Incident classification: What constitutes a disaster vs a major incident
- Recovery procedures: Step-by-step instructions for each system
- Communication plan: How to notify staff, customers, and stakeholders
- Testing schedule: When and how the DR plan is tested
- Provider responsibilities: What the MSP is responsible for vs your internal team
Common BCDR Solutions Used by Australian MSPs
| Solution | Type | Key Feature |
|---|---|---|
| Datto SIRIS | Appliance + Cloud | Hybrid backup with instant virtualisation |
| Veeam | Software | Flexible, supports most platforms and clouds |
| Acronis | Software + Cloud | Good cyber protection features |
| Rubrik | Appliance + Cloud | Enterprise-grade, strong security |
| Cove (N-able) | Cloud-first | Cloud-native, good for distributed environments |
| Microsoft 365 Backup | Cloud | Native M365 backup (not a full BCDR solution) |
The best solution depends on your environment, budget, and recovery requirements. Your MSP should be able to explain why they chose their BCDR platform and how it meets your needs.
The Microsoft 365 Backup Gap
Many Australian businesses assume Microsoft backs up their M365 data. They are wrong.
Microsoft's responsibility is the platform — keeping Exchange Online, SharePoint, and OneDrive running. Your responsibility is your data within those services.
Microsoft provides: - Geo-redundant storage (data is replicated across data centres) - Point-in-time recovery (up to 14 days for SharePoint, 30 days for OneDrive)
Microsoft does NOT provide: - Long-term backup retention - Granular point-in-time recovery beyond their default windows - Protection against accidental or malicious deletion beyond soft-delete - Compliance-grade backup for regulatory requirements
If your MSP manages your M365 environment, they should be implementing a third-party M365 backup solution. If they are not, you have a significant gap.
Ransomware Resilience
Modern ransomware specifically targets backups. Attackers know that if they can encrypt or delete your backups, you have no choice but to pay the ransom.
How to Protect Against Backup-Targeting Ransomware
- Immutable storage: Backups that cannot be modified or deleted for a defined period, even by administrators.
- Air-gapped backups: Physical separation from the network. Ransomware cannot encrypt what it cannot reach.
- Separate credentials: Backup systems should use different admin accounts than your primary environment.
- Monitoring: Alert on any changes to backup schedules, configurations, or data.
- Regular restoration testing: If you have never tested restoring from backups, you do not have backups — you have hope.
Evaluating Your MSP's BCDR Capability
Ask your MSP these questions:
- "What BCDR solution do you use, and why did you choose it?"
- "When was the last time you tested a full restoration of our environment?"
- "Are our backups stored in immutable storage?"
- "What is our RPO and RTO, and how are they achieved?"
- "Do we have a documented disaster recovery plan?"
- "How do you protect our backups from ransomware?"
- "Can you show me a backup success report for the past 30 days?"
- "What happens to our backups if we change MSPs?"
If your MSP cannot answer these questions confidently, your backup posture needs immediate attention.
Related Guides
- Essential 8 Maturity Level 1 — Backup requirements under Essential 8
- MSP Cybersecurity Incident Response — What happens during a breach
- MSP Health Score — Benchmark your MSP's capability
- RMM Software Comparison — How RMM integrates with BCDR
- MSP Technical Documentation — What your MSP should document
Was this helpful?