Why DR matters more in South Africa
SA businesses live with a stacked risk profile: load-shedding kills hardware; Eskom voltage events fry equipment; ransomware crews target mid-market companies weekly; and cloud misconfigurations quietly erase data nobody notices until it's needed. Insurance is tightening — you can't claim cyber cover in 2026 without proving MFA, immutable backups and tested restores. DR isn't an IT project anymore. It's a governance obligation.
RTO, RPO and the honest maths
Pick your RTO and RPO per system, not for the whole business. Payroll and finance systems usually need tight numbers; the marketing team's file share can survive 24 hours down.
- RTO ≤ 1 hour, RPO ≤ 15 min. Trading, e-commerce, mission-critical apps. Requires warm/hot DR — real money.
- RTO ≤ 4 hours, RPO ≤ 1 hour. Typical SME finance/ERP/CRM. Cloud-based DR-as-a-Service fits well.
- RTO ≤ 24 hours, RPO ≤ 24 hours. General file shares, non-critical apps. Traditional daily backup is usually enough.
- RTO ≤ 72 hours. Archive, compliance data. Cold cloud storage is fine.
The 3-2-1 rule, updated for 2026
- 3 copies of your data — production + 2 backups.
- 2 different media types — e.g. cloud + local NAS.
- 1 copy off-site — different physical or cloud location.
- +1 immutable copy — cannot be modified or deleted even by admins during a defined retention window. This is the anti-ransomware layer.
- +1 tested — a copy that has been successfully restored in the last 90 days. Untested is unproven.
Modern industry shorthand: 3-2-1-1-0 — three copies, two media, one off-site, one immutable, zero errors on last restore test.
The 4 layers of a real DR plan
- Endpoint / user data. Laptops sync to OneDrive/SharePoint with retention + third-party backup. Never rely on the user to back up their own device.
- SaaS data. Microsoft 365, Google Workspace, HubSpot, Xero — every SaaS platform needs its own third-party backup with independent credentials. See our M365 backup guide.
- Server / VM workloads. Image-based backup (Veeam, Nakivo, Datto) with off-site replication to a cloud DR target. RTO measured in hours, not days.
- Runbook. The written, tested document — who calls whom, who has admin credentials in the offline vault, who talks to customers, who talks to the regulator (POPIA breach = 72 hours). No runbook = no DR.
Ransomware-proof design principles
- Immutability is non-negotiable. If your backup admin's credentials can delete backups, ransomware will too. Use S3 Object Lock, Wasabi immutable buckets, or Veeam hardened repository.
- Air-gap or logical isolation. Backup infrastructure must not sit on the production Active Directory. Separate identity plane. Different MFA. Different admins.
- Long enough retention. Ransomware dwell time averages 20+ days before detonation. Backups that only go 14 days back are already infected. Minimum 60 days rolling immutable copies.
- Detection tied in. Backups feed anomaly alerts — sudden 40% file-change rate is ransomware, not user behaviour.
- Insurance-ready evidence. Monthly restore-test reports, immutable-copy attestations, MFA on backup consoles — cyber-insurance renewals demand this now.
Testing that catches the lies
- Monthly file-level restore. Random file, random user, random day. Time it.
- Quarterly application restore. Bring up a full VM or M365 mailbox in an isolated environment. Log in. Prove it works.
- Annual full DR exercise. Simulated outage, follow the runbook, involve non-IT stakeholders. Debrief and update the plan.
- Chaos-day (advanced). Unannounced: an engineer breaks something at 09:30 on a Tuesday. See what actually happens vs. what the runbook says.
- Document every test — dates, results, defects, remediations. This is your insurance and audit evidence.
Frequently asked questions
What's the difference between backup and disaster recovery?
Backup is a copy of your data you can restore from. Disaster recovery (DR) is the whole plan to get the business running again — people, systems, processes, communications. Backup is one ingredient; DR is the recipe. A business with backups but no DR plan still loses days when something breaks.
What is RTO and RPO in plain English?
RTO (Recovery Time Objective) = how quickly you must be back up. RPO (Recovery Point Objective) = how much data you can afford to lose. If RTO is 4 hours and RPO is 1 hour, you must be running again within 4 hours with no more than 1 hour of lost work. Both drive cost — the tighter the numbers, the more you pay.
Is Microsoft 365 already backed up?
No. Microsoft retains deleted items and versions for a limited window (usually 30–93 days), but that's retention, not backup. It won't protect you from ransomware, malicious deletion, retention-policy misconfigurations or a departed employee's data being wiped after 30 days. Every serious SA business needs a third-party M365 backup.
What does a DR setup cost in SA?
Realistic monthly ranges: R60–R120/user for M365 backup, R2,500–R8,000/month for a cloud-based DR appliance for a small server estate, R15,000+ for full immutable, air-gapped backup with 4-hour RTO. Cheap DR is expensive DR when you need it.
How often should we test DR?
Full test at least annually; partial test (restore a random file, restore a mailbox, spin up a server in the DR site) quarterly. Untested backups fail — the industry average is around 30% of restores fail on first attempt. If you haven't tested it, you don't have it.
