Backup and Disaster Recovery for California Small Business

Most small business backups are not actually backups. They are hopes. The drive plugged into the receptionist's machine that nobody has confirmed is connected since the office moved. The cloud sync that quietly hit a quota in March. The agent that stopped reporting on a file server six months ago. The "yes we have backups" that has never been restored. Ghosxt builds the kind of backup and disaster recovery program a DoD-cleared engineer would actually trust with their data. Sized and priced for small business. On-site across Monterey County and California, remote across the United States.

Rated 5.0 across 24 Google reviews — trusted by 30+ businesses from Silicon Valley to the Salinas Valley and beyond.

Transparent managed IT pricing is published upfront, so you know the range before booking.

Why most small business backups are not backups

The conversation we have with new clients goes the same way every time. "Yes, we have backups." Great. When was the last time someone actually restored from one? Silence. The reason that silence happens is that backups are an insurance policy nobody wants to actually file a claim against until they have to. By then, the policy has lapsed and nobody knew.

Half the small business backup setups we open up are quietly broken. Agents stopped running. Cloud syncs hit quota. External drives never got plugged back in. Even the working ones often share credentials with the production network, which means a ransomware crew with domain admin rights can encrypt them along with everything else. A backup that lives on the same network and shares the same credentials as the data it is supposed to protect is not a backup. It is a second copy of the problem.

The 3-2-1 rule, plus immutability

The classic 3-2-1 rule says you should keep three copies of your data, on two different media, with one copy off-site. That rule was written before ransomware. In 2026, you also need immutability — at least one copy that cannot be deleted, modified, or encrypted, even by someone with valid administrator credentials, until the retention window expires.

That is the only kind of backup that survives a real ransomware attack. The first thing a competent attacker does after gaining domain admin is hunt down the backup server and the cloud backup admin account and wipe everything they can reach. Immutable storage breaks that step. The retention lock is enforced by the storage platform itself, not by your AD.

What we deploy:

Veeam Data Platform

Image-based backups for Hyper-V, VMware, and physical Windows and Linux servers. Veeam Hardened Repository or object-lock cloud storage as the immutable target. Granular restore down to a single file, mailbox item, or SQL row.

Datto SIRIS / Alto

Where on-site appliance plus cloud replication makes sense — usually clients with critical local servers and bandwidth that does not support cloud-only DR. Inverted-chain technology, instant local virtualization, and fast off-site recovery.

Microsoft 365 & Google Workspace Backup

Microsoft does not back up Microsoft 365. Their retention is a recycle bin, not a backup. We protect Exchange Online, SharePoint, OneDrive, and Teams to an immutable cloud target with point-in-time recovery. Same for Google Workspace clients.

Endpoint Backup

For workstations holding data that lives nowhere else — designers, engineers, attorneys, accountants — we add endpoint-level backup so a stolen laptop does not become a data-loss event.

Immutable Cloud Object Storage

S3-compatible object lock on Wasabi, Backblaze B2, or Azure Blob storage as the air-gapped target. Production network credentials cannot reach it. Retention windows enforced at the storage layer.

Database-Aware Backup

SQL Server, PostgreSQL, MySQL, and line-of-business app databases backed up correctly — transaction-log aware, application-consistent, restorable point-in-time, not just file-level snapshots that can leave you with a corrupted database.

RTO and RPO in plain English

Two numbers govern every disaster recovery plan worth the name. RTO is your Recovery Time Objective — how long it takes to be operational again after a failure. RPO is your Recovery Point Objective — how much data you can afford to lose, measured as a window of time before the failure.

We set both with you against the actual revenue cost of downtime, not a generic best-practice number. A Salinas cooler in the middle of harvest cannot be down for a day; the RTO is hours and we engineer for it. A CPA firm in February cannot lose two days of client work; the RPO is fifteen minutes. A Monterey clinic on a normal Tuesday can stand down for a few hours if it has to, but cannot lose patient records for any window. A San Jose SaaS company has to consider customer SLAs in addition to internal cost. Each of those gets a different stack. Same discipline, different numbers.
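An added example, not Ghosxt tooling or code from this page: a small audit of a backup inventory against the 3-2-1 rule plus immutability and against the RPO discussed above. The field names, the 31-day restore-test window (standing in for monthly tested restores), the reading that the backups themselves must span two media types, and both inventories are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class BackupCopy:
    name: str
    media: str                  # "disk", "object-storage", ...
    offsite: bool
    immutable: bool             # retention lock enforced by the storage platform
    shares_prod_creds: bool     # reachable with production/domain credentials
    last_success: datetime
    last_restore_test: Optional[datetime]

def audit(copies, rpo, now, test_max_age=timedelta(days=31)):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(copies) + 1 < 3:     # production data is counted as copy one
        findings.append("3-2-1: fewer than three copies")
    if len({c.media for c in copies}) < 2:   # assumption: backups span two media
        findings.append("3-2-1: fewer than two media types")
    if not any(c.offsite for c in copies):
        findings.append("3-2-1: no off-site copy")
    # Only copies that are locked AND out of reach of production credentials
    # are assumed to survive an attacker holding domain admin.
    survivors = [c for c in copies if c.immutable and not c.shares_prod_creds]
    if not survivors:
        findings.append("immutability: no isolated immutable copy")
    elif now - max(c.last_success for c in survivors) > rpo:
        findings.append("RPO: newest immutable copy is older than the RPO")
    for c in copies:
        if now - c.last_success > rpo:
            findings.append(f"stale: {c.name} last succeeded {c.last_success:%Y-%m-%d}")
        if c.last_restore_test is None or now - c.last_restore_test > test_max_age:
            findings.append(f"untested: {c.name} has no restore test in the window")
    return findings

# Constructed inventories: the "hopes" setup versus an isolated, tested one.
NOW = datetime(2026, 6, 1, 12, 0)
HOPES = [
    BackupCopy("usb-drive", "disk", False, False, True, NOW - timedelta(days=200), None),
    BackupCopy("cloud-sync", "object-storage", True, False, True, NOW - timedelta(days=75), None),
]
SOUND = [
    BackupCopy("local-repo", "disk", False, False, False, NOW - timedelta(minutes=10), NOW - timedelta(days=12)),
    BackupCopy("object-lock", "object-storage", True, True, False, NOW - timedelta(minutes=12), NOW - timedelta(days=12)),
]

if __name__ == "__main__":
    for label, inv in (("hopes", HOPES), ("sound", SOUND)):
        print(label, audit(inv, rpo=timedelta(minutes=15), now=NOW))
```

The first inventory passes the plain 3-2-1 counts yet still fails on immutability, staleness and restore testing, which is the gap the section describes.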

Free backup and DR assessment

30 minutes. We look at your current backup configuration, attempt a real restore, check your retention, and write up where the gaps are. No sales script. You walk away with a written report whether or not you become a client.


Ransomware recovery: day one to day thirty

If you are reading this with a ransom note on your screen, the order of operations is what determines whether you pay or not. We have walked clients through the day-one-through-thirty timeline more than once. The plain-talk version of that timeline is in our blog post on how ransomware actually gets in. The short version on the recovery side:

  • Hour 1. Disconnect, do not power off. Pull network cables, disable Wi-Fi, preserve memory state.
  • Hour 1–6. Engage your cyber insurance carrier and incident response. Engage us if you have not already. Preserve evidence.
  • Day 1–3. Identify the entry point and the persistence the attacker established. Confirm the immutable backup is intact and the last known-good restore point.
  • Day 3–10. Rebuild domain controllers, file servers, and endpoints from clean media. Restore application servers from the last clean snapshot. Re-establish identity from scratch with new credentials and re-enrolled MFA.
  • Day 10–30. Bring users back online in waves. Monitor heavily. Replace the controls that failed. Rotate every credential and key the attacker may have touched.

The clients with immutable backups recover. The ones without them often pay. We build your environment so you are in the first group.

Who this is for, and the seasonal angle

Backup and DR matter for every business, but the consequences scale very differently. Agriculture, food processing, and cold-storage operations in Salinas, Watsonville, and Hollister cannot afford to lose a harvest week — when product is on the dock, downtime measured in hours becomes downtime measured in spoiled inventory. Healthcare, dental, and clinical practices in Monterey, Carmel, and Pacific Grove have HIPAA exposure on top of operational exposure. Legal firms and CPAs in Santa Cruz, San Jose, and Gilroy have client trust and bar exposure. Distribution and 3PLs face C-TPAT obligations on top of business continuity. We engineer the program for the consequence, not for a brochure.

Outside our drive radius, we deliver the same backup and DR program fully remotely to clients across the United States. The cloud-anchored architecture works the same way regardless of which time zone the office sits in.

What our BCDR service includes

  • Veeam or Datto deployment, configured for image-level and application-aware backup
  • Immutable cloud target with object lock, isolated from production credentials
  • Microsoft 365 backup covering Exchange Online, SharePoint, OneDrive, and Teams
  • Monthly tested restores of at least one workload, with written reports
  • Documented recovery runbooks tailored to your environment
  • Annual disaster recovery tabletop exercise with your team
  • RTO and RPO commitments tied to actual workload classes
  • Backup status reporting included in your monthly metrics

BCDR is included in every managed IT plan. Standalone BCDR engagements are available, priced per scope. See full pricing.

FAQs about backup and disaster recovery

What does immutable backup actually mean?

Immutable backup data cannot be deleted, modified, or encrypted by anyone — including your domain administrator and including someone with stolen credentials — until the retention window expires. The lock is enforced at the storage layer, so even a compromised backup admin account cannot wipe the recovery point.

What are RTO and RPO and what should mine be?

RTO is how long it takes to be operational again after a failure. RPO is how much data you can afford to lose, measured in time. We set both with you against the actual revenue cost of downtime — a Salinas cooler at harvest is hours, a CPA firm in February is days, a clinic on a normal Tuesday is something in between.

How often do you actually test restores?

Monthly. We restore at least one workload per client to a sandbox each month and verify it boots, the application loads, and the data is intact. You receive a written restore-test report. A backup that has not been restored is hope, not a backup.

Can you recover us from a ransomware attack without paying?

If our immutable backups are in place, yes. The point of immutable cloud-isolated backups is that the attacker cannot reach them with stolen domain admin credentials. We rebuild your endpoints and servers from clean media, restore data from the last known-good immutable snapshot, and bring you back online without funding the attack.

Do you back up Microsoft 365?

Yes. Microsoft does not. Their retention is not a backup. We deploy a third-party M365 backup that protects Exchange Online mailboxes, SharePoint, OneDrive, and Teams to an immutable cloud target with point-in-time recovery.

Get a real backup, not just a hope

Book a 30-minute free assessment, or send us a note. We will tell you straight whether what you have today actually works.
