Having a backup and actually being able to restore a shop are two different things. 95 percent (Unitrends, 2025) of organizations run backup systems, but fewer than 30 percent (Unitrends, 2025) test them comprehensively. This gap becomes visible in an emergency: 60 percent (Unitrends, 2025) of organizations believe they can recover within hours, yet only 35 percent (Unitrends, 2025) actually do. Disaster recovery answers how an online shop comes back online predictably, quickly and completely after an outage -- with clearly defined targets instead of hope. This guide shows how a tested DR plan goes beyond plain backup strategies.
A Backup Is Not the Same as a Restore
Many shop operators equate a backup with safety. But a backup is just a data state on storage media -- whether it turns into a working shop is decided only during the restore. In practice, restores fail for reasons that testing would have revealed: silent corruption of backup files, missing database dumps, incompatible software versions or incomplete configurations. Only 15 percent (Unitrends, 2025) of companies test their backups daily, and 25 percent (Unitrends, 2025) test recovery once a year or less.
Disaster recovery looks at the whole path from outage back to normal operation: which components must be restored in which order? How long does it take? Which data state is available? Who carries out the steps? A DR plan documents these answers and makes them verifiable. Plain backups answer none of these questions -- they only provide the raw material for the actual restore.
The Silent Risk of Untested Backups
RTO and RPO: The Two Metrics of Every Restore
A DR plan without measurable targets stays non-binding. Two metrics give it structure: RTO (Recovery Time Objective) describes how quickly the shop must be available again after an outage. RPO (Recovery Point Objective) describes how much data loss is acceptable -- how old the most recent available data state may be at most. An RPO of one hour means that, in the worst case, the data of the last 60 minutes is lost. An RTO of four hours means the shop is back online at most four hours after the outage.
Both values have direct business meaning. The RTO determines the maximum downtime and thus the revenue loss -- the average cost of unplanned outages is put at roughly 5,600 US dollars per minute (Gartner) in current studies, though this value varies strongly by industry and company size. The RPO determines how many orders, customer accounts or content changes must be re-entered manually in an emergency. The lower both values, the higher the technical and financial effort -- the art lies in an economically sensible balance.
| Protection tier | Typical RPO | Typical RTO | Mechanism |
|---|---|---|---|
| Daily backup only | up to 24 hours | hours to days | manual restore from one backup |
| DR plan with snapshots | approx. 1 hour | a few hours | frequent snapshots, documented procedure, offsite copy |
| Replication / standby | minutes | minutes to 1 hour | continuous replication to a standby system |
The right tier depends on the business model. A shop with few orders per day can live with an RPO of 24 hours, while a high-revenue shop with hundreds of transactions per hour needs an RPO in the range of minutes. This classification is the foundation of every DR plan and should be set together with the technical reality of the hosting environment. It determines how much technical effort is required and which residual risk is consciously accepted.
Why So Many Shops Are Unprepared
The preparedness figures are sobering: 57 percent (Dark Reading) of small businesses with 5 to 99 employees have no disaster recovery plan, and for midsize firms it is still 47 percent (Dark Reading). Overall, only about 54 percent (LLCBuddy, 2025) of organizations have an established DR plan. At the same time, a large gap exists between self-assessment and reality: 94 percent (U.S. Chamber of Commerce Foundation) of small businesses consider themselves prepared, but only 26 percent (U.S. Chamber of Commerce Foundation) actually have a plan.
The consequences of this gap are severe. 34 percent (Infrascale, 2025) of affected small and midsize businesses needed six months or more to recover, some over a year. Even more dramatic: 93 percent (Invenio IT) of organizations with prolonged data loss of ten days or more file for bankruptcy within the following year. Data loss is therefore not a pure IT problem but an existential business risk.
Preparation Beats Improvisation
The Typical Outage Scenarios
A DR plan must cover different types of outage, because each requires a different restore path. Ransomware encrypts data and often targets the backups in parallel -- the average downtime after a ransomware attack is 24.6 days (Statista). Hardware failures on the server, faulty updates, databases deleted by operator error, hosting provider outages and systems compromised after a breach are also realistic scenarios.
Ransomware
Encrypted production data and potentially online backups too. Requires clean, isolated backups and a clean-restore path.
Hardware Failure
Defective storage media or server failure. Requires offsite copies and a documented rebuild of the environment.
Faulty Update
An update makes the shop unusable. Requires a fast rollback and a verified data state from before the update.
Operator Error
Accidentally deleted data or configurations. Requires granular restore of individual components.
Provider Outage
Data center or hosting unreachable. Requires a location-independent copy and an alternative restart location.
Compromise
Breached system with possible backdoors. Requires forensics and recovery from a state before the breach.
For the compromise scenario, the DR plan and the security incident interlock. How cleanup and a clean restart after a breach work is described in detail in the emergency plan for a hacked website. The key point: recovery must come from a state before the compromise, since later backups may already contain malicious code.
Building a Reliable DR Plan
A DR plan is more than a backup configuration. It is a documented, tested procedure that can be followed in an emergency without improvisation. Creation starts with an inventory: which systems are business-critical? Which data must be protected? Which dependencies exist between components? From this analysis, RTO and RPO are derived per system.
- Capture and prioritize business-critical systems and data classes
- Define RTO and RPO per system -- aligned with the business model
- Set up a multi-tier backup chain: local backup, snapshot, location-independent offsite copy
- Document the restore order (database, files, configuration, DNS, certificates)
- Store credentials, contacts and provider details centrally and securely
- Plan restore tests and run them at fixed intervals
- Update the plan after every test and every major change
The multi-tier backup chain is the heart of it. A proven orientation is the 3-2-1 rule: three copies of the data, on two different media types, one of them at another location. For ransomware resilience, an additional immutable copy is increasingly recommended -- one that even compromised administrator accounts cannot delete. This separation is decisive because attackers deliberately encrypt reachable backups.
Document the Restore Order
Tested Recovery: The Decisive Step
The restore test is what distinguishes a DR plan from a backup configuration. In the test, recovery is actually performed in an isolated environment -- ideally in a dedicated staging environment that mirrors the production system. The test reveals what was overlooked in theory: missing permissions, forgotten configuration files, incompatible PHP or database versions, expired certificates or incomplete backups.
A complete restore test also measures the actual RTO: how long does recovery really take? If the measured value exceeds the defined target, either the process must be optimized or the target adjusted realistically. This measurement turns an assumption into a reliable commitment. Recovery speed is improving measurably: 53 percent (Varonis, 2025) of organizations recovered from a ransomware incident within a week in 2025, up from 35 percent (Varonis, 2025) the previous year -- progress that is hard to achieve without tested plans.
- Actually perform recovery in an isolated environment -- not just check the backup
- Compare measured RTO against the target
- Spot-check data integrity after the restore (orders, customer accounts, content)
- Verify functionality: checkout, payment, search, login
- Log and fix deviations and obstacles
- Update plan and documentation based on the findings
A backup that has not been restored is not a backup but a hope. Only a successful restore test turns data into a reliable recovery capability.
Lowering RPO: More Frequent and Cleaner Backups
A low RPO comes from frequent backups. A daily full backup means an RPO of up to 24 hours -- for an active shop that can mean hundreds of lost orders. Incremental backups several times a day, continuous database replication or transaction-based logs lower the RPO drastically. For the database, combining a regular full dump with a continuous transaction log is a proven way to keep the data state almost gaplessly reconstructable.
What matters is the cleanliness of the backups. A consistent database dump requires that no inconsistent intermediate state is frozen during the backup -- with running transactions that is a technical challenge. File backups must cover configuration as well as media and code. Regular database maintenance and optimization ensures that the data to be backed up stays healthy and that the restore succeeds reliably.
Lowering RTO: Faster Restart
A low RTO comes from automation and preparation. The more steps are documented, scripted or kept on standby in advance, the shorter the downtime. A prepared standby system (warm or hot standby) can lower the RTO from hours to minutes, but is more elaborate and costly. For many shops, a well-documented and practiced manual restore process with a clear order is the pragmatic middle ground.
Documented Procedures
Every recovery step is written down and proven in a test. No searching for the how in an emergency.
Scripted Steps
Recurring steps are automated. This reduces errors and speeds up the restart considerably.
Standby System
A kept standby system takes over in an emergency. The highest tier for critical, high-revenue shops.
Professional monitoring reduces the detection time of an outage to minutes and is therefore the prerequisite for a short RTO -- because downtime begins with the outage, not with its discovery. The earlier a problem is detected, the earlier recovery starts.
For the RTO, it is worth looking at the individual recovery phases in detail. The measured total time typically consists of detection, decision, data transfer, rebuild and verification. In many cases the actual restore is not the bottleneck but the upstream clarification -- who decides which backup is used, and who has access to the necessary systems. Clarifying these organizational steps in advance and including them in the plan often gains more time in an emergency than any technical optimization. A realistic DR plan therefore calculates the RTO as the sum of all phases, not just the pure data copy time.
The restart location must also be considered. If only one component fails, recovery on the existing infrastructure is enough. But if the entire location or hosting provider fails, the shop must be brought back up in an alternative environment -- with all dependencies from DNS to payment integration. This case should be described separately in the DR plan and rehearsed at least once, as it involves considerably more steps than a simple restore in the same place. The location-independent offsite copy is the technical prerequisite here, the documented restart procedure the organizational one.
GDPR: Recoverability Is Mandatory
Disaster recovery is not only sensible from a business perspective but, for shops with personal data, also legally required. Article 32 GDPR explicitly demands the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident (GDPR Art. 32). The regulation also requires a procedure for regularly testing, assessing and evaluating the effectiveness of these measures -- which effectively makes restore tests a legal expectation.
GDPR names confidentiality, integrity, availability and resilience of systems as protection goals (GDPR Art. 32). Resilience means systems can survive an incident and recover -- exactly what a DR plan describes. Anyone who keeps backups but does not test them meets the requirement of quick recoverability only on paper. How retention and protection periods can be designed in a legally sound way is covered in the article on GDPR-compliant data backup.
What a DR Plan Delivers in a Maintenance Contract
Disaster recovery is not a one-time setup but an ongoing process. Backup chains must be monitored, restore tests run regularly and the plan adapted to every major change of the shop. In a maintenance contract, this process becomes a predictable routine: defined RTO and RPO targets, monitored backups, documented recovery procedures and restore tests at fixed intervals.
The benefit lies in reliability. Instead of improvising in an emergency, a well-practiced team follows a rehearsed procedure. The investment in a DR plan is a fraction of the potential damage -- given average outage costs of around 356,000 US dollars per day (Varonis, 2025) for larger incidents, preparation pays off quickly. How a maintenance contract is structured in detail is described in the article on what a maintenance contract should include.
From Backup to Reliable Recovery
Sources and Studies