Backup & Disaster Recovery
Image-based backups with off-site replication, immutable storage, application-aware snapshots, and quarterly tested recovery for NY/NJ businesses. The difference between a 4-hour outage and a 4-week extortion negotiation.
What's included
- Image-based local appliance backup with off-site cloud replication
- Immutable storage — attacker-resistant retention
- Application-aware snapshots — SQL Server, Exchange, Active Directory, Hyper-V, VMware
- Microsoft 365 and Google Workspace third-party backup (separate from the platform's native retention)
- Quarterly recovery testing with documented PDF results
- 1-hour RTO target for managed clients on standard tier
- 4-hour RPO standard; 15-minute RPO available for transactional workloads
- Documented recovery runbook with named contacts and decision authority
- Geographic separation — backups land in a different region than production
- Cyber-insurance-aligned retention and attestation
- Vendor flexibility — Datto, Veeam, Acronis, MSP360, AWS Backup, Azure Backup
“We have backups” is not a strategy
Most small businesses think they have backups until they need to restore. Then they discover the appliance has been failing for six weeks, the off-site replication never finished its last sync, the SQL database was backed up at the file level so it cannot actually recover, and the cloud retention policy quietly aged out the snapshot from before the ransomware landed. We architect, monitor, and test backup so that the day you need it is not the day you find out it has been broken.
The architecture we deploy
Local appliance for fast restore. Image-based backups land on a dedicated on-premises appliance — typically a Datto or Veeam-managed device — so the first hour of any recovery does not depend on cloud bandwidth. Single file restores happen in minutes. Full bare-metal restores happen in hours, not days.
Off-site replication to immutable cloud storage. Every snapshot replicates to a cloud target in a different geographic region. The cloud storage is immutable — the bytes cannot be deleted, encrypted, or modified for the retention period, even by someone with domain administrator credentials. This breaks the modern ransomware playbook where attackers compromise the backup infrastructure first to force the ransom payment.
Application-aware snapshots. For SQL Server, Exchange, Active Directory, Hyper-V, VMware, and other transaction-heavy systems, we use VSS or vendor APIs to take consistent snapshots. The database engine confirms the snapshot is recoverable before it’s committed. File-system-only backup is insufficient for these workloads — we test that distinction quarterly.
Microsoft 365 and Google Workspace third-party backup. Both platforms are explicit that they do not protect customers from user error, malicious deletion, or ransomware on synced files. We deploy independent backup (typically Datto SaaS Protection or AvePoint) covering mailboxes, OneDrive/Drive, SharePoint/Shared Drives, Teams chat history, and calendars. Retention is configurable to your compliance profile.
Geographic separation. The local appliance lives at your site. The cloud replication targets a different US region. A localized disaster (fire, flood, building loss) does not compromise the off-site copy.
Recovery-as-a-Service for higher tiers
For managed clients on the Sovereign tier or with documented business-continuity requirements, we add DRaaS — the ability to spin up your line-of-business applications in the cloud as a temporary DR environment while the office is being rebuilt or production is being recovered. Typical use case: a ransomware event that takes production down for a week. Instead of waiting for hardware replacement and clean rebuild, your team works against the cloud-hosted recovery copy while we cleanse and rebuild production in parallel.
RTO and RPO — designed, not assumed
We don’t pick a backup schedule arbitrarily. We start with two numbers from you: RTO (how long can you be down before the business hurts?) and RPO (how much data loss can you absorb?). Common patterns:
- Typical SMB office — 4-hour RTO, 4-hour RPO. Hourly local snapshots, 4-hour off-site replication.
- Transactional business (e-commerce, payment processing, contact center) — 1-hour RTO, 15-minute RPO. Continuous data protection, near-real-time replication.
- Regulated healthcare or finance — 4-hour RTO, 1-hour RPO, plus immutable retention aligned to HIPAA (6 years) or SOX (7 years).
The architecture and cost scale with the targets. We will not over-engineer if your business doesn’t need it; we will not under-protect just to keep the price simple.
Testing — the part most providers skip
Quarterly, we boot a recent backup in an isolated sandbox environment, recover the production server image, and verify that applications actually run and accept transactions. The documented PDF result lives in your client folder and is available to your auditor or cyber-insurance carrier at renewal time. Untested backups do not count.
Cyber-insurance alignment
Every 2026 cyber-insurance renewal questionnaire we have seen asks the same five backup questions: image-based local + cloud, immutable storage, application-aware for databases, quarterly tested with documented results, written incident-response runbook. Our standard backup deployment satisfies all five and we provide attestation letters for the underwriter at renewal.
Pair with the rest of the stack
For full ransomware resilience, backup is one of five layers — pair it with cybersecurity (EDR + SOC + MFA), cloud (M365 hardening), and managed IT for ongoing monitoring and patch management. See co-managed IT if you have an in-house IT person and want Sage as the backup-and-DR specialist behind them.
Project-priced based on environment complexity — number of servers, retention requirements, RTO/RPO targets, and DRaaS scope. Request a backup audit and we will assess your existing setup against the 2026 standard before quoting.
Backup & Disaster Recovery — questions we get
What is the 3-2-1 backup rule and do you follow it?
Three copies of your data, on two different media, with one copy off-site. We exceed the 3-2-1 standard with a modern variant: three copies, two media, one off-site, one offline (immutable), and one tested. The extra "tested" requirement is the part most providers skip — and the part that matters most when ransomware lands.
What are RTO and RPO and what targets should we aim for?
RTO (recovery time objective) is how long you can be down before the business hurts. RPO (recovery point objective) is how much data loss you can absorb. A typical SMB target is 4-hour RTO and 4-hour RPO. Transactional businesses (e-commerce, payment processing, contact center) need 1-hour RTO and 15-minute RPO. We design backup architecture to meet your specific RTO/RPO before we configure the first snapshot.
How often is data backed up?
Standard schedule is hourly snapshots local with off-site replication every 4 hours. More aggressive schedules (15-minute snapshots, continuous data protection) are available for transactional databases and clients who need them. We size the schedule to your RPO and the cost of cloud storage.
How is recovery actually tested?
Quarterly, we boot a recent backup in an isolated sandbox environment and verify the system actually restores and runs. We test application functionality, not just file recovery — a SQL backup that "restores" but cannot accept transactions is useless. Documented results are delivered as a PDF, and we maintain a recovery log so your auditor or cyber-insurance carrier can see the test cadence. Untested backups do not exist.
What is immutable backup and why does it matter for ransomware?
Immutable storage means the backup data cannot be deleted, encrypted, or modified — even by a domain administrator credential — for a defined retention period. Most ransomware operators in 2026 specifically target backup infrastructure before encrypting production, because they know unrecoverable backup forces the ransom payment. Immutable storage breaks that playbook. We deploy it on every managed-IT backup deployment.
Do we need backup for Microsoft 365 and Google Workspace?
Yes. Both platforms protect against their own infrastructure failures but do not protect you from user error, malicious deletion, ransomware on synced files, or retention-policy gaps. Microsoft and Google both explicitly recommend third-party backup. Standard scope: mailboxes, OneDrive/Drive, SharePoint/Shared Drives, Teams chat, calendars. Retention typically 365 days minimum, 7 years for regulated industries.
What is application-aware backup and why does it matter?
For databases (SQL Server, Exchange, Oracle), file-system-level backup captures the data files but not necessarily in a consistent state. Application-aware backup uses VSS or vendor APIs to flush transactions to disk, take a quiesced snapshot, and verify the database engine considers the backup recoverable. Without it, your "backup" may not restore. We deploy application-aware snapshots on every SQL, Exchange, and AD environment.
How long should we retain backups?
Operational retention (for accidental deletion, ransomware) is typically 90-365 days at hourly granularity tapering to monthly. Compliance retention varies: HIPAA expects 6 years, PCI-DSS 1 year for audit logs, SOX 7 years, NY SHIELD Act has no explicit retention but expects "reasonable" controls. We design retention to your regulatory profile plus the operational margin you want.
What happens if our entire office is destroyed by fire or flood?
Geographic separation matters. Off-site backup replication to a different region (typically AWS or Azure in a different US region) means a localized disaster does not compromise your recovery data. We can spin up your line-of-business applications in the cloud as a temporary DR environment while the office is rebuilt — DRaaS is part of our higher-tier backup plans.
Will backup help us pass a cyber-insurance audit?
Yes. Every cyber-insurance carrier we have seen in 2026 requires: documented backup, off-site retention, immutable storage, regular restore testing, and a written incident response plan. Our standard backup deployment plus the quarterly test logs satisfies all five. We provide attestation letters for renewal questionnaires.
Backup & Disaster Recovery — recent case studies
- Healthcare
Healthcare Practice Scales 12 → 47 Endpoints with HIPAA-Aware IT
A growing NJ healthcare practice migrated to Microsoft 365, segmented its network, and tripled its endpoint count without IT growing pains or compliance gaps.
Read more about Healthcare Practice Scales 12 → 47 Endpoints with HIPAA-Aware IT - Restaurants
12-Location Restaurant Group Recovers from Ransomware in 11 Days
A multi-location restaurant group switched MSPs after a ransomware near-miss. We rebuilt their security stack, network, and POS infrastructure across 12 sites in under two weeks.
Read more about 12-Location Restaurant Group Recovers from Ransomware in 11 Days
Other services we deliver
AI Optimization & Workforce Automation
Workflow automation (n8n, Make.com), RAG, custom AI agents, and AI workforce planning — built and deployed, not just pitched.
Read more about AI Optimization & Workforce AutomationManaged IT Services
Helpdesk, monitoring, patching, and vendor management under one flat monthly bill.
Read more about Managed IT ServicesvCIO & vCISO
Fractional IT and security leadership: roadmaps, budgets, QBRs, risk assessments, and compliance strategy.
Read more about vCIO & vCISO
Ready for IT that does not surprise you?
A 30-minute call. No slide deck. We will tell you what looks healthy, what looks risky, and what we would do first.