Every business owner knows they should back up their data. Almost none of them have actually tested whether that backup works. And a surprising number discover the hard way — after a ransomware attack, a flooded office, or a failed hard drive — that their backup either wasn't running, wasn't complete, or couldn't be restored in time to save the business.

This article is the backup and disaster recovery guide we wish every Ghanaian business owner would read before something goes wrong — not after.

The Real Cost of Doing Nothing

Data loss is not a theoretical risk. It is a routine event that happens to businesses of every size, in every industry. The question is not whether your business will face a data loss event — it's whether you'll recover from it when it happens.

60%
of small businesses that suffer major data loss shut down within 6 months
94%
of companies that suffer catastrophic data loss do not survive longer than 2 years
30%
of businesses have never tested their backup or disaster recovery plan

The sources of data loss are more varied than most people expect. It's not just hackers. Hardware failure is the most common cause — hard drives fail, SSDs corrupt, and RAID arrays that "shouldn't" fail do. Human error is the second most common — accidental deletion, overwriting the wrong file, or formatting the wrong drive. Ransomware, power surges, fire, flooding, and theft round out the list.

"It's Backed Up to OneDrive" Is Not a Backup Plan

Sync services like OneDrive, Google Drive, and Dropbox are not backups. They are mirrors. If a ransomware attack encrypts your files, the encrypted versions sync immediately to the cloud and overwrite your clean copies. If someone deletes a folder, it disappears from every synced device. A real backup is separate, versioned, and tested.

Backup vs. Disaster Recovery: Not the Same Thing

These two terms are often used interchangeably, but they describe very different things — and confusing them leads to gaps in your protection.

Backup is the act of copying your data to a separate location so it can be restored if the original is lost or damaged. It answers the question: can we get our data back?

Disaster Recovery (DR) is the broader plan for restoring full business operations after a major disruption — not just the data, but the systems, infrastructure, processes, and people needed to use that data. It answers the question: how quickly can we get back to work?

A business can have excellent backups and still take three weeks to recover from a disaster if there's no DR plan — because restoring data is only one part of getting operations back online. You also need to restore or replace hardware, reconfigure software, reconnect staff, and notify customers. DR planning addresses all of it.

RTO and RPO: Two Numbers Every Business Must Know

Before you design any backup or DR system, you need to define two things specific to your business:

  • Recovery Time Objective (RTO): How long can your business operate without its IT systems before the damage is unacceptable? For a hospital, this might be zero — they need systems back immediately. For a small consultancy, it might be 48 hours. Your RTO tells you how fast your recovery must happen.
  • Recovery Point Objective (RPO): How much data can you afford to lose? If your RPO is 24 hours, you need backups that run at least daily — because in a worst-case scenario, you'll restore yesterday's data and lose everything since then. If your RPO is 1 hour, you need continuous or near-continuous backups.

Most Ghanaian SMEs haven't formally defined these numbers, which means they've also never built the backup infrastructure needed to meet them. A practical starting point for most businesses: RTO of 4–8 hours, RPO of 24 hours. This is achievable with standard backup tools and doesn't require expensive infrastructure.

Define RTO and RPO Per System

Not all systems are equal. Your accounting software and customer database likely have a much lower acceptable RTO than your archived marketing files. Define RTO and RPO separately for your critical systems so you can prioritise recovery effort correctly when the time comes.

The 3-2-1 Backup Rule

The 3-2-1 rule is the industry-standard framework for backup architecture. It's simple, proven, and eliminates most of the single points of failure that cause backup strategies to fail when they're needed most.

3 Copies of Data

Keep at least 3 copies of your data total — the original and two backups. One copy is not a backup. Two copies with one failure mode between them is still a single point of failure.

2 Different Media

Store copies on at least 2 different types of storage media — e.g. internal server and external hard drive, or local NAS and cloud storage. Different media have different failure modes.

1 Offsite Copy

Keep at least 1 copy offsite — physically away from your office. If fire, flooding, or theft destroys your premises, an offsite or cloud copy is the only thing standing between you and total loss.

A practical 3-2-1 implementation for a Ghanaian SME: daily backup to a local external drive or NAS (copy 2), plus automated cloud backup to Google Drive, OneDrive, or AWS S3 with versioning enabled (copy 3, offsite). The original data on your servers or workstations is copy 1.

The Specific Threats Ghanaian Businesses Face

Generic backup advice doesn't always account for local realities. Here are the data loss risks that are particularly relevant in the Ghanaian context:

  • Power surges and outages: Unstable power supply is one of the most common causes of hardware failure locally. Sudden power cuts can corrupt data mid-write, and voltage spikes can destroy hard drives and servers instantly. Every server and critical workstation should be on a quality UPS (Uninterruptible Power Supply) with surge protection.
  • Flooding: Many commercial areas in Accra and other cities face seasonal flooding. Ground-floor server rooms and storage areas are particularly vulnerable. An offsite cloud backup is non-negotiable if your physical infrastructure is in a flood-risk area.
  • Theft: Office break-ins do happen, and external backup drives are portable and valuable. A backup stored on a drive chained to the same desk as the server it's backing up solves nothing. Offsite or cloud backup is essential.
  • Ransomware via phishing: Ransomware attacks targeting Ghanaian businesses are increasing, typically delivered via phishing emails. Once deployed, ransomware encrypts every accessible file — including network-connected backup drives if they're always mounted. Backups should be disconnected or air-gapped when not actively running.
  • Single-person IT dependency: When the one person who set up the backup system leaves, the backup often stops working — quietly, with no alerts. Automated monitoring and alerts for backup failures are essential.

Building Your Backup Plan Step by Step

01

Identify and classify your critical data

List every type of data your business depends on — customer records, financial data, contracts, project files, email, software configurations. Rank them by how damaging their loss would be. This prioritisation drives every decision that follows.

02

Define your RTO and RPO

How long can you operate without IT? How much data can you afford to lose? Write these numbers down for your top three critical systems. They determine how frequently you must back up and how fast your recovery infrastructure must be.

03

Choose your backup tools

For local backup: a dedicated NAS device (Synology or QNAP are reliable choices) or a scheduled backup to an external drive that is physically disconnected after each backup run. For cloud backup: Veeam, Acronis, or built-in tools like Windows Server Backup combined with Azure Blob Storage or AWS S3. Ensure versioning is enabled so you can roll back to a point before an infection.

04

Set backup schedules and retention periods

Daily incremental backups with a weekly full backup is the standard approach for most SMEs. Retain daily backups for 30 days, weekly backups for 3 months, and monthly backups for at least 1 year. This gives you flexibility to recover from both recent errors and longer-running issues like slow-moving ransomware that wasn't detected immediately.

05

Configure alerts for backup failures

Your backup system must email or message someone when a backup fails, runs long, or produces warnings. Silent failures are the most dangerous — a backup that quietly stopped running six months ago gives you complete false confidence. Assign a named person to review backup alerts weekly.

06

Document your disaster recovery procedure

Write down exactly how you would restore operations after a total failure — step by step, in plain language, accessible to someone other than your IT person. This document should be stored somewhere that survives the disaster: printed and kept offsite, or in a cloud document accessible from a personal device. A DR plan that only exists in your IT manager's head is not a plan.

Why Testing Your Backup Is Non-Negotiable

A backup that has never been restored is just a hope. The only way to know your backup works is to restore from it — under controlled conditions, before you're under pressure.

Most businesses that think they have a solid backup discover real problems only when they test: files that weren't included in the backup scope, restore times that are far longer than the RTO they assumed, software that requires a licence key that no one recorded, or a backup that was running but writing to a full disk and silently failing for months.

At minimum, run a full test restore of your most critical system once every six months. Do it on a test machine or a separate environment — not your live system. Verify that the restored data is intact, up to date, and that the software running on it functions correctly.

The Ransomware Test

Specifically test whether your backup is protected from ransomware. Mount your backup drive or connect your cloud backup to a test machine and check whether the backup files themselves are accessible and unencrypted. If ransomware on your network could reach and encrypt your backup destination, your backup provides no ransomware protection — even if it protects against hardware failure.

Backup Health Checklist

Use this checklist to audit your current backup posture. If you can't tick every item, you have a gap worth addressing before it becomes a crisis.

// BACKUP::HEALTH_CHECK
  • All critical data is identified and included in the backup scope
  • Backups run automatically on a defined schedule — not manually
  • At least one copy of data is stored offsite or in the cloud
  • Cloud backup has versioning enabled with at least 30 days of history
  • Backup drive or destination is not permanently mounted (ransomware protection)
  • Backup failure alerts are configured and go to a named person
  • Backup logs are reviewed at least monthly
  • A full restore test has been completed in the last 6 months
  • RTO and RPO are defined for all critical systems
  • A written DR procedure exists and is accessible outside the main office
  • Servers and critical hardware are on a UPS with surge protection
  • More than one person knows how to initiate a restore
Not Sure Where You Stand?

GreyFixTech offers backup and disaster recovery assessments for Ghanaian businesses — we'll audit your current setup, identify gaps, and build a recovery plan matched to your actual RTO and RPO requirements. Get in touch for a free assessment →