Prepare for the Worst Day So the Baseline Holds
Your server dies at 2pm on a Tuesday. Ransomware encrypts every shared drive in your office. The one person who knows how the billing system works hands in their resignation.
You have no business continuity plan for your small business. No documented recovery steps. No tested backups. No written record of who has access to what.
So you scramble. You call your IT provider in a panic, lose a day, maybe a week. Revenue stops. Staff sit around with nothing to do and clients start asking questions you cannot answer.
This post is about setting up your technology so that day, the one you hope never comes, still has a floor under it: a functional baseline where the business keeps running, even if roughly. That comes not from predicting the exact disaster, but from planning for the possibility of one.
Every Small Business Is One Bad Day Away from Chaos
Here is what we see at SixFive, over and over again. A business owner runs a team of 10 to 30 people. They have a file server, a few cloud apps, maybe a line-of-business application that handles operations. Things work fine. Nobody thinks about what happens when they stop.
Then something breaks.
The most common scenarios are mundane, and they cause weeks of pain:
- A staff member clicks a phishing link. Ransomware locks every file on the network. The “backups” turn out to be a USB drive sitting in a drawer, unplugged for six months.
- The office floods over a long weekend. The on-premise server on the storeroom floor is destroyed. Insurance covers the hardware, eventually. It does not cover three weeks of downtime while you rebuild from scratch.
- Your bookkeeper or office manager resigns. They were the only person who knew the password to the accounting system, the payroll process, and which supplier portals need manual logins each month. None of it was written down.
- A Windows update goes wrong on a Friday afternoon. Your line-of-business app refuses to launch. Nobody knows the vendor’s support number or what version you are running.
We deal with at least one of these every month. Real phone calls from real business owners who assumed it would not happen to them.
The businesses that recover quickly had a plan, or at least the building blocks of one, before the disaster arrived. The ones that did not? They lose days. Sometimes weeks. Sometimes clients.
Stop Thinking About Disasters and Start Thinking About Baselines
Most advice on business continuity planning was written for corporations with risk departments and six-figure budgets. Risk matrices. Impact assessments. 40-page plans that sit in a drawer.
That is not useful for a 15-person business in Sydney or Brisbane.
Stop trying to predict every disaster. You cannot. Build your technology so that the worst day still has a functional baseline instead.
A baseline means that on the worst day you can still do these things:
- Access your files
- Communicate with your team
- Communicate with your clients
- Process transactions or deliver your core service
- Know who has access to what
That is it. You are not trying to run at full speed. You are keeping the wheels on.
When you build your small business continuity plan around baselines, the work gets concrete. You stop worrying about whether it will be a flood or a hack or a resignation. You ask one question: “Can we still function if this system goes down?” And for every system in your business, that question has a practical answer.
Five Things That Make the Worst Day Survivable
1. Backups That Actually Work
We audit dozens of small businesses each year. Roughly half of them have backups that either do not run, do not include everything, or have never been tested.
A real backup strategy has three parts:
- Automated daily backups of all critical data, including cloud platforms like Microsoft 365. Yes, you need to back up Microsoft 365 separately. Microsoft does not do it for you.
- Off-site or cloud storage so that a physical event at your office does not destroy your backups along with everything else.
- Quarterly restore tests. Pick a random file or folder, restore it from backup, and confirm it opens. If you have never tested a restore, you do not have a backup. You have a wish.
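A restore test can be scripted so it is repeatable each quarter. The sketch below is an added example, not SixFive's tooling: it samples random files from the live share and compares each one by SHA-256 against a copy restored to a scratch folder. The folder layout and file names are constructed for the demonstration.

```python
import hashlib
import random
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash in 1 MiB chunks so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def restore_test(live_root, restored_root, sample_size, seed=None):
    """Compare a random sample of live files with their restored copies."""
    files = sorted(p for p in Path(live_root).rglob("*") if p.is_file())
    sample = random.Random(seed).sample(files, min(sample_size, len(files)))
    report = {"ok": [], "missing": [], "mismatch": []}
    for live in sample:
        rel = live.relative_to(live_root)
        restored = Path(restored_root) / rel
        if not restored.is_file():
            report["missing"].append(rel.as_posix())      # never backed up
        elif sha256_of(live) != sha256_of(restored):
            report["mismatch"].append(rel.as_posix())     # empty, corrupt or stale
        else:
            report["ok"].append(rel.as_posix())
    return report


def demo():
    """Constructed sample: three live files; the restore has a gap and a bad copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for root in (live, restored):
            (root / "finance").mkdir(parents=True)
        (live / "finance" / "invoices.csv").write_text("id,total\n1,100\n")
        (live / "finance" / "payroll.csv").write_text("name,amount\nA,10\n")
        (live / "clients.txt").write_text("Client A\nClient B\n")
        (restored / "finance" / "invoices.csv").write_text("id,total\n1,100\n")
        (restored / "finance" / "payroll.csv").write_text("")  # restored but empty
        # clients.txt is deliberately absent from the restore
        return restore_test(live, restored, sample_size=3, seed=1)


if __name__ == "__main__":
    print(demo())
```

A file edited since the last backup ran will also show as a mismatch, so check the modification date before treating it as corruption. A matching hash proves the bytes came back; opening the file is still the final check.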
2. Documented Access and Credentials
Every business should have a secure, centralised record of:
- Who has admin access to each system
- Login credentials for business-critical platforms (stored in a proper password manager, not a spreadsheet)
- Vendor support contacts for each major application
- Licence and subscription details for each tool
This is what saves you when a key staff member resigns. If your bookkeeper is the only person who knows the password to Xero, you have a single point of failure that has nothing to do with technology.
A password manager like 1Password or Bitwarden costs a few dollars per user per month and takes a day to set up properly. Once it is running, you never have to worry about a resignation taking critical knowledge out the door.
3. Redundancy for Communication
If your email goes down, can your team still talk to each other? Can you still reach clients?
Most small businesses run on Microsoft 365 or Google Workspace. Both are reliable, but both can go down. We have had clients unable to send or receive email for half a day during Microsoft 365 outages, with no backup plan and no way to tell clients what was going on.
Your disaster recovery plan should include a backup communication channel. A WhatsApp or Signal group for the leadership team works. The agreement is simple: if email is down for more than 30 minutes, switch to that channel.
For client communication, make sure at least two people in the business have direct phone numbers for your top 10 clients. Do not rely on email alone.
4. A Written Recovery Runbook
A runbook answers one question: “If everything breaks, what do we do first?” One to three pages is all it takes.
It should include:
- Who to call (your IT provider, your internet provider, your key software vendors)
- What to check first (internet, server, cloud services, phones)
- Who makes decisions (if the business owner is unreachable, who has authority to approve spending or contact vendors?)
- Where the backups are and how to start a restore
- A priority list of systems to bring back online in order. Email and phones before your project management tool. Accounting before your CRM.
Print two copies. Keep one in the office and one at the business owner’s home. Save a digital copy somewhere that does not depend on your primary systems: a personal Google Drive or Dropbox account.
5. Access Controls That Limit the Blast Radius
When a single user account gets compromised, how far can the attacker reach? If every staff member has admin access to every system, the answer is: everywhere.
Proper access controls mean:
- Staff get access only to the systems and data they need for their role
- Admin accounts are separate from daily-use accounts
- Multi-factor authentication (MFA) is on for every cloud platform
- When someone leaves, their access is revoked the same day
This will not prevent every breach. But the difference between “one user’s files were encrypted” and “the entire company’s files were encrypted” often comes down to whether access controls were in place.
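The four rules above can be checked mechanically against an account inventory. This is an added example, not part of the original post: the role names, system names and field names are constructed for illustration and do not match the export format of any real platform.

```python
from datetime import date

# Constructed data: role names, systems and field names are assumptions for
# this example, not the export format of any real platform.
ROLE_NEEDS = {
    "bookkeeper": {"accounting", "files-finance"},
    "sales": {"crm", "files-sales"},
    "it-admin": {"m365-admin", "file-server-admin"},
}
ACCOUNTS = [
    {"user": "dana", "role": "bookkeeper", "systems": {"accounting", "files-finance"},
     "admin": False, "daily_use": True, "mfa": True, "enabled": True, "left_on": None},
    {"user": "eli", "role": "sales", "systems": {"crm", "files-sales", "accounting"},
     "admin": True, "daily_use": True, "mfa": False, "enabled": True, "left_on": None},
    {"user": "fay", "role": "sales", "systems": {"crm"},
     "admin": False, "daily_use": True, "mfa": True, "enabled": True,
     "left_on": date(2024, 5, 3)},
    {"user": "adm-gus", "role": "it-admin", "systems": {"m365-admin"},
     "admin": True, "daily_use": False, "mfa": True, "enabled": True, "left_on": None},
]


def audit(accounts, role_needs, today):
    """Return {user: [findings]} for the four access-control rules listed above."""
    findings = {}
    for acct in accounts:
        issues = []
        extra = acct["systems"] - role_needs.get(acct["role"], set())
        if extra:
            issues.append("access beyond role: " + ", ".join(sorted(extra)))
        if acct["admin"] and acct["daily_use"]:
            issues.append("admin rights on a daily-use account")
        if not acct["mfa"]:
            issues.append("MFA is off")
        if acct["enabled"] and acct["left_on"] and acct["left_on"] < today:
            issues.append("still enabled after leaving on " + acct["left_on"].isoformat())
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(ACCOUNTS, ROLE_NEEDS, date(2024, 5, 6)).items():
        print(user, "->", "; ".join(issues))
```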
Where to Start This Week
Pick one item per week. Start with the highest-impact action and build from there:
This week: Check your backups. Ask your IT provider to confirm they exist and are running daily. Verify they cover your file server, email platform, and line-of-business applications. Ask for proof of the last successful backup date.
Next week: Set up a password manager. Start with the business owner and any staff member who manages systems. Migrate the most critical credentials first: email admin, accounting, banking, domain registrar.
Week three: Write your recovery runbook. Sit down for 30 minutes and answer the five questions listed above. Do not worry about making it polished. A rough document beats an empty folder every time.
Week four: Review access controls. Check who has admin access to Microsoft 365, your accounting platform, and your file server. Remove anyone who does not need it. Turn on MFA for every platform that supports it.
Four weeks. No huge cost. No consultants required, though your IT provider can speed things up. By the end, you have a working business continuity plan for your small business that covers the basics and gives your team something to follow when things go wrong.
Frequently Asked Questions
A business continuity plan covers how the entire business keeps operating during a disruption: people, processes, and communication. A disaster recovery plan is the IT-specific piece: restoring systems, data, and infrastructure. Most small businesses need both, and they can live in the same short document.
Yes. Cloud platforms reduce some risks (fire, flood, hardware failure) but introduce others (account lockouts, vendor outages, misconfigurations). You still need backups of cloud data, documented credentials, and a communication plan for outages.
Once per quarter at minimum. Pick a random file or folder, restore it, and confirm it opens correctly. Check backup logs monthly to confirm jobs completed without errors.
Extended downtime. Most small businesses that suffer a major IT incident without a plan lose three to ten business days. For a business turning over $1 million to $5 million per year, that is $12,000 to $200,000 in lost revenue before you count the reputational damage.
A good managed IT provider will build the technical components: backups, access controls, monitoring, and documented recovery procedures. The business-side decisions (who has authority during a crisis, which functions come back first) need to come from you.
Get the Baseline in Place
You do not get to choose which disaster hits your business. You do get to choose whether your team has something to work with when it arrives.
Get your backups running. Document your access. Write the runbook. Tighten your controls.
If you want help putting a business continuity plan together that fits your size and your budget, talk to the team at sixfive.io. We will look at where you are, fix what is missing, and build a baseline that holds.