It’s never been more important to have an IT disaster recovery plan in place. According to an annual global review of cyberthreats, in 2017, ransomware—which blocks access to a business’s data, holding it hostage until a ransom is paid—became the most prevalent type of malware. The study further noted that there has been a steady year-over-year increase in these types of attacks since 2014. How disastrous can a ransomware attack be? Without a backup and disaster recovery plan in place, 40% of small-to-mid-size businesses are unable to quickly and fully recover after a ransomware attack.

However, as bad as ransomware attacks can be, most network downtime happens because of hardware and software failures, and power outages.

Without BDR [a backup and recovery solution] in place, 40% report SMBs [small-to-mid-size businesses] unable to recover quickly and fully from ransomware.

Datto State of the Channel Ransomware Report

Although 96% of small-to-mid-size businesses that have a disaster recovery plan in place are able to fully recover from a disaster, four in 10 businesses have no such plan in place.

Here are some important things to think about as you consider your company’s disaster recovery plan:

1. It starts with backup

Copying your data, applications and configurations is actually the first step in disaster recovery. A proper backup strategy ensures that you can recover a point-in-time copy of your data from a secondary location. Periodic point-in-time backups are critical in restoring data and applications from the time before the ransomware attack occurred. It’s like copying all the files your laptop to a new USB stick every night. If one of your files gets corrupted, and you’re not sure when it happened, you can check each of those USB sticks, going to go back to different points in time when the file was not corrupted, and restoring the version you want.

2. Bolster backup with disaster recovery as a service (DRaaS)

Unlike the periodic copies made during backup, DRaaS perpetually replicates your applications and data, storing it in a secure, secondary location. In the event your primary site’s infrastructure fails, however, your applications can be restored from the secondary site, keeping your mission-critical tasks—and your business—up and running despite the disaster. Going back to the laptop analogy, DRaaS is like having a second laptop that updates simultaneously with the first one; so if you create or delete a file on the first laptop, the second one does the same instantaneously. If your first laptop breaks, you can pick up exactly where you left off using the second one, but whatever was deleted on the first laptop before it broke will also be gone on the second. That’s why you want backup in addition to DRaaS: at least you’ll have previous versions of the deleted file you can go back to.

3. Stop shadow IT

“Shadow IT” refers to the practice of employees using unauthorized software because they aren’t—or perceive they aren’t—provided with the tools they need to do their jobs effectively. According to an annual survey of CIOs, shadow IT has been on the rise for four straight years. If IT is unaware of what programs and platforms employees are leveraging, it becomes difficult to ensure there’s any backup plan for the data they’re generating. This point underscores that, as you consider your disaster recovery plan, it’s important to consider both the data you’re aware of and any data pools that may be off IT’s radar.

Disasters are by definition worst-case scenarios. But with a plan in place, you’re in the best possible position to recover crucial data in case of catastrophe.