WHAT BCDR ACTUALLY MEANS IN 2026.
Walk into the average Florida small business and ask “what's your disaster recovery plan?” You'll usually get one of three answers: “we have a backup” (singular, location unknown), “the cloud handles it” (untested assumption), or a blank stare. Twenty years ago that may have been defensible — backup meant a tape someone took home on Friday, and disaster meant the building burned down. In 2026 the threat model is wider, the regulatory floor is higher, and “we have a backup” is not a plan.
Modern BCDR — business continuity and disaster recovery — is a documented program with three parts: a business continuity plan (how the team keeps working through the disruption), a disaster recovery plan (how systems and data come back), and a tested capability proving both actually work. The output is a written runbook the practice administrator or office manager can execute at 3pm on a Tuesday with adrenaline pumping — not a binder on a shelf no one has opened since the day it was created.
The 2026 threat surface a Florida small business has to plan for: ransomware (encryption of every accessible file, including the local backup), hurricane and tropical storm (multi-day power and connectivity loss, sometimes structural damage), cloud-provider outages (M365, AWS, your hosted EHR), hardware failure (server, NAS, firewall, switch), accidental deletion or corruption (the most common cause, by far), departing-employee data destruction, and physical disaster (fire, flood, theft, structural). The mitigation for each is different. A single backup product cannot cover all seven.
The shift from “backup” to “BCDR” is the shift from a product to a program. The remaining ten sections of this guide are the program.
RPO AND RTO — THE TWO NUMBERS EVERY OWNER SHOULD KNOW.
Two technical terms, two business questions. RPO (Recovery Point Objective) answers “how much work are we willing to lose?” If your last good backup is from 8pm Monday and ransomware hits at 9am Tuesday, your actual data loss is 13 hours of work. If that's acceptable, an RPO of 13 hours is enough. If it isn't, you need backups that run more frequently — hourly, every 15 minutes, or continuous data protection.
RTO (Recovery Time Objective) answers “how long can we be down?” If the server fails at 9am and the team can't see patients, bill clients, or close real-estate transactions until 4pm, that's a 7-hour recovery time. If that costs $80,000 in lost revenue and rescheduling, the BCDR investment that takes RTO down to 1 hour pays for itself in one event.
Real Florida examples we work with:
- 10-person Ocala medical practice on a cloud EHR: RPO 1 hour (M365 mail/files), RTO 4 hours (workstation rebuild). The EHR vendor owns the EHR's own RPO/RTO.
- 15-person Gainesville CPA firm during tax season: RPO 15 minutes (a single hour of lost tax-prep data is brutal), RTO 2 hours. Off-season the same firm can live with RPO 4 hours / RTO 8 hours.
- 20-person Daytona law firm with real-estate closings: RPO 1 hour, RTO 4 hours. A delayed closing is a contractual problem, not just an inconvenience.
- 8-person dental practice in The Villages: RPO 4 hours, RTO 8 hours. The dental practice management software is the binding constraint.
The right RPO and RTO are business decisions, not IT decisions. The owner or practice manager defines “how much downtime hurts us” and “how much data loss is acceptable” — IT designs the stack to hit those numbers. Tighter objectives cost more. Looser objectives cost more when something goes wrong. The vCIO conversation is finding the right point on that curve.
3-2-1 — AND WHY IMMUTABLE CLOUD BACKUP IS NOW THE FLOOR.
The 3-2-1 rule has been the backup industry's shorthand for two decades: three copies of every important piece of data, on at least two different storage media, with at least one copy off-site. The first copy is your production data. The second is typically an on-site backup (local NAS, BDR appliance). The third is off-site (cloud target, replicated DR site, or in the old days a courier picking up tapes).
3-2-1 was sufficient when the dominant disaster was hardware failure or fire. It is not sufficient against modern ransomware. Ransomware operators specifically target the on-site backup before encrypting production — if the backup is reachable over the network with credentials, it gets encrypted too. Cloud backups configured with standard user credentials get encrypted too. The result: backups exist on paper, but none of them are usable when the recovery moment comes.
The 2026 update to 3-2-1 is sometimes written 3-2-1-1-0: three copies, two media, one off-site, one immutable, zero errors in the last restore test. The two new requirements:
- Immutable means the backup, once written, cannot be deleted or altered — even by an attacker with valid admin credentials — for the configured retention period. Implementations include cloud object-lock (S3 Object Lock, Azure Blob immutable storage), hardened Linux appliances (Datto, Veeam Hardened Repository), or tape that's physically removed and air-gapped after each rotation.
- Zero errors means your last restore test actually produced a usable result. A backup that has never been tested is not a backup — it's a hope.
The new floor for a Florida small business: production data, an on-site BDR appliance for fast restores, a cloud target with immutable retention, and quarterly tested restores. Anything less leaves the business exposed to the specific failure mode — ransomware encrypting both production and the local backup — that has put more practices out of business in the last three years than any other single cause.
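As an added example (not Simply IT's or any vendor's code), the check below audits a copy set against 3-2-1-1-0 and decides whether a cloud target's S3 Object Lock configuration actually earns the "immutable" label; the copy records and lock responses are constructed samples, and the response dicts are shaped like what boto3's get_object_lock_configuration() returns.

```python
"""Evaluate a backup copy set against the 3-2-1-1-0 rule described above.

Added example, not Simply IT's or any vendor's code. The copy records and the
Object Lock responses are constructed samples shaped like the dict boto3's
S3.Client.get_object_lock_configuration() returns.
"""
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    media: str        # "disk", "object-storage", "tape", ...
    offsite: bool
    immutable: bool   # survives an attacker holding valid admin credentials


def object_lock_is_immutable(cfg: dict, min_days: int) -> tuple[bool, str]:
    """Does an S3 Object Lock configuration meet the 'immutable' bar?

    Only COMPLIANCE mode blocks deletion by every principal until retention
    expires; GOVERNANCE mode can be lifted by a principal granted
    s3:BypassGovernanceRetention, so it does not count here.
    """
    lock = cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return False, "Object Lock is not enabled on the bucket"
    retention = lock.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        return False, f"default retention mode is {mode}, not COMPLIANCE"
    days = retention.get("Days", 0) or 365 * retention.get("Years", 0)
    if days < min_days:
        return False, f"default retention {days}d is below the required {min_days}d"
    return True, f"COMPLIANCE mode with {days}d default retention"


def audit_3_2_1_1_0(copies: list[BackupCopy], last_restore_errors: int) -> list[str]:
    """Return every 3-2-1-1-0 requirement the copy set fails (empty = pass)."""
    gaps = []
    if len(copies) < 3:
        gaps.append("3: fewer than three copies")
    if len({c.media for c in copies}) < 2:
        gaps.append("2: all copies share one media type")
    if not any(c.offsite for c in copies):
        gaps.append("1: no off-site copy")
    if not any(c.immutable for c in copies):
        gaps.append("1: no immutable copy")
    if last_restore_errors:
        gaps.append(f"0: last restore test had {last_restore_errors} error(s)")
    return gaps


# Constructed samples: compliance-mode lock for a year vs. a 30-day governance lock.
COMPLIANCE_CFG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}}}
GOVERNANCE_CFG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}

# The floor from the text: production, on-site BDR appliance, immutable cloud target.
cloud_ok, _ = object_lock_is_immutable(COMPLIANCE_CFG, min_days=90)
SAMPLE_COPIES = [
    BackupCopy("production file server", "disk", offsite=False, immutable=False),
    BackupCopy("on-site BDR appliance", "disk", offsite=False, immutable=False),
    BackupCopy("cloud target", "object-storage", offsite=True, immutable=cloud_ok),
]
```

Dropping the cloud target from the list (or pointing the lock check at a governance-mode bucket) is exactly the gap ransomware exploits: the audit then reports "no immutable copy" even though three copies exist.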
HURRICANE CONTINUITY: DUAL-WAN, GENERATOR-READY, CLOUD-FIRST.
Florida is the most hurricane-exposed state in the continental US. The 2024 and 2025 seasons brought direct impacts to North Central Florida that took out power and internet for days at a time across Marion, Sumter, Alachua, Volusia, and Citrus counties. Every Florida small business has to plan for the realistic case: a five-to-seven-day disruption with intermittent power and degraded connectivity, not a Hollywood-style total wipeout.
The hurricane-resilient architecture has three layers:
- Cloud-first applications: Email, files, line-of-business apps, and phones run in Microsoft 365 / hosted EHR / SaaS — not on a server in the back office. If the office goes dark, the team works from home, from a hotel, from a coffee shop in Tallahassee. The cloud-app vendors' data centers are vastly more hurricane-resilient than any small office can ever be.
- Dual-WAN with cellular failover: Business-class firewall (Sophos, Fortinet, SonicWall, Meraki) with a primary fiber circuit and a cellular failover modem. When Spectrum or AT&T goes down — and they do — the office stays online on cellular for as long as the cell towers stay up.
- Generator-ready hardware + UPS: Network gear (firewall, switch, WiFi controller) on UPS protection sized for at least 30 minutes of clean power. If the practice has a building generator, wire the network stack and core endpoints to the generator-backed circuits. Laptops over desktops for the workforce — a laptop's battery is its own UPS.
The pre-hurricane runbook (we walk every Florida client through it annually before June 1): off-site current cloud backup verified, laptops fully charged and signed in to M365 offline, key staff have hot-spot data plans, the written work-from-home roster is current, the answering service is briefed for storm-route call handling, on-prem servers are gracefully shut down before predicted landfall.
The cost of getting this wrong: a one-week post-hurricane office closure for a 10-person practice that didn't have cloud-first architecture is roughly $80,000-$150,000 in lost revenue plus the patient/client trust damage. The cost of building it right ahead of time: a few thousand dollars of firewall + cellular failover, plus the discipline of running operations through M365 instead of a local server. The math is not subtle.
RANSOMWARE RECOVERY — THE BCDR LAYER THAT ACTUALLY SAVES PRACTICES.
Ransomware is the disaster scenario where BCDR earns its keep. The cost of a ransomware incident at a Florida small business in 2026 averages $300,000-$1.85M depending on size, industry, and how much of the BCDR program was actually in place before the incident. The single largest cost driver: how long the business is unable to operate. Every day down adds tens of thousands of dollars in lost revenue, plus regulatory notification costs, plus legal fees, plus the cost of credit monitoring for affected patients or clients.
The ransomware recovery path with a proper BCDR program in place:
- Hour 0: Call cyber-insurance hotline first. Breach coach activates attorney-client privilege over the investigation.
- Hour 0-2: Disconnect affected systems from network (do not power off). Engage IT provider and forensics team via the breach coach.
- Hour 2-12: Forensic scoping confirms blast radius. Identify the immutable backup as recovery source. Begin standing up a clean replacement environment.
- Hour 12-48: Restore servers from immutable cloud BDR to a clean network. Rebuild workstations from current image library. Force password rotation on every account.
- Hour 48-72: Phased return to operations. Cyber-insurance handles regulatory notification timeline. Practice resumes patient/client work.
Without immutable backup, that timeline becomes weeks instead of days — or the practice pays the ransom (with no guarantee the decryptor works and a 50%+ chance of being hit again within 12 months). The ransom payment is rarely the largest cost. The downtime is.
Sophos' State of Ransomware reports have shown for years that organizations with tested immutable backups recover 4-10x faster and at roughly one-tenth the total cost compared to those without. The single highest-ROI investment a Florida small business can make in IT in 2026 is not a fancy security product — it's a tested immutable backup with quarterly drills.
MICROSOFT 365 BACKUP: BUILT-IN RETENTION IS NOT A BACKUP.
This is one of the most consequential misunderstandings we encounter at new clients. Microsoft 365 includes retention features: 30-day deleted-items recovery on mail, 14-day default recycle bin on OneDrive and SharePoint, version history on Office documents, and longer retention if the admin has configured Retention Policies in the Microsoft Purview compliance center. Those are retention features — they are not a backup.
Microsoft's own shared-responsibility documentation (search “Microsoft 365 Shared Responsibility Model”) explicitly states that Microsoft is responsible for the platform's availability — and the customer is responsible for protecting customer data within the platform. That language exists for a reason. It means Microsoft will not restore data that was deleted, encrypted, or destroyed outside the retention window — whether the cause was malicious, accidental, or compliance-driven.
The scenarios where M365 retention fails the practice:
- Ransomware that encrypts OneDrive- and SharePoint-synced files: the encrypted versions sync to the cloud and overwrite the unencrypted versions. Recovery via M365's version-history feature is sometimes possible but not always reliable at scale.
- Departing employee mailbox deletion or sabotage: if the departure goes unnoticed for more than 30 days, the deleted-items recovery window has expired.
- Accidental mass deletion of a SharePoint document library: default 93-day site-recycle-bin retention only catches it if discovery is fast enough.
- Compliance hold or e-discovery demand reaching back years: retention policies cap at a point in time and may not satisfy a 7-year HIPAA or tax-records hold.
The fix: a third-party M365 backup product. Datto SaaS Protection, Veeam M365 Backup, Acronis Cyber Protect Cloud, Barracuda Cloud-to-Cloud, and Spanning all back up mailboxes, OneDrive, SharePoint, and Teams data into an independent cloud repository with retention measured in years rather than days. Pricing typically runs $3-$6 per user per month. Simply IT includes M365 backup in Simply Secure and Simply Compliant as part of the base price — we don't consider an M365 tenant production-ready without it.
TESTING: QUARTERLY DRILL CADENCE AND AUDIT-DEFENSIBLE EVIDENCE.
A backup that has never been restored is not a backup — it's a hope. The single most-cited gap in cyber-insurance underwriter questionnaires, in HIPAA contingency-plan audits, and in our own onboarding assessments is: when was your last successful restore test, and where is the documented result?
The cadence we recommend and run for every BCDR client:
- Weekly: automated backup health check. The backup software reports success/failure on every scheduled job; anything red gets investigated within 24 business hours.
- Monthly: spot-check restore of one mailbox or file from the M365 backup, documented with timestamp and result.
- Quarterly: partial server restore to an isolated network — verify the image boots, services start, and data is consistent. Document with screenshots, timestamps, and a brief written narrative.
- Annually: full disaster-recovery drill. Simulate loss of the primary site, stand up the BDR appliance's virtualized recovery on a clean network, log in as a representative user, verify the EHR or line-of-business app comes up correctly. Document with a written drill report.
The documentation is the evidence. Underwriters, HIPAA OCR investigators, FTC examiners, and Florida Bar inquiry committees all expect contemporaneous written records — not after-the-fact reconstructions. The quarterly drill report should include: date and time, scope tested, RPO observed (how recent was the recovered data), RTO observed (how long the recovery took), any failures, and remediation actions taken.
This is one of those areas where 30 minutes of work each quarter, multiplied across the year, creates an audit-defensible BCDR program that costs almost nothing in incremental time but pays for itself the first time an underwriter or auditor asks “prove it.”
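As an added example (not Simply IT's own tooling), the script below turns a quarterly drill report into the observed-RPO and observed-RTO figures the section says the report must carry and scores them against the objectives from the RPO/RTO section; the objectives are the Gainesville CPA firm's tax-season numbers, the 90-day freshness bar is the underwriter target, and both drill reports are constructed samples.

```python
"""Check a quarterly drill report against the practice's RPO/RTO objectives.

Added example, not Simply IT's own tooling. Objectives are the Gainesville CPA
firm's tax-season figures from the RPO/RTO section (RPO 15 min, RTO 2 h); the
drill reports are constructed samples carrying the fields the text lists.
"""
from datetime import datetime, timedelta

OBJECTIVES = {"rpo": timedelta(minutes=15), "rto": timedelta(hours=2)}
MAX_TEST_AGE = timedelta(days=90)   # underwriters' target for the last restore test


def observed_rpo_rto(report: dict) -> tuple[timedelta, timedelta]:
    """Derive observed RPO (work lost) and RTO (time down) from ISO 8601 stamps:
    incident_at = point of failure, backup_at = backup used for recovery,
    restored_at = when the restored system passed verification."""
    incident = datetime.fromisoformat(report["incident_at"])
    backup = datetime.fromisoformat(report["backup_at"])
    restored = datetime.fromisoformat(report["restored_at"])
    return incident - backup, restored - incident


def evaluate_drill(report: dict, objectives: dict, today: str) -> dict:
    """Return the observed numbers plus every finding that makes the drill a miss."""
    rpo, rto = observed_rpo_rto(report)
    findings = []
    if rpo > objectives["rpo"]:
        findings.append(f"RPO missed: lost {rpo} of work, objective {objectives['rpo']}")
    if rto > objectives["rto"]:
        findings.append(f"RTO missed: down {rto}, objective {objectives['rto']}")
    if report["failures"]:
        findings.append("restore had errors: " + "; ".join(report["failures"]))
    age = datetime.fromisoformat(today) - datetime.fromisoformat(report["incident_at"])
    if age > MAX_TEST_AGE:
        findings.append("last restore test is older than 90 days")
    return {"rpo_observed": rpo, "rto_observed": rto,
            "pass": not findings, "findings": findings}


# Constructed sample reports. FAILING_DRILL reuses the text's own numbers:
# last good backup 8pm Monday, failure 9am Tuesday, back up at 4pm.
PASSING_DRILL = {
    "scope": "partial restore of the file-server image to an isolated network",
    "incident_at": "2026-03-10T09:00:00",
    "backup_at": "2026-03-10T08:50:00",
    "restored_at": "2026-03-10T10:35:00",
    "failures": [],
    "remediation": "none required",
}
FAILING_DRILL = {
    **PASSING_DRILL,
    "backup_at": "2026-03-09T20:00:00",
    "restored_at": "2026-03-10T16:00:00",
    "failures": ["SQL service did not start until the log volume was re-attached"],
    "remediation": "add the log volume to the server image; re-test next quarter",
}

if __name__ == "__main__":
    for name, drill in (("passing", PASSING_DRILL), ("failing", FAILING_DRILL)):
        result = evaluate_drill(drill, OBJECTIVES, today="2026-04-01")
        print(name, "PASS" if result["pass"] else "FAIL", result["findings"])
```

The failing report scores a 13-hour RPO and a 7-hour RTO against a 15-minute / 2-hour objective, which is the documented evidence an underwriter or OCR investigator would expect to see alongside the remediation that followed.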
INDUSTRY-SPECIFIC BCDR (HIPAA, FTC SAFEGUARDS, FL BAR 4-1.6).
The regulatory floor for BCDR varies by industry. Here are the binding requirements for the three most common compliance environments we serve at Florida small businesses:
HIPAA Contingency Plan (45 CFR 164.308(a)(7))
HIPAA explicitly requires every covered entity and business associate to maintain a Contingency Plan with five components: a Data Backup Plan (required), a Disaster Recovery Plan (required), an Emergency Mode Operation Plan (required), Testing and Revision Procedures (addressable), and Applications and Data Criticality Analysis (addressable). “Addressable” does not mean optional — it means the practice must implement it OR document why an alternative is reasonable. We have never seen OCR accept an undocumented absence.
FTC Safeguards Rule (16 CFR 314.4)
The Safeguards Rule, applicable to CPA firms and other “financial institutions,” requires a written information security program (WISP) that includes incident response and business continuity. The December 2023 amendment added explicit incident-notification timelines and elevated the Qualified Individual's reporting obligations. A CPA firm without a written BCDR program is in technical non-compliance.
Florida Bar Rule 4-1.6
Florida Bar Rule 4-1.6 imposes a “reasonable efforts” standard on the protection of client confidential information. The Florida Bar's ethics opinions and CLEs have made clear that “reasonable efforts” in 2026 includes tested backup and incident-response capability — not just a vague intent to recover if something goes wrong. A law firm without a tested BCDR program is exposed both to bar discipline and to malpractice liability if a recoverable incident causes client harm.
In all three frameworks the structure is the same: a written plan, a tested capability, contemporaneous evidence. The good news: building one set of artifacts that satisfies HIPAA, FTC Safeguards, FL Bar 4-1.6, and the cyber-insurance underwriter checklist is achievable with a small amount of organized work.
CYBER INSURANCE AND BCDR — WHAT UNDERWRITERS LOOK FOR.
Cyber-insurance applications in 2026 universally include a BCDR section. Every major carrier (Coalition, Travelers, AIG, Chubb, Beazley, AmTrust) asks roughly the same questions, in slightly different language:
- How frequently are backups taken? (Daily minimum; sub-daily preferred.)
- Are backups stored off-site? (Yes is the only acceptable answer.)
- Are backups immutable or air-gapped? (Yes is the only acceptable answer in 2026.)
- When was the last successful restore test? (Within 90 days is the target; within 12 months is the floor.)
- Do you back up Microsoft 365 or Google Workspace data separately? (Yes — native retention does not count.)
- What is your documented RTO and RPO? (Numerical answer required.)
- Do you have a written incident response plan? (Yes, with attached document.)
Practices that can answer all seven affirmatively, with documentation attached, get the favorable treatment: lower premiums, higher limits, no ransomware sublimit, no exclusions stapled onto the policy. Practices that can't answer affirmatively get the opposite: declined coverage, materially higher premiums, lower limits, sublimits on ransomware payouts, broader exclusions, or all of the above.
The same evidence package that satisfies the underwriter satisfies HIPAA, FTC Safeguards, FL Bar 4-1.6, and SOC 2. Build it once, use it everywhere.
THE WRITTEN IR / CONTINUITY PLAN — WHAT MUST BE IN IT.
The written plan is the difference between a BCDR program and a wish. It does not need to be 100 pages of binder material — in fact, the best plans are a few clear pages that the practice administrator can actually read at 3pm on a Tuesday with adrenaline pumping. The structure we deploy at every Florida client:
- Page 1 — The First Hour: the three phone numbers to call in order (cyber-insurance hotline, IT provider, designated Security Officer or Qualified Individual), the do-not-touch instructions (disconnect; do not power down; do not delete), the documentation rules (timestamps, screenshots, names).
- Page 2 — Roles and Responsibilities: who at the practice does what during an incident. Owner / practice administrator; Security Officer or Qualified Individual; IT provider; cyber-insurance breach coach; legal counsel; outside communications counsel if applicable.
- Page 3 — Systems Inventory: what systems the business depends on, where the data lives, which vendor is responsible for what, the RPO/RTO for each.
- Page 4 — Recovery Scenarios: the three or four most-likely disaster scenarios for your business (ransomware, hurricane, hardware failure, cloud outage) with a half-page runbook for each.
- Page 5 — Communication Templates: draft language for notifying clients/patients, staff, vendors, and (if required) regulators. Pre-written and ready to customize — no one writes good crisis communication from scratch under stress.
- Page 6 — Drill Log: the running record of when the plan was last tested, what was tested, what worked, what failed, what was fixed.
Three copies of the plan should exist: a digital copy in M365 (synced, searchable), a printed copy in a binder at the office, and a printed copy at the owner's home or vehicle. Every quarter the plan gets reviewed and the drill log updated. Every annual cycle the plan gets a full read-through with the leadership team.
Simply IT delivers a customized written IR/continuity plan as part of onboarding for every Simply Compliant client. We update it annually as part of the vCIO review.
THE SIMPLY IT BCDR STACK.
Here's what we actually deploy at every Florida small business that engages Simply Secure or Simply Compliant. It satisfies the cyber-insurance underwriter checklist, the HIPAA 164.308(a)(7) contingency plan requirement, the FTC Safeguards WISP requirement, and the FL Bar 4-1.6 reasonable-efforts standard — with one set of artifacts.
- On-site BDR appliance: Datto SIRIS or equivalent image-based backup. Hourly incremental backups of every server. Built-in virtualization so a failed server can be brought up on the appliance itself within an hour.
- Immutable cloud target: Datto Cloud (or equivalent S3-Object-Locked / hardened-Linux) with retention measured in years. Cannot be deleted or encrypted by any credential, including ours.
- Microsoft 365 backup: Datto SaaS Protection (or equivalent) backing up mailboxes, OneDrive, SharePoint, and Teams to an independent cloud repository with 7-year retention.
- Workstation imaging: standardized images for every workstation type so a ransomware-encrypted laptop can be reimaged from clean media within hours, not days.
- Dual-WAN with cellular failover: business firewall with primary fiber and cellular failover. Stays online through Spectrum and AT&T outages.
- Quarterly drill cadence: partial restore quarterly, full DR drill annually, with written documentation filed in the client's compliance portal.
- Written IR / continuity plan: customized 6-page plan delivered at onboarding, updated annually in the vCIO review.
- Cyber-insurance liaison: we work directly with the practice's broker at renewal to provide the BCDR evidence package the underwriter needs.
Pricing: the full BCDR stack is bundled into Simply Secure ($125/user/month) and Simply Compliant ($150/user/month). No long-term contracts, no minimum engagement. A 10-person Florida practice on Simply Compliant invests $1,500/month for the complete stack — versus the $300K-$1.85M average ransomware recovery cost without it. The ROI math is the same as fire insurance: pay the premium every month, never want to need it.