What Happens to Your Data If Your Office Burns Down or Floods

Most small businesses think about data loss in terms of cyberattacks. Ransomware, phishing, compromised accounts. Those are real threats and they get a lot of attention. What gets far less attention is the scenario where the physical location that houses your servers, workstations, and network equipment is destroyed. A fire, a flood, a burst pipe, a tornado, or an electrical failure that takes out hardware. No attacker involved. Just physics.

The result is the same as ransomware in terms of impact, but worse in one critical way: there is no decryption key. There is no negotiation. The hardware is destroyed and the data on it is gone. If your only copies of that data were in the building, they are gone permanently.

This is the scenario that the 3-2-1 backup rule was designed to protect against, and it is the scenario that exposes whether a business truly has a backup strategy or just thinks it does.

What is typically in the office

Before understanding what you lose, it helps to inventory what is actually at risk in a typical small business office.

On-premises server. Many SMBs still run a physical server in a closet or small server room. This server may host file shares, Active Directory, line-of-business applications and local databases – accounting software, CRM, ERP – and sometimes email. Everything on that server is physically present in the building.

NAS (Network Attached Storage). A NAS device used for file storage, backups, or media. Often positioned as the “backup” solution, which means the backups are in the same building as the data they protect.

Workstations and laptops. Employee computers contain local files, browser bookmarks, application configurations, cached credentials, and sometimes the only copy of documents that were never saved to the server or cloud storage.

Network equipment. Routers, switches, firewalls, access points, and their configurations. Replacing hardware is straightforward. Recreating the configuration from memory is not. If the rebuild is also a chance to upgrade from consumer-grade gear, the hardware-decision side is in business WiFi vs consumer WiFi: why it matters for your office.

Physical documents. Contracts, tax records, employee files, and client paperwork that exists only on paper or on a local scanner.

Surveillance systems. Security cameras with local DVR/NVR storage. Footage is typically not backed up offsite.

What you lose in a physical disaster

Everything on the server

If your server is destroyed and your only backup is on a NAS sitting next to it, both are gone. The server contained:

• File shares with years of business documents
• Active Directory (user accounts, group policies, permissions)
• Database for your line-of-business application (accounting, CRM, ERP)
• Email archive if running an on-premises mail server
• Application configurations and customizations

Rebuilding a server from scratch takes days. Rebuilding it without any backup of the data or configuration takes weeks, and some data is simply unrecoverable.

Everything on the NAS

If the NAS was your backup destination and it was in the same building as the server, your backup strategy failed at the most fundamental level. The purpose of a backup is to survive the loss of the primary copy. A backup in the same physical location as the primary does not survive a fire, flood, or electrical event that destroys both.

This is the most common backup failure mode for small businesses. They have a backup. It runs every night. The backup software sends confirmation emails. Everything looks fine. Until the building floods and both the server and the backup drive are underwater.

Employee workstations

Files saved to the desktop, downloads folder, or local drives that were not synced to cloud storage or the server. In many businesses, employees save work locally without realizing it is not backed up. A 2019 survey by Ontrack found that 33% of businesses that experienced data loss cited physical damage to hardware as the cause.

Configuration and institutional knowledge

Server configurations, firewall rules, application settings, printer configurations, VPN setup, and the dozens of small customizations that make the IT environment work. These are rarely documented. The person who set it up may not even work there anymore. Recreating these from scratch adds days to the recovery even if you have the data.

Insurance does not recover data

This is the misconception that causes the most damage. Business property insurance covers the physical hardware. It pays to replace the server, the workstations, the network equipment, and the furniture. What it does not cover is the data that was on those devices.

You can buy a new server for $5,000. You cannot buy back ten years of client records, financial data, project files, and email history. That data has no replacement cost because it cannot be replaced. It can only be restored from a backup that exists somewhere other than the destroyed building.

Some cyber insurance policies cover data recovery costs, but they typically cover the cost of recovery services (forensics, rebuilding), not the value of lost data itself. If the data cannot be recovered because no offsite backup exists, insurance pays for the attempt and the diagnosis of “unrecoverable.” It does not recreate the data.

For a broader understanding of what cyber insurance covers and what it does not, see the dedicated guide.

Real cost of data loss from a physical disaster

The financial impact breaks down into direct and indirect costs.

Direct costs

Hardware replacement. Servers, workstations, networking equipment, and peripherals. $10,000 to $50,000 for a typical small business. Usually covered by property insurance.

Data recovery attempts. If drives survived the event (partially burned rather than completely destroyed, or water-damaged but potentially recoverable), professional data recovery services cost $500 to $5,000 per drive with no guarantee of success. For fire-damaged hardware, recovery rates are very low.

IT labor for rebuilding. Rebuilding the IT environment from scratch: installing operating systems, reconfiguring servers, re-establishing Active Directory, reconnecting applications, and setting up workstations. 40 to 200 hours of IT labor depending on complexity. At $100 to $200/hour for emergency IT services, this is $4,000 to $40,000.

Software re-licensing. If license keys and installation media were stored only on the destroyed hardware, you may need to re-purchase or re-activate software. Most vendors accommodate disaster scenarios, but the process takes time and often requires proof of prior purchase that may also have been in the building.

Indirect costs

Downtime. Every day the business cannot operate is lost revenue. For a business doing $1 million in annual revenue, each day of total downtime costs roughly $2,740. Ransomware recovery takes two to four weeks on average. Physical disaster recovery without offsite backups takes just as long or longer because there is no data to restore at all.

Client impact. If you cannot access client records, deliver projects, or communicate with customers for weeks, some of those clients will not wait. They will find another provider. The client relationships you lose during an extended outage may never come back.

Regulatory consequences. If you are a HIPAA-covered entity and patient records are destroyed without a recoverable backup, you have a reportable incident. The records are gone, which means you cannot demonstrate you maintained them as required. Similar issues apply to businesses subject to financial record retention requirements.

Employee impact. Staff who cannot work are either idle (costing you payroll for zero productivity) or working from personal devices in an improvised setup that creates security risks and reduces efficiency.

How to protect against physical disaster

Offsite backup

The single most important protection. If a copy of your data exists outside the building, you can recover from any physical disaster. The building and all its hardware become replaceable commodities. The data survives.

Offsite backup options:

Cloud backup. Your data is backed up to a data center operated by a backup provider (Veeam, Acronis, Datto, Backblaze, or a managed service provider). The data is encrypted in transit and at rest, stored in a geographically separate location, and accessible from anywhere with internet access. This is the simplest and most reliable offsite backup for most small businesses. For a comparison of approaches, see cloud backup vs on-premises backup.

Rotating offsite drives. A set of external drives that are rotated between the office and an offsite location (a bank safe deposit box, an employee’s home, a separate office). One drive is always offsite with a recent backup. This is lower-tech than cloud backup but provides air-gapped protection that is immune to both physical disaster and network-based attacks.

Replication to a second location. If your business has multiple offices, replicate data from one location to the other. This provides near-real-time offsite backup but only works if the second location is far enough away that a single event cannot affect both.

Cloud-first infrastructure

The most effective protection against physical disaster is not having critical data in the building at all.

Microsoft 365 or Google Workspace for email and file storage means your email, OneDrive/Google Drive files, and SharePoint/Shared Drive data is in the cloud. If the office burns down, your employees can access everything from a laptop at home or a coffee shop.

Cloud-hosted line-of-business applications (cloud CRM, cloud accounting, cloud ERP) mean your business data is not on a server in your closet. It is in the vendor’s data center with their redundancy and disaster recovery.

VoIP phone systems rather than on-premises PBX mean your phone system survives the building loss. Calls can be rerouted to mobile phones or new locations.

The more infrastructure you move to the cloud, the less you lose when the building is lost. A fully cloud-based business can be operational from any location with internet access within hours of a physical disaster. A business with all critical systems on-premises faces weeks of rebuilding. If you still have a server in the closet doing real work, see how to move your on-premises server to the cloud for what a phased move actually looks like.

Note that cloud infrastructure still needs backup. Microsoft 365’s built-in retention is not a substitute for independent backup – you still need a proper M365 backup strategy covering Exchange, SharePoint, OneDrive, and Teams. But cloud infrastructure is protected against the physical disaster scenario by default because the data is not in your building.

Documented disaster recovery plan

A disaster recovery plan answers the questions you do not want to be figuring out while standing in a parking lot watching your office burn:

• Where are the backups and how do you access them?
• What is the priority order for restoring systems? (Email first? Line-of-business application? File shares?)
• Who is responsible for each phase of the recovery?
• Where will employees work during the recovery? (Home? Temporary office? Coworking space?)
• How will you communicate with clients during the outage?
• What vendor contacts are needed? (Insurance, IT provider, cloud service providers, ISP)
• What credentials are needed and where are they stored? (Not in the building that just burned down)

Write this plan down. Store it in the cloud (not only on the server in the office). Test it annually. Update it when your environment changes. And make sure it is paired with a business continuity plan that covers how staff and clients are managed during the outage – disaster recovery gets systems back, but business continuity keeps the operation running in the meantime.

Test your backups

Having a backup is not the same as having a recoverable backup. Backup software that runs every night and sends a success email does not prove the data can be restored. The only way to verify recoverability is to test the restore.

Test quarterly at minimum. Restore a sample of files, a database, and a full system image to verify the process works and the data is intact. Document the test results: how long the restore took, whether the data was complete, and any issues encountered. If you have never tested a restore, schedule one this week. The first time you test should not be during an actual disaster.

The cost comparison

A cloud backup service for a small business with 1 TB of data costs $50 to $200 per month. An annual cost of $600 to $2,400.

A physical disaster without offsite backup costs:

• $10,000 to $50,000 in hardware replacement
• $4,000 to $40,000 in IT rebuild labor
• $2,740 per day in lost revenue during downtime
• Permanent loss of irreplaceable business data
• Potential client loss and regulatory consequences

The backup costs less per year than a single day of downtime costs during recovery. There is no rational argument for not having offsite backup. For businesses that want offsite backup without managing the infrastructure themselves, Backup as a Service (BaaS) handles the storage, monitoring, and recovery as a managed service.

Sequentur provides managed cybersecurity and backup services that include cloud backup management, disaster recovery planning, and the infrastructure protection that ensures your business can recover from any scenario, whether it is a ransomware attack or a physical disaster. If you want to evaluate your current backup coverage and disaster recovery readiness, reach out through our contact page.