What's your disaster recover plan?
A business can be destroyed by losing its data. I have known even losing the data on a single person's hard drive to be very expensive, and losing your servers can be much worse. You need to think about backups, continuity, hardware. I have taken a server out of a bomb blasted building and it worked - but it might not have.
Lets start with backups. Its not enough to take them, you should do test restores too to make sure they work. You backups should not be on the same physical site: otherwise a fire, a bomb, a bomd threat, or anything that denied you access to the premises would be fatal.
More subtly, they should not be with the same provider. Take the case of Raisup who had backups with their VPS provider. When the provider shut the out, they lost their servers and their backups: so they could not restore the backups elsewhere. The lesson is that your backups should be independent of the machines they are backing up.
You also need to ensure security so backups cannot be deleted if the machine they are backing up is compromised and vice-versa. This means you cannot implement a simple solution such as regularly syncing files to a backup server. Its not a difficult problem and solutions exist, but you need to use them.
Then consider what you need to back up: servers, email, vital documents on the various staff members laptops.....
You also need to consider what you will do with the backups. If hardware is physically destroyted you replace them? Do you have alternate premises or can staff work from home even if your IT infrastructure is destroyted? Can you replace a service that is no longer available?
For a small business an element of accepting some losses and delays if the worst happens may be reasonable compared to the cost of comprehensive preparation - but you need to know that what you could lose is what you can lose and still stay in business.
Despite our dislike of cloud solutions in general, backup is one area where they shine: they are backed up to a different location, often to systems that are backed up themselves, and there are many solutions that make it possible to encrypt the data. Encryption is a good idea, not only to protect your proprietary data, but good practice (and in some cases a legal oblication) with regard to your customers data (especially if you hand any kind of personal data).