The accelerated move to the cloud, driven by the pandemic, has seen a large number of organisations shift from on-premise Exchange to Office 365 over the last two years. Moreover, Microsoft Office 365 enables users to safeguard their data in cloud storage via its online collaboration and sharing system, but can businesses totally depend on Microsoft Office 365 to protect their data?
In short, the answer is “no”. In fact, Microsoft itself states in its service agreement for Microsoft 365: “We recommend that you regularly backup your content and data that you store on the services or store using third-party apps and services.”
While backup is a critical part of IT, it is sadly neglected, often because many assume it just happens or that it is someone else’s responsibility. Many think Microsoft takes care of it all, but while it may take care of a large chunk of it, the company’s focus is on managing its infrastructure and ensuring uptime for its users. The software giant expects its customers to take responsibility for their own data.
The idea that Microsoft fully backs up all its users’ data on their behalf is common and dangerous. Businesses need to rid themselves of that notion and change their mindset, because something could easily go wrong and leave them without critical data, or worse.
The misconception lies in the gap between Microsoft’s perceived responsibility and the end user’s actual responsibility when it comes to the protection and retention of their Office 365 data in the long term. At the end of the day, each organisation must ensure it has access to, and control over, its Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams data.
Microsoft provides a level of backup and recoverability, but it is not what many companies think it is. Over and above the standard measures that Office 365 has in place, each business needs to take a fresh look at the level of control it has over its data, as well as how much access it really has to that data. The software offers geo-redundancy, which many people erroneously assume is the same thing as a backup. It isn’t. A real backup only happens when a system or person makes a historical copy of specific data and then stores it in a different location. It is even more critical for organisations to have immediate access to, and direct control over, that backup, so that in the event of data loss, theft, or accidental deletion, the data can be recovered quickly. Geo-redundancy, on the other hand, protects against failure at a site or hardware level, ensuring that in the event of an outage or infrastructure crash, workers can carry on, uninterrupted, without being aware that a problem exists.
This isn’t to say anything negative about Microsoft Office 365; it is a software-as-a-service offering that is ideal for the needs of organisations of every size and in every industry. It gives users robust application availability and uptime to make sure they can work uninterrupted, but on its own, it doesn’t protect its users from the slew of security threats out there. Having an Office 365 backup, on the other hand, can do exactly that. It is important to remember that the vast majority of compromises stealthily lurk on networks for more than three months before they are uncovered. Because of this, by the time the user notices there’s something missing, it will probably be too late.
Unfortunately, this isn’t the only risk associated with not backing up Office 365. Another issue arises when a user is deleted: whether intentional or by mistake, that removal is replicated across the network, along with the user’s OneDrive for Business account and mailbox. Office 365 includes certain native recycle bins and version histories, but these protect the business from data loss only marginally. What would be a simple recovery from a proper backup can turn into a massive issue once the platform has permanently deleted the information across its geo-redundant copies, or once the retention period has passed.
Another issue arises from confusion around the retention policy. We live in a digital time of accelerated change, and policies need to evolve alongside the times. Retention policies are difficult to keep up with at the best of times, but more so in today’s era of increasingly stringent regulations. Office 365 has only partial backup and retention policies that were put in place to prevent situational data loss, rather than to be a thorough backup solution that takes all factors into account. In addition, Office 365 does not offer point-in-time restoration of items in the mailbox, which, in the event of a disaster, can turn the clock back to a point in time before the catastrophe struck and rescue the situation. Using a proper backup solution ensures that retention policy gaps are closed, and restoration becomes more flexible. Backups, whether short or long-term, ensure that information can be recovered instantly, in a manner that is simple and reliable.
While most view security threats as being advanced threat actors continually on the lookout for ways to evade the security nets, in truth, the biggest threat is often sitting in the office down the hall from you. Some of these insider threats are simply careless employees who unwittingly open malicious links or attachments, download apps from untrusted sources, or leak their login credentials to seemingly legitimate sites. Others are disgruntled staff members who intend to cause the company harm, either by selling its secrets, tampering with its data, or damaging its systems. Microsoft doesn’t have the ability to tell a legitimate user from a terminated staff member who is trying to delete critical company information before disappearing. Again, a proper backup ensures that data, in its correct form, can be restored.
Then there’s the question of external cyber threats. Stories of major organisations with the best security solutions money can buy falling victim to ransomware have littered the headlines for the past few years, proving that no one is immune. Not only does this scourge cost businesses a fortune in downtime, data recovery, forensics and legal issues, but it can also seriously damage a company’s reputation, resulting in a loss of customer confidence. Having regular, thorough backups in place will mitigate the damage and make sure that the business can recover quickly, with minimum disruption.
Another area where having backups immediately at hand might be critical is when it comes to issues of regulatory and compliance requirements. A business might need to retrieve an email, file or some other document from a couple of years ago, as proof should the company be involved in litigation, or for auditors who need to ensure that all the checks and balances are in place. While most companies might never find themselves in a legal wrangle, it can happen to anyone, and having a backup in this instance could mean the difference between winning, or losing and being saddled with prohibitive costs. We live in an increasingly tight regulatory environment, and although compliance requirements and access regulations differ from country to country, almost every region insists on the careful storage and protection of personal information.
For these and other reasons, it is critical that businesses back up their Office 365 data. While most of us believe it won’t happen to us, unfortunately, it does, and too often. Protecting your Office 365 data is the only way to make sure you are covered if it does.