Microsoft 365 back ups? Are they enough?

Assumptions & Misconceptions

It’s reported that around 80% of security incidents are linked to human interaction and mistakes, and whilst systems like Microsoft 365 have some data storage and back-up functionality, many assume it’s sufficient for their needs - and that’s where the trouble starts.

Even a small incident can wipe out critical information, and as data becomes more valuable to organisations, backup and protection is increasingly critical. All companies’ back-up data to some extent, with the expectation that a clean copy of their data can be recovered and rapidly restored in the event of a primary data or system failure.

Such issues typically arise from hardware and software failure, data corruption, human error, accidental data deletion, and malicious cyber-attacks (ransomware, malware, or virus).

Backup copies allow data to be restored from an earlier point in time enabling business continuity and recovery from an unplanned incident, but many back-up systems are simply not capable of this, and a failure could be catastrophic to an organisation. 

To meet regulatory and compliance standards, many organisations need a robust and resilient process that stores backed up copies in a separate medium from primary systems, providing effective protection against damaging data losses, when an incident occurs.

Legal Obligations

Data should only be used for specific, legitimate purposes; it should be accurate, up-to-date, and kept for no longer than is necessary. Security directives require organisations to take appropriate measures to protect their systems and data using proportionate technical and organisational measures to prevent and respond effectively to any breach.

It’s important to remember that whilst software-as-a-service (SaaS) options, like Microsoft 365, take responsibility for the application infrastructure and uptime, it remains the customer’s responsibility to manage and protect their business data, and whilst some security and data replication is included, it may not be enough – as the care of your data is your responsibility!

Does Microsoft 365 provide data back-up?

There are data retention capabilities within Microsoft 365 but they are not actually data backups. The service assures that data won’t be removed or deleted for as long as required, but the company disclaims liability for any data loss caused by service disruptions, and full data retention remains the customer’s responsibility.

According to Microsoft’s Shared Responsibility Model, the user should ensure their data is safely backed up in a different location, to adhere to the common definition of a data backup, which is a separate copy, stored in a separate location, with quick and easy recovery and restoration.

Relying solely on M365 for storage and security protection is simply not enough, because it doesn’t meet the standards of data retention required in sectors like financial services, healthcare, retail, and government. At the time of writing, their backup is not granular, so businesses looking to implement data recovery without a proper backup solution in place will not find it easy, or even possible, without damaging business disruption.

The Bottom Line

Backup and recovery are extremely important in today’s digital economy. The increasing legislation and alarming escalation in cybercrime – both in scale and sophistication, exposes vulnerable organisations to the dangers and consequences of security breaches and data loss.

Our highly secure S3 storage solutions and business continuity services are based entirely within the data sovereignty of the Channel Islands, and provide the highest levels of data storage and protection. Data sets from Microsoft 365, company proprietary systems, and any other on-premise applications can be fully protected using our immutable S3 storage solutions. Data stored with us is immutable, meaning it cannot be changed, tampered with, or modified in any way, making it permanent and unalterable – and any attempts to change or tamper with it are immediately detectable.