Data backup is a critical process for disaster recovery and business continuity. So important, in fact, that it is wise to be informed whether Microsoft 365 is backed up.
The short answer to the title question is yes and no. Whilst Microsoft does back up Office 365 data, it does have limitations. On the one hand, Microsoft 365 helps to safeguard all the information stored on the platform.
However, that may not necessarily mean Microsoft’s backup options are a solution for your business.
As a matter of fact, in most cases, it won’t be!
Business owners need to plan a backup strategy that covers any likely scenario, not least because data protection regulations dish out financial penalties to firms that neglect to protect data.
As a result of legal obligations, businesses that store the data of third parties are required to back up data regularly and install security measures that comply with regulatory mandates.
If you fall outside the boundaries of Microsoft 365’s very limited backup solution, it is advisable to look for other options.
This is why!
Why is Backing Up Your Data So Important?
Data loss can occur in a number of ways:
- Employees or even your internal or external IT team can accidentally delete files
- Malware can delete, corrupt or steal your data
- Malicious actors using ransomware can encrypt any data on your network and deny you access
- Hard drive failure caused by electrical or mechanical damage
- Insider threats from rogue employees or contractors
- Natural disasters: fire, flood (not just the biblical kind; think air conditioning faults and other plumbing gone awry!)
To determine the level of data backup your company requires, you need to consider the financial impact. This should include the loss of productivity, the cost of recovery and potential compliance penalties.
Data backup should be a foundational aspect of your data recovery plan. For more guidance about the contents of a data recovery plan read our earlier article here.
With the heightened risk of a data breach, securing your data and legislating for data recovery is key to meeting compliance standards such as GDPR. Companies are legally obligated to report data breaches to the relevant authorities and to third parties that are affected.
A growing number of data breaches incur a penalty. Moreover, consumers lose faith and trust in brands that do not protect their data. It is estimated that 60% of companies fold within six months of a data breach.
Ensuring that Microsoft 365 and all your other critical business data are backed up is one of the safest and most proactive ways of protecting your company and your customers, and of remaining compliant.
How is Data Stored in Microsoft 365?
Microsoft claims their data backup protocols help to “comply with national, regional, and industry-specific requirements governing the collection and use of individuals’ data.”
This is true to a degree. Microsoft 365 does provide a data backup service that meets a set of compliance obligations.
First of all, your data is stored and available in at least two locations at the same time. Therefore, if one server goes down, you should still be able to access your data from a second data centre. Data is only replicated within primary datacenter regions so it is available in more than one storage unit.
The benefit here is that your data is readily available and you shouldn’t encounter any problems other than in highly unlikely, albeit not impossible, scenarios.
For example, all the locations which store your Microsoft 365 data may fail simultaneously. That would mean your data cannot be accessed from either location, which will seriously impact your productivity and profits.
To avoid this, Microsoft offers replication and redundancy across multiple storage locations. It is very unlikely that multiple data centres would become unavailable at once. The only realistic way that can happen is if the tech giant falls victim to a ransomware attack and pulls the plug on all its data centres.
It’s hard to imagine a world where this would happen. Having said that, Microsoft’s track record of protecting its servers from cybercriminals is not great.
It’s also worth noting that Microsoft has a 30-day retention period, the exception being SharePoint which only has a 14-day retention period. That means any files you share will be lost if they’re not backed up by any other means.
On a positive note, short-term data backup on SharePoint and OneDrive is excellent. The software performs versioning, which automatically saves versions of the document whilst you’re working on it. If you have a power outage or a system failure, the amount of data you lose, if any, will be minimal.
Microsoft 365 enables 500 versions by default. All you have to do is update list settings in the main settings area.
What else could go wrong?
Not all data loss is due to technical errors. What happens if a file is mistakenly deleted by a user or malicious actor?
Companies are responsible for protecting critical data and have an obligation to implement recovery and security protocols. Depending on your level of compliance, this includes adequate technologies and appropriate training.
When Microsoft performs a backup, the information overwrites previous backups which have expired. At most, Microsoft only stores your backed-up data for 30 days.
If someone accidentally moves a file with critical business data into the recycle bin, it will be unrecoverable after 30 days. Whilst this solution is good practice to help you navigate a ransomware attack, deleting files is not good business practice for employees that may need to access the data at a later date.
This can be problematic for files stored in SharePoint. For example, you may decide you need to revive an idea, strategy, images or figures from a previous version that has been placed in the recycle bin during housekeeping.
Microsoft cannot restore data once the 14-day expiry date has passed. Ultimately, businesses are responsible for storing and recovering their own data.
So how about data that can be stolen or deleted by rogue employees or cyber criminals that have infiltrated your IT network?
Microsoft’s backup policy helps to protect sensitive data. One way of doing this is to assign levels of access to every user by updating the permission settings. This ensures employees have restricted access to files, folders or libraries they are not authorised to touch.
Companies that work with contractors are, therefore, well-protected. Not even Microsoft employees can access data stored in the cloud. This satisfies your compliance obligations – for the most part.
However, Microsoft also recommends that you take advantage of the other data backup options they offer: preservation locks and retention label policies.
But that’s not straightforward either.
Problems with Microsoft 365 Backup
Preservation locks prevent anyone – including a global admin – from deleting or relocating protected files. Sensitive data that you don’t want to lose is assigned a retention label that cannot be tampered with.
Sounds like a great solution – but, alas, it is not without its complications.
Whilst preservation locks are an effective tool against rogue employees and hackers, they are not the simplest of solutions. To give you an idea, the overview alone is 25 pages and over 5000 words long. It’s not light reading.
Moreover, the variety of options available in this tool could easily be misconfigured – which could actually open a doorway for hackers instead of keeping them out. Misconfigured cloud software is responsible for a high number of data breaches.
The other issue with Microsoft’s retention labels is that they store older versions of the file. Duplicated files take up storage allocation in your 365 accounts. The chances are you will have to pay for more storage space far sooner than you would if you didn’t use the preservation lock.
And since you cannot undo a retention policy once it has been activated, the file will always be stored on your system – even after it’s outdated. Microsoft will, of course, increase their fees for additional storage intermittently, leaving you paying for storage of files you don’t even need.
Another problem with retention labels is you can’t delete stored data. So what do you do if a customer requests their ‘right to be forgotten’ under the rules of GDPR?
As far as we’re aware, Microsoft hasn’t planned for this scenario. But then, neither has GDPR. That means the consumer does not have a right to be forgotten by firms that deploy Microsoft’s preservation lock.
What if Malicious Malware Deletes Your Files?
The rise of cybercrime leaves every business susceptible to malicious malware. If you follow the business news, you will probably be aware of the alarming number of high profile companies that have suffered a data breach in recent years.
Scaremongering aside, there are plenty of ways to protect consumer data from cybercriminals. Yes, the threat is real, but today’s cyber security solutions keep the average hacker at bay. If you notice, the breaches that hit the headlines are usually the result of state-sponsored espionage attacks.
However, that’s not to say business owners should be blasé about the level of cybersecurity defences they implement to protect their network. There is still a possibility that malware finds its way onto your computer undetected.
With that said, some malware is designed to delete files that are not frequently opened. That means your files could go missing without you noticing. This will cause a major problem if the only backup solution you’re relying on is Microsoft 365.
Remember Microsoft’s 14 or 30-day retention policy? It’s not a long period of time to pass before data is lost forever.
Third-party backup tools avoid all the complications described above. With alternative backup solutions at your disposal you are not reliant on Microsoft, nor are you limited to their data backup policies and protocols.
Recommended Data Backup Options
We’ve established that Microsoft 365 offers a variety of data backup options that help businesses to protect some data and navigate associated risks.
However, it is also clear the fundamental solutions proposed by Microsoft are inadequate. We doubt GDPR regulators will let firms off the hook if they choose to rely on Microsoft 365 without any supporting backup solution.
Even Microsoft recommends backing up your data and content on a regular basis. Microsoft’s Service Agreement reads:
Our recommendation is based on years of experience in the IT industry. As a matter of fact, we doubt there are any IT professionals out there who would say Microsoft 365 backup solutions are suitable for any company. They are suitable for some small businesses with fewer than five employees and freelancers that work alone, and only if the data isn’t critical to their business, but that’s it.
Fortunately, there are plenty of alternative data backup solutions. We can’t recommend which one is best for you here because it depends on your business needs. However, feel free to contact our IT professionals in London and we would be happy to discuss the matter with you.
In the meantime, you might want to check out this list of data backup recommendations so you can get a feel for what is on the market.
In most cases, you will need a solution that is compatible with a wide range of software. Basically, anywhere you store data should be backed up, including apps.
Some cloud backup services also enable you to back up smartphones and tablets together with operating system files and applications. These types of tools are ideal for businesses that adopt a hybrid model or Bring Your Own Device (BYOD) strategies.
Also, look out for cost. Most data storage solutions offer several subscriptions and put a cap on the amount of storage space you are entitled to under each option. There may also be a limit on the number of devices the service will back up.
The data backup service we offer at MicroPro is fully managed to make updating your backups simple. Our team of experts also provide recommendations for how often your backups should take place and when.
For more information about our data backup solutions, contact our team of IT specialists in London today. We’re here to help!