How do you know you have control of your Office 365 data? Most of us would quickly answer “of course I have control” or “Microsoft makes sure I have access to my data”.
On closer inspection, it’s not so clear.
Although Microsoft takes great care with the security aspects of its products, its core business is managing the Office 365 infrastructure, not doing work that you should actually be doing yourself.
It provides you with the tools you need to make the backups you need for peace of mind, but it doesn’t do them on your behalf.
This is a common misconception and if we don’t change our mindset, the resulting inaction can have major repercussions.
That’s why you need to make sure you really do have access and control over your data in Microsoft Exchange Online, SharePoint Online and OneDrive for Business products.
In this article, we’ll tell you about the dangers of not backing up Office 365 and why alternative solutions to Microsoft help you retain your data for the long term and protect it for the future.
The confusion surrounding Office 365
As mentioned above, there is a common misconception that affects both Microsoft’s perceived responsibility and that of the user.
The backup and recovery capability that Microsoft provides and what users assume they are getting are often quite different.
That is, aside from the standard precautions that Office 365 has in place, you may need to re-evaluate the level of control you have over your data and access to it.
For starters, Microsoft Office 365 offers geographic redundancy, which is often confused with a backup.
Like, an Exchange Online backup is when you create a historical copy of your data to be stored in another location. In addition to having a copy, it is key to have direct access and a high degree of control over that copy, so that if data is lost, accidentally deleted, or if there is a hack, for example, the user can recover it quickly.
Geographic redundancy, on the other hand, protects against web or hardware failures, so that if an infrastructure failure occurs, users remain productive and often oblivious to the underlying problems.
Why is geographic redundancy not enough?
According to Microsoft’s own description, geographic redundancy means that “regardless of where customer data is stored, Microsoft does not control or limit the locations from which customers or end-users can access it”.
Therefore, we cannot assume that Microsoft will be responsible for securing all of our data or access to it in case of need.
6 Reasons why backing up Office 365 is important
As a software-as-a-service (SaaS) platform, Microsoft Office 365 is perfectly suited to the needs of many organisations. It provides the availability and application uptime that ensures your users don’t lose productivity.
However, there are other aspects that Office 365 users don’t take into account that can protect you against the many security threats that can occur.
You probably think that the recycle bin is enough to retrieve everything you need. Like you, many other people are wrong on this point, as the time it takes from when data is compromised until the user becomes aware of it varies, but can sometimes be as little as 14 days or even 1 day, depending on the individual case.
Given these sometimes very tight deadlines, you may not notice that a key file is missing until it is too late to recover it via the recycle bin.
Hundreds of IT professionals around the world who have migrated to Office 365 have identified six key data protection vulnerabilities:
1. Accidental deletion
If you delete a user, either on purpose or accidentally, this deletion is replicated across the network, along with the deletion of the SharePoint user and OneDrive data.
The native recycle bins and version histories included in Office 365 can only protect you from data loss to a limited extent, which can turn a simple recovery from a backup into a big problem after Office 365 has deleted the data for good.
It is important for the Office 365 user to know that there are two types of deletions, soft deletion and hard deletion.
An example of soft deletion is emptying the “deleted items” folder. In this case, permanent is not completely permanent, as the item can still be found in the retrievable items mailbox.
A final deletion is when an item is tagged to purge it from the mailbox database, completely. When this is the case, the item is irretrievable.
2. Gaps in the retention policy
Data retention policies do not remain unchanged over the years, let alone since the digital age has imposed such a drastic pace of change.
Like other solutions, Office 365 has limitations in its retention policies and does not pretend to be all-encompassing.
So you can’t expect that in the face of a catastrophic problem, Office 365 will have the ability to revert the data somewhere between the problem and your work.
By contrast, with an Office 365 backup solution, there are no retention policy gaps. You can set up short-term backups or long-term archives, granular or point-in-time restores, and of course, your data is at your fingertips for quick, easy and reliable recovery.
3. Managing hybrid email deployments and Office 365 migrations
Organisations and businesses that opt for Office 365 usually need a period of time to transition between on-premises Exchange and Office 365 Exchange Online.
Some even leave a small part of their legacy system in place temporarily for greater flexibility and control.
These hybrid email deployments are common but present additional management challenges.
The right Office 365 backup solution should be able to handle this temporary solution and manage the data efficiently, regardless of its location.
4. Internal security threats
When we talk about security threats, images of hackers and viruses come to mind.
However, the reality is that companies suffer from internal threats that happen more often than we imagine.
Employees, consciously or unconsciously, are also a threat to company data. For example, access to files and contacts changes so quickly that it is not easy to know whether the user who has this access is trusted. Microsoft has no way of knowing the difference between a user on staff and a terminated employee deliberately trying to delete data.
In addition, some users unknowingly create threats by downloading infected files or accidentally leaking usernames and passwords on websites that can compromise the entire company.
5. External security threats
Malware and viruses, such as ransomware, have caused serious damage to organisations around the world.
Not only is the company’s reputation at risk, but also the privacy and security of internal and customer data.
Moreover, these threats can sneak in from many access points, such as emails or attachments, and it is not always enough to educate users on what to look out for, as these types of hooks are very well designed.
In this respect, and in the face of such an attack, Exchange Online’s recovery capabilities are insufficient to handle serious attacks.
Regular backups will help ensure that a separate copy of the data is not infected and can be recovered quickly.
6. Legal requirements
Occasionally, it is necessary to recover emails, files or other data during legal actions. Although Microsoft has built-in a couple of safety nets, they are not a robust backup solution capable of keeping your company out of legal trouble.
For example, if you accidentally delete a user, their internal mailbox, personal SharePoint and OneDrive account are also deleted.
Legal requirements vary from industry to industry and country to country, but fines, penalties and legal disputes are aspects of your business that you probably don’t want to leave on the to-do list.