Why Office 365 Backup is a Must for Every Business

by Nov 6, 2019Cloud & Hosting

IDC has released a new report calling attention to the critical importance of Office 365 backup for protection against SaaS data loss and other risks.

As with other software-as-a-service platforms, Microsoft Office 365 has become an essential productivity tool for organizations, and its adoption rate continues to accelerate. But IDC has found that a staggering number of businesses using the suite have no form of O365 backup protection in place, leaving them at risk of losing data from a number of causes.

Additionally, many users have the wrong impression that their data is automatically safeguarded by Microsoft, when in fact it’s not. While Microsoft has numerous security controls in place to prevent breaches and maintain service uptime, backing up the data is largely the customer’s responsibility.


60% of businesses are unprotected

IDC found that 6 in 10 O365 users are not using any backup system, which exposes them to several serious risks:

  • Data loss and security breaches
  • Failure to comply with regulatory policies
  • Lack of control over data

Below, we unpack each of these risks to illustrate how they can severely impact businesses of all sizes. But first, let’s provide some context on the state of SaaS and why backup is largely flying under businesses’ radar.


Essential productivity, but without essential protection

Office 365 is unquestionably an indispensable tool for many organizations. The platform enables teams to collaborate and work from virtually anywhere, providing cloud-based access to Microsoft’s most popular applications, including Exchange, Outlook, OneDrive, Word, Excel, SharePoint and others.

However, as IDC makes clear in its report, “While O365 is fast becoming the center of business productivity, a backup and recovery strategy is just an afterthought.”


Common misconceptions about Office 365 backup

IDC’s findings match up with our own experiences talking to customers about Office 365: many have misconceptions about how their data is stored in the cloud and what happens when it goes missing.

Examples of what we hear:

  • “The cloud is inherently a backup.” – This misconception is based on the assumption that SaaS data will always be available because it’s stored in the cloud via off-site servers/data centers. While that’s technically true, it doesn’t protect an organization from data that is accidentally (or maliciously) deleted from the cloud, as we further illustrate below.
  • “We’re covered by Microsoft’s SLA.” – O365’s service-level agreement is primarily focused on service availability. It is incorrect to assume that Microsoft will recover lost data, unless the loss is due to problems occurring within Microsoft’s cloud infrastructure.
  • “We trust Microsoft’s backups.” – Once again, this is a misconception about backup and recovery capabilities that aren’t actually there. Microsoft’s native backup capabilities are limited to the Recycle Bin feature, which means customers need an independent O365 backup solution if they want to protect their data.
  • “Data loss is unlikely.” – This misconception doesn’t take into consideration the numerous ways that businesses can (and do) lose data from their SaaS applications. For example, when data is accidentally deleted, whether on a large scale or when a single file goes missing, it may be unrecoverable unless an independent O365 backup system is being used.


Common reasons for Office 365 data loss

Let’s take a closer look at the ways in which businesses lose data in SaaS apps like O365. Since many users mistakenly assume their data is safe, it’s important to illustrate how easily files get wiped out.

  • Accidental deletion: Somebody deletes an email. A file gets moved to trash. An entire OneDrive folder gets deleted because the user thought it wasn’t needed any longer. (It was.) Accidental deletion is the most common reason for data loss in Office 365. Microsoft does offer some limited restore options, allowing you to recover files placed in the Recycle Bin, but only for a couple months. After that, it’s gone – unless you have your own backup.
  • Malicious deletion: Imagine a scenario in which an employee has been terminated from the company under hostile circumstances. Before they exit the building, they delete a swath of critical shared folders in OneDrive. It happens more often than you might think. And again, without a backup in place, these files could be gone forever.
  • Overwritten data or migration errors: Moving a large volume of data to a new location is a surefire way to accidentally delete files if the migration isn’t handled carefully. Similarly, if a third-party integration isn’t configured properly, data can be swiftly overwritten. These are common mistakes in O365 (as well as other SaaS platforms) that are extremely costly for unprotected organizations.
  • Cancelled user licenses: Again, mistakes happen. A common scenario is when employees leave a company and their Office 365 account is cancelled or allowed to expire before important files are retrieved from the account. Months later, somebody realizes they never asked the exiting employee for their work on The Big Project Due Today – and it’s long gone.
  • Malware: Just because it’s in the cloud doesn’t mean it’s immune to malware. For example, if you’re syncing local files to OneDrive, and the local files are encrypted with ransomware, then the cloud files will likely be encrypted as well.


How often do these scenarios really happen? A lot.

According to a survey published by EMC Corp, 80% of companies using SaaS have lost business data. So the common assumption that “it won’t happen to us” is just wrong.


Microsoft vs. the Customer: Who’s responsible for the data protection?

While Microsoft plays a fundamental role in ensuring the availability and performance of O365 apps, the actual data is the customer’s responsibility.

In its report, IDC breaks down those responsibilities side by side to clear up some misconceptions about Microsoft’s role when it comes to Office 365 backup.


Microsoft’s responsibility:

  • Cloud infrastructure: The reliability of the technology that powers the platform as it relates to uptime, availability, etc.
  • Data replication: Geo-redundant data storage for protection against adverse events occurring at Microsoft’s data centers
  • Data privacy: Regulatory controls for data privacy and storage security, industry certifications, etc.
  • Security: Security surrounding data center and infrastructure, as well as enabling app-level controls for users and administrators


Customer’s responsibility:

  • Data: Input and access of the business data within O365 apps
  • Backup: Independent replication of O365 data stored outside of Microsoft’s cloud
  • Recovery: Any recovery option that a customer requires beyond the limited Recycle Bin feature, i.e. granular restore or full point-in-time recovery
  • Internal legal compliance: Compliance with industry-specific regulations that are beyond the regulatory controls provided by Microsoft


Why is there no native O365 backup?

It’s certainly possible that Microsoft could someday offer its own backup and recovery capabilities for O365. But it’s important to keep in mind that when data loss occurs on the customer end, the applications are simply working as designed.

For example, OneDrive is designed to automatically sync your local files to the cloud. Whether they’re infected with ransomware is not (necessarily) Microsoft’s concern – only the syncing is. Just because the files are encrypted does not mean they shouldn’t be synced, at least from the application’s perspective.

Similarly, if a large amount of data is overwritten in O365, due to human error, how would the app know the difference? Once again, the application is simply following the user’s commands. This is a prime reason why an independent backup is needed.


A lack of compliance

In addition to the risk of data loss, some companies using O365 also face unique challenges of staying in compliance with federal regulations.

One critical issue is how long data is retained after an account is cancelled. For many organizations, Microsoft’s retention period falls short.

As IDC explains in its report, “Microsoft offers a 90-day retention policy that does not meet the more stringent data retention regulations for certain industries such as financial services, healthcare, retail, and government.”

These businesses require a third-party backup in order to set their own retention policies and remain compliant with these strict regulations.


Lack of data control

An important thing to remember about SaaS environments is you never have complete control over your data. You have access to it, of course, but the infrastructure is out of your hands.

This is a problem for today’s data-driven businesses. Because if you’re not in complete control over your data, it create process limitations, as well as risk exposure. Without an independent backup, IDC says, “Organizations do not have an exit strategy or freedom from SaaS lock-in because they are not in complete control.”


Selecting the right O365 backup

IDC provides several recommendations for selecting an O365 backup solution that eliminates the risks outlined above.

Here’s what to look for:

  • Flexible storage / deployment: For greater control of data, companies should have the freedom to choose where the backups are stored, i.e. on their own infrastructure or in a secondary cloud.
  • Recovery options: Look for platforms that enable a variety of recovery options, such as granular file-level recovery, full restoration of data back into the users’ accounts, backup exports, and so on.
  • Deep integration with O365: To benefit from features like direct file restores and intelligent API throttling, the backup platform needs to be deeply integrated with the Office 365 suite.
  • Scalability: Businesses should be able to scale easily as their data grows and/or as more users are added – without storage limitations or unreasonable investments.


Backing up Office 365 with Backupify

We like Datto’s Backupify for its robust, automated backup of all O365 data, including OneDrive files, Contacts, Calendars, Exchange and SharePoint.

Backups occur automatically 3 times a day and can be restored instantly to a user’s account or an administrator’s computer. A robust search function makes it easy to locate lost files, and data can be restored at a granular level or via a full restore with all folder structures intact.

Unlimited storage options allow businesses to scale easily while also maintaining control of their data.


Request a free demo

Learn more about protecting your Office 365 data with Backupify. Request a free demo or contact our business continuity experts at Invenio IT. Call (646) 395-1170 or email success@invenioIT.com.

New call-to-action

Dale Shulmistra is a Business Continuity Specialist at Invenio IT, responsible for shaping the company’s technology initiatives -- selecting, designing, implementing & supporting business continuity solutions to bolster client operational efficiencies and eliminate downtime.