Should I be protecting my data in Microsoft 365? - Bistech

Safeguard your organisation and prevent data loss with a third-party backup solution.

Microsoft’s cloud has experienced rapid adoption over the last few years, with 2020 alone seeing nearly 60% growth [1]. Improved data durability, data scalability and the consumption model are just a few of the reasons businesses are moving their data into the cloud.

Yet despite the overwhelming popularity of Microsoft 365, there’s some confusion about its built-in data protection capabilities. This includes the common misconception that Microsoft fully backs up your data for you — a misconception that could have significant consequences.

Data loss itself can occur in any number of ways, from accidental deletion to internal and external security breaches and ransomware attacks. In the case of the latter, for example, data is often maliciously deleted or encrypted. Without a robust backup in place, a business would be forced to either pay an increasingly large ransom demand or lose its data.

Even Microsoft’s own service agreement recommends regularly backing up your content and data using third-party services in addition to the native features they offer [2]. Yet despite this, International Data Corporation (IDC) estimates that 60% of organisations don’t have a protection strategy in place for their critical business data residing in Microsoft 365 [3].

What native features does Microsoft provide?

Recycle bin

If an employee accidentally deletes an email, OneDrive file or SharePoint item, Microsoft 365 stores this in the recycle bin for a limited period. To recover an item, it would need to be restored before it expires or the recycle bin is emptied by an admin — well-meaning or otherwise. In the case of malware deleting infrequently used files, it’s probable that this won’t be noticed in time and the data will be lost forever.

A proven third-party backup tool would allow you to easily locate and restore these files after a prolonged period, or even restore an entire user or folder to a point in time.


Versioning

Another native tool to protect against mistakes is versioning, with Microsoft 365 enabling 500 versions by default and continually saving them while a document is being worked on. While versioning is effective at preventing typical user errors, it can easily be disabled by a rogue admin or fake administrator — just another reason why it’s vital to back up the data that matters to your business.

Another challenge here comes again from malware, which may be able to change or encrypt your file more times than the number of stored versions — meaning that without third-party backup, there wouldn’t be a valid version available to restore.

Retention policies

Microsoft 365’s retention policies are complex (the “overview” is 25 pages and over 5,000 words long) with numerous options that could potentially be configured incorrectly and reduce protection.

Certain types of recovery, such as point-in-time restorations of mailbox items, are easily achieved by third-party solutions but simply not possible when relying only on retention policies. This is because they’re not intended to be an all-encompassing backup solution.

They’re also only effective against hackers and rogue admins if the optional ‘retention lock’ feature is enabled. However, this feature prevents anyone undoing a retention policy and can never be reversed. So, if you receive a ‘right to be forgotten’ request under GDPR, it cannot be satisfied — potentially a very serious side effect of relying on Microsoft 365 to back itself up.

And finally, with both versioning and retention policies, it’s important to note that the extra versions they keep are counted against your storage allocation, so both have a cost implication to consider.

So, who’s responsible for protecting your data?

Microsoft is responsible for its global infrastructure as well as maintaining uptime for its applications and services. Microsoft clearly states that, as the customer, you are responsible for the protection and long-term retention of your data.

This is referred to as the Shared Responsibility model.

Given the importance of protecting your corporate data and Microsoft’s strong recommendations to ensure you take responsibility for doing so, what should you be looking for when selecting a backup solution?


Select a product that’s both easy to deploy and easy to use when it’s needed the most — recovering your critical data.


A cloud-based product with consumption-based pricing allows you to scale up or down depending on your changing business needs.

Built-in ransomware protection

Ransomware attacks often target backups too. Ensure that any product you choose has isolation, immutability and recovery baked in for maximum protection.

Zero touch

A solution delivered as-a-service means you can protect your data with no on-premise infrastructure or time-consuming maintenance.

Peace of mind

In an IT landscape increasingly under threat of both intentional cyber attacks and accidental data loss, a solid backup solution is no longer a ‘nice-to-have’ — it’s a vital part of any disaster recovery plan. Ultimately, wherever your business-critical data sits, its responsibility lies with you.

So for total peace of mind, call our expert team today on 03330 11 22 55 to discuss your cloud strategy and backup requirements.

[1] Gartner, 2021, ‘Gartner Says Worldwide IaaS Public Cloud Services Market Grew 40.7% in 2020’

[2] Microsoft, 2021, ‘Microsoft Services Agreement’

[3] IDC, 2019, ‘Why a Backup Strategy for Microsoft Office 365 is Essential for Security, Compliance, and Business Continuity’