Over recent years, the modern workplace has seen significant increases in the number of organizations migrating from on-premise Exchange environments to Office 365. After all, Microsoft provides today’s modern workplace with best-in-class apps and powerful cloud services with accessibility built-in, letting work groups carry out their responsibilities and collaborate like never before.
In fact, Office 365 is the most widely used cloud service by user count. One reason for this continued surge in user adoption in the workplace is the recent addition of licenses extended in both the government and education spheres, with the financial services holding the highest rate of Office 365 use and healthcare continuing to climb. Microsoft hosts the infrastructure for Office 365, but this doesn’t supplant your responsibility to maintain a backup of your organization’s data. It’s actually your obligation to access, move and recover your data, not Microsoft’s.
There seems to be a false perception in our industry that data cultivated and stored in cloud ecosystems such as Office 365 doesn’t need to be backed up beyond the native offerings and features – but this simply is not true. Your organization’s business continuity relies on a proper disaster recovery plan, and backup must be at the heart of it. Best practices recommend a 3-2-1 backup rule in which an organization has three sets of backups, stored across two forms of media, with one copy living off-site.
Microsoft, to their credit, takes care of a lot in terms of backup and provides great value for all of its Office 365 users. The primary focus for Microsoft is to manage the Office 365 infrastructure and maintain the highest level of availability for all users, but quite a common misconception is that Microsoft fully backs up your data on your organization’s behalf. We highly recommend that everyone using Office 365 for Exchange, SharePoint and even OneDrive take a closer
Learn more about supplementing your Office backups in our whitepaper
look at what Microsoft does in terms of backup and data retention versus what you assume they are doing. What most will find is that Microsoft does employ standard precautions, but the gap between this and what most organizations need appears to be wide. Aside from the standard precautions Office 365 has in place, it may serve you well to reassess the degree of control you have with your data and how much access you truly
have to it.
What Microsoft does offer and provide is geographic redundancy, a term we use to signify a computer system operating at multiple geographical locations as a redundancy in case the primary system fails due to any reason. This can often be mistaken as backup. Of course, true backup occurs when a historical copy of the data is made and then stored in a different location. It is absolutely paramount that you have access to and control over that backup so, if data is compromised, accidentally deleted or maliciously attacked, you can quickly recover. Geographic redundancy, on the other hand, only protects against a hardware or site access failure, so if there is an infrastructure crash or a large outage, your users will remain productive, and in most
cases are completely unaware that Microsoft had an issue with one of their hosting locations. Microsoft Office 365 is an extremely capable and feature-rich Software as a Service (SaaS) platform. It provides an extremely high level of availability and uptime, to ensure your users always have access; however without an Office 365 backup plan, you are likely severely exposed to a number of security threats. There are many, many threats to your Office 365 data, but in this post, we’ll focus on just five most concerning.
What would happen if you needed to unexpectedly retrieve emails, files or other types of data amid legal action or inquiry? Microsoft has a couple of safety nets for cases like this (one is called Litigation Hold), but this is not a robust backup solution capable of keeping your company out of legal trouble. Just as an example, if you or your administrator accidentally delete a user, their “on-hold” mailbox, their SharePoint site and OneDrive account are all gone – permanently deleted when the user was deleted. In this instance, you would not get this particular user’s data back from Microsoft. Legal requirements, compliance requirements and access regulations vary between industries, but fines, penalties and legal disputes are three things that are best avoided if at all possible.
Malware and viruses, like ransomware, have done a lot of damage to organizations across the country. Not only is your company’s reputation at risk, but also the security and privacy of internal and customer data as well. External threats can sneak in through emails and attachments, and it isn’t always enough to educate users on what to look out for — especially when the infected messages seem so compelling and look legitimate. Microsoft Exchange’s backup and recovery functions are inadequate in handling serious attacks
on your data, but regular backups will help ensure a separate copy of your data is uninfected easy to recover.
People often conceptualize security threats in terms of hackers and viruses. However, businesses experience threats from the inside, and they happen more often than you think. Organizations fall victim to threats posed by their own employees, both intentionally and unintentionally. Access to files and contacts changes so quickly that, it can be hard to keep an eye on those in which you’ve installed the most trust. Microsoft has no way of knowing the difference between a regular user and a terminated employee attempting to delete critical company data before they depart. In addition, some users unknowingly create serious threats by downloading infected files or accidentally leaking usernames and passwords to sites they thought they could trust. Another example is evidence tampering. Imagine an employee strategically deleting incriminating emails or files — keeping these objects out of the reach of the legal, compliance or HR departments.
REASON #4: Accidental User Deletion
If you delete a user, whether you meant to or not, that deletion is replicated across the network, along with the deletion of their personal SharePoint site and their OneDrive data. Native recycle bins and version histories included in Office 365 can only protect you from data loss in a limited capacity, which can turn a simple recovery from a proper backup into a big problem after Office 365 has geo-redundantly deleted the data forever, or it has fallen out of the retention period. There are two types of deletions in the Office 365 platform: a soft delete and a hard delete. An example of soft delete is emptying the Deleted Items folder. It is also referred to as “Permanently Deleted.” In this case, permanent is not completely permanent, as the item can still be found in the Recoverable Items mailbox. A hard delete is when an item is tagged to be purged from the mailbox database completely. Once this happens, it is unrecoverable, Period.
The rapid pace at which business and data flow in today’s digital age lends itself to continuously evolving policies, including retention policies that are difficult to keep up with, let alone manage. Just as discussed above with hard and soft delete, Office 365 has limited backup and retention policies that can only fend off situational data loss and are not intended to be an all-encompassing backup solution. Another helpful type of recovery, a point-in-time restoration of mailbox items, is not in scope with Microsoft Office 365. In the case of a catastrophic issue, a backup solution can provide the ability to roll back to a previous point in time prior to this issue and saving the day. With an Office 365 backup solution, there are no retention policy gaps or restore inflexibility. Whether you need short-term backups, long-term archives, or granular or point-in-time restores, everything is at your fingertips, making data recovery fast, easy and reliable.
There are, without a doubt, security blind spots you may or may not have been aware of before within Microsoft Office 365, but hopefully this post sheds some light on areas you should further inspect within your own 365 environments. Take the time to read what data retention you have enabled in Office 365 and be aware that permanently deleted data is gone forever without an Office 365 backup solution in place. You already made a smart business decision by deploying Microsoft Office 365, now find a backup solution that offers you both complete access and complete control of your Office 365 data and avoid the unnecessary risks and bottom-line costs of data loss.
To find out how we could help you assess and enhance your organization’s Microsoft Office 365 data, contact one of our subject matter experts for a pressure-free Office 365 consultation.
Xigent holds partnership with backup industry leaders with products specifically designed to back up Microsoft Office 365 data with compliance, internal and external security threats, and retention gap confusion all at top-of-mind. Eliminate the risk of losing access and control over your Office 365 data including Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams – so that your data is always protected and accessible to you and your employees.