Click to learn more about author W. Curtis Preston.

Office 365 is one of the top enterprise SaaS applications and has become a staple technology across nearly every sector.However, there’s a common and costly misconception that cloud-based apps are automatically backed up and recoverable. While these apps have some native protection for incidents like server failure or minor user errors, they often do not protect from events like a cyber-attack or rogue administrator.

The reality is that you are responsible for protecting your data and if you continue to rely on Microsoft alone, you may be putting your critical data at risk. Without proper backup, you could find your Office 365 applications—and perhaps, even the company—out of commission for hours or days.  You may also lose intellectual property essential to your company. To protect your business, it’s time to backup your environment properly.

This fact was painfully driven home to one San Francisco company recently, that according to a lawsuit filed  in federal court,  lost their entire company’s intellectual property that was stored in G Suite. Someone accidentally deleted their entire account and Google has said the data cannot be restored.  This is because like Microsoft, Google is not backing up data in its SaaS accounts in a way that would allow a customer to restore from such an event.

When the Recycle Bin isn’t Enough

If you delete or accidentally corrupt a few files, the recycle bin is your best friend. You can easily go into the Recycle Bin and pull them out, but it’s not designed to restore an entire user to a point in time – you would have to drag out each needed file.  It’s also unavailable if someone deletes the account itself, such as what happened above.

If ransomware specifically targets how an application works, then you have a bigger problem. Ransomware can mutate certain files multiple times and create dozens of useless versions. Once that happens, any future backups will be made up of data that is meaningless to your business.

To be fair, Office 365 does provide a number of tools to protect you against ransomware, but these are mainly perimeter tools aimed at stopping the ransomware in the first place. These are essential tools, but they can benefit from some additional monitoring to detect ransomware if it does make it through the perimeter defenses.

But perhaps a more perilous problem than ransomware is when the issue arises from inside the organization. A rogue administrator can wreak havoc on an environment, deleting files and folders and reducing versioning to a very low number that makes it difficult to recover documents and assets from specific points in time.  Microsoft’s new Retention Policies and Retention Lock can help mitigate this, but they rely on versioning to work. That means that this “backup” is being stored in the same location as the primary dataset, which is a basic violation of backup design. In addition, this system is not designed for point-in-time restore, since it uses an e-discovery workflow. It is therefore more built around finding specific emails or files, versus restoring an entire user to a point in time.

Skip the Middleman

Without proper backup, you have to go through Microsoft to solve any issue with your data. Although SharePoint backs up the environment every 12 hours, in order to access lost data you need to contact Microsoft support to use this backup. This process can take days or even weeks to complete, and most businesses just don’t have time to stop operations while they wait for Microsoft to resolve the issue or recover their data. In addition, this service is not mentioned in any documentation, and especially not in any service agreement, which means Microsoft is under no obligation to continue doing it, or to be successful when they restore your data.

Restore a Specific Point-in-time Easily and Efficiently

There’s usually a moment right before everything went wrong – the calm before the storm. Many don’t realize that Microsoft doesn’t offer the ability for precise point-in-time restore that a backup solution can. Instead, you are forced to pick a date, and confirm by trial and error if that set is pre- or post-incident. Even more alarming, Microsoft support can take days or weeks to fully restore your data, compared to the minutes it takes a  competent backup solution. Most enterprises can’t afford to weather the downtime after data loss and require a minimal RTO—quick and painless restoration is the best way to save money and ensure peace of mind.

Preparing for the Inevitable

Office 365 is one of the most popular suite options for the modern enterprise, but IT operators need to understand that it is not an airtight platform when it comes to data backup and storage. Like most SaaS based offerings, you can be assured of reliability and uptime, but there are no SLAs around backup and recovery. Proper backup can play a critical supplementary role in protecting a business, all while giving agency back to the network operator.

It’s never worth gambling the safety of your business – make sure you have a proper backup plan in place.