Should you back up your Office 365 data?

When it comes to Microsoft services, most organisations have now moved from an on-premise model to the cloud-based Office 365 to reduce cost and improve efficiency. Despite the many advantages that the cloud solution offers, it is worth looking at what this transition involves for the protection of your data.

Today, we chat with Geoff Hughes, Managing Director at Venn IT, about why and when organisations should back up their Office 365 data.


What are the things to consider when wondering whether you should have a separate data backup for Office 365?

When it comes to data protection, the first thing to consider is usually what the technical, legal and other requirements for your organisation are and what level of risk you would be comfortable with.

Some industries have strict regulations about data protection, backup, and recovery and it’s important for your IT team to be aware of them and of their implications on your systems and architecture. Relying solely on Microsoft Office 365’s native backup could mean some serious legal issues down the track should something happen to your data.

It’s also important to review which systems and data you view as critical for your organisation and to review what you currently have in place to protect them.


What levels of protection are included in your 365 service?

As per their shared responsibility model, Microsoft is responsible for the availability of their service and for the high-level access and security aspects. Below is an illustration of the Office 365 shared responsibility model.


[Figure: Microsoft Shared Responsibility Model]


As you can see, the service availability is handled by Microsoft but, ultimately, they are not responsible for your data. If your data is destroyed or corrupted, it is your responsibility and your problem to fix it.

For example, the recycle bin will keep a copy of the deleted data, but only for a short amount of time. Past that point, you won’t be able to recover it. Microsoft also doesn’t provide a point-in-time recovery; it is thus not possible within the service to recover specific data back to a defined point in time.

I would strongly encourage Office 365 admins to take a look at what is and isn’t included within their service and to make sure they set up their environment to fit their organisational needs. If you have any questions on this topic, feel free to reach out for a chat.


What are the risks of not backing up your data outside of 365?

To put it simply, not backing up your data means that you rely heavily on Microsoft to provide you with your data accurately and at all times.

This can potentially create a few issues down the track such as:

  • What happens if, for legal reasons, you need to recover data?
  • What happens if you need to reconsider your usage of 365 and move to another provider? Are you in a position to mobilise a quick transfer of your data to a new provider?
  • What happens if Microsoft suffers a catastrophic event that leads to your data being corrupted and/or erased?

The answers to those questions will depend on each organisation, the regulations they might be subject to, and their appetite for risk. We know of quite a few companies who have made the choice not to back up their Office 365 data and, as long as it’s an informed decision and not just due to a lack of knowledge of their options, that is totally fine.


What solutions are available?

There are some options included as part of the Office 365 product, but you need to be especially careful during its configuration as well as keeping it in line with your requirements should they change. To give you a quick example, when recording a Teams meeting, the meeting organiser can set an expiry date for the recording. What happens if you need that recording after it has expired? Is that something you are willing to leave within the control of your users? Has the policy setting for the organisation been configured correctly for data retention?

At the end of the day, it all comes back to what level of risk you are comfortable with. For some organisations, email might not be seen as being a critical component and they would consider having to wait 24h for email recovery an acceptable delay; for some it is unimaginable. Anything that is critical to your business, for its day-to-day activity or for compliance requirements, needs to be looked at properly and that’s when you need to consider an external backup solution.

If you’re still unsure of what this means for your organisation, whether it is for you, and what that would involve, please feel free to reach out to the team at Venn IT. We pride ourselves on our independence and our ability to find the right solutions for our customers, whatever that looks like.