By thinkon

“Without an enterprise-grade backup strategy for [Office] 365, enterprises are exposing themselves to risks such as ransomware, accidental loss of data, lack of data control, compliance exposures, and threats to business continuity.”

Archana Venkatraman, Research Manager, IDC European Datacenter

Monday morning comes and you wake refreshed and smiling. The lyrics to Feeling Good make perfect sense to you and you find yourself whistling the tune as you head into the office.

Your digital transformation is well underway. The migration over the weekend to Microsoft 365 and Azure was successful. You’ve done right by your business – stored all of your organization’s critical data in the cloud. You relish that there will be no more updates for those applications fully hosted in the cloud and no more time spent ensuring security patches are up-to-date. And, best of all, no more fitful nights spent worrying about losing data and waking in a cold sweat from legal compliance nightmares. The hyperscale clouds are infallible, after all. Right?


Relying on a single public cloud provider doesn’t necessarily diminish risk—it’s just a sense of simplicity. Multi-cloud seems more complex, but it is far more secure to have multiple copies of data stored in various secure locations.

The risk to data escalates as demand for cloud storage continues to expand. Predictions are that by 2025, there will be 181 zettabytes of data worldwide.[1] Already, half of all corporate data worldwide is housed in the cloud with a substantial trajectory of growth in the years ahead as businesses increasingly turn to the cloud to enhance business resiliency and agility.[2]

No one cloud is perfect (but ours is close)

The top three public cloud providers have each experienced a headline-worthy crash.

In 2011, long before the cloud stored the copious amounts of data it does today, Amazon’s huge EC2 cloud services crashed, permanently destroying many customers’ data.[3] In 2014, Microsoft Azure faults knocked websites, as well as its own applications and services, offline, which was “hugely disruptive” to many enterprise customers including Tesco, Boeing and Toyota.[4]  In 2019, Google Cloud experienced a four-hour outage, bringing businesses that rely solely on its cloud services to a standstill.[5]

Almost half (49%) of enterprises rely on their cloud vendor for backup and recovery of Software as a Service (SaaS) applications.[6] But what happens when that vendor’s cloud fails?

Cover your asset with backup for Microsoft 365

With applications like Microsoft 365, SaaS providers offer enough protection assurances for the underlying infrastructure to meet their contractual SLAs. The problem lies in the fact that those guaranteed protections do not extend to customer data created on SaaS platforms. It’s vital to employ solutions to protect your data from risk, based on your terms rather than on the potential limitations of the SaaS platform’s offerings.

Additionally, application sprawl makes ensuring company-wide data protection a challenge. IT may not be aware of all the cloud apps that other departments within the organization are purchasing. The ease of purchasing SaaS applications means that departments such as marketing, HR and operational groups can buy cloud applications on a credit card and be using them for business-critical work, under the impression that the cloud has them covered—which it does not.

Globally, Microsoft 365 has 300-million monthly users who depend on the Microsoft 365 suite and its cloud storage for critical business operations.[7] The increase in remote and hybrid work models that heavily rely on email, chats, and documents inside the Microsoft 365 suite (especially SharePoint, OneDrive, and Teams) makes protecting that data critical to maintaining business operations.

To illustrate, a company calendar with multiple-year advanced planning is imperative to an event company’s operations. A shared calendar is stored in Microsoft’s public folders—a location purpose-built for storing shared content. Businesses wrongly assume that the public folders are backed up by Microsoft. In fact, this public folder is retained in what Microsoft calls a backup, but it is not permanent. For example, when you delete a file, it goes into the recycle bin and is retained for a certain period – however, if the retention period is over, it gets permanently deleted with no recovery possible. That’s where having 3rd-party backup in cloud is crucial.

Even though your company may be utilizing a cloud solution, if the public folders’ data disappears, you can’t retrieve it. One data deletion incident or ransomware attack and your multi-year planning calendar is lost.

Microsoft has a long and complex retention policy that many companies do not fully review. However, one big takeaway from it is that once a file gets sent to the desktop recycling bin it is only retained for a certain period of time. Once that retention period ends, the file is permanently deleted (or becomes unrecoverable). That’s why, in three   (4a, 4f, and 6b), the Microsoft Services Agreement recommends having a regular data backup plan provided by a third-party service. They say it three times. It’s that important.

A false sense of data security

“With Microsoft 365, it’s your data. You own it. You control it.”

— The Microsoft Technology Microsoft 365 Trust Center

Microsoft 365 is a perfect example of where businesses can be lulled into a false sense of data safety. Even though sensitive cloud data is stored in Microsoft documents, an estimated 76% is not being backed up.[8] In fact, IDC states that six out of every ten organizations still don’t have any form of Microsoft 365 data protection.[9] The Microsoft cloud is highly secure; however, the possibility of your sensitive data being exposed or lost does exist.

Your data could be up against:

  • internal and external threat actors who find a way to compromise cloud systems (such as ransomware)
  • data center failures due to hardware malfunction or physical catastrophe (such as a natural disaster)
  • employee error, leading to deletion (most people especially before their morning coffee)
  • limited data retention times (listed in the fine print, but who has time to read that?!)
  • cloud policy changes and legacy software being declared redundant, which means your data backup may be discontinued (siloed legacy solutions can be the death of data)

Microsoft’s principal focus is on managing the Microsoft 365 infrastructure and maintaining uptime for users. But they’ve stipulated that you are responsible for your data. The mistaken belief that Microsoft backs up your data on your behalf is quite common.

“While [Microsoft] 365 is fast becoming the [center] of business productivity, a backup and recovery strategy is an afterthought. Relying on Microsoft’s native backup capabilities and infrastructure-level uptime features is a risky strategy because, regardless of where the data is, it is the company’s responsibility,” says Venkatraman[10]

The hard truth is that cloud storage data loss is a real possibility – one that needs to be prepared for. It is your responsibility to secure, protect and establish retention policies for this cloud-based data.

Don’t put all your backup in the same basket

Just like the adage of not putting all your eggs in one basket, don’t put all your backup in one cloud. Just as you wouldn’t put your server and your tape backup in the same location, don’t use the same cloud for your applications and your backup. If you use Azure to back up Microsoft 365 and Azure goes down; then you are losing both your primary and backup sites. In other words, if all your backup is in the same cloud then you risk losing everything.

Although Microsoft provides infrastructure resiliency and application accessibility within Microsoft 365, you are ultimately the data owner. You are charged with the protection of your enterprise’s data, and you must define data protection based on your business’s specific needs. Acquiring a third-party data backup solution that is a completely different footprint than Azure Cloud is the best way to protect your organization from data loss vulnerabilities related to Microsoft 365.

ThinkOn’s Backup for Microsoft 365 featuring DataProtect 365 has your back. Powered by Veeam, Backup for Microsoft 365 featuring DataProtect 365 elevates the data protection experience above and beyond the expected, giving your company ironclad security, faster backups, and better performance. And with DataProtect 365, we keep the end-user experience simple, empowering authorized users in your organization to be a backup administrator or manage data recovery.

Click here and sign up for a free trial of ThinkOn’s Backup for Microsoft 365 featuring DataProtect 365.



[1] Statista, “Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2025.”

[2] Statista, “Share of corporate data stored in the cloud in organizations worldwide from 2015 to 2021.”

[3] Business Insider, “Amazon’s Cloud Crash Disaster Permanently Destroyed Many Customers’ Data.”

[4] BBC News, “Microsoft Azure fault knock websites offline.”

[5] The New York Times, “Google Disruptions Affect Gmail, YouTube and Other Sites.”

[6] 451 Research, “Taking Control of Your Office 365 Data.”

[7] MakeUseOf, “Microsoft 365 Now Boasts Over 50 Million Subscribers.”

[8] Veeam, “6 Critical Reasons for Office 365 Backup.”

[9] IDC, “Why a Backup Strategy for Microsoft Office 365 is Essential for Security, Compliance, and Business Continuity.”

[10] IDC, “Why a Backup Strategy for Microsoft Office 365 is Essential for Security, Compliance, and Business Continuity.”