Microsoft 365 is reliable, secure and well designed. All of that is true, and that is exactly why it is so easy to fall into a false sense of security. Microsoft’s cloud protects the infrastructure and the availability of the service, but it does not protect your data from you, your employees and attackers. That is a completely different layer of responsibility.

The shared responsibility model

Microsoft operates under a shared responsibility model. Greatly simplified, it splits like this:

  • Microsoft is responsible for the operation of the platform, the availability of the service, the hardware and the protection of data centres,
  • the customer is responsible for their data, accounts, configuration and what users do with that data.

You will find this distinction stated directly in the terms of service. Microsoft guarantees that the service will be available. It does not guarantee that it will recover a file deleted by an employee three months ago, or a mailbox removed along with an account when someone left the company.

Where cloud data loss comes from

A data centre failure is the rarest reason for data loss in Microsoft 365. Far more often, data disappears for reasons no cloud provider controls:

  • accidental deletion of a file, email or a whole document library,
  • deliberate deletion of data by a departing employee,
  • overwriting a document with a wrong version,
  • a ransomware attack that encrypts files synced with OneDrive and SharePoint,
  • account takeover through phishing and deletion of the content by the attacker,
  • removal of a user account together with their mailbox and files.

In each of these cases Microsoft behaved exactly as it should. It carried out the command of an authorised user. The problem is that the command was wrong or malicious.

The recycle bin and version history are not a backup

Microsoft 365 has built-in protective mechanisms, but they have hard time limits and are not a backup.

  • The recycle bin and the second-stage recycle bin keep deleted items for a limited time, usually counted in days.
  • Version history helps undo a change, but only as long as the versions exist and only for supported file types.
  • Legal hold and retention are compliance features, not a tool for convenient recovery.

The worst calls I get always follow the same event. Someone realised data was missing after the retention period in the recycle bin had passed. By then there is nothing left to restore, because the company never had an independent copy.

What an independent Microsoft 365 backup gives you

An independent copy is data kept outside Microsoft’s tenant, under the company’s control and with its own retention policy. Such a backup lets you:

  • restore a single email, file or whole mailbox from months ago,
  • recover data after a ransomware attack or account takeover,
  • keep former employees’ data without maintaining paid licences,
  • meet requirements to keep documents for years.

A backup usually covers Exchange Online email, OneDrive files, SharePoint libraries and Teams content. These are exactly the places where companies keep their real knowledge.

Backup as an element of compliance and GDPR

For many companies an independent copy is not just convenience, it is also a requirement. Personal data protection rules and standards such as ISO 27001 expect a company to ensure the availability and recoverability of data. If customers’ personal data lives only in mailboxes and on SharePoint without an independent copy, it is hard to talk about real continuity and accountability.

A backup also helps in everyday, less dramatic situations:

  • restoring a former employee’s data after closing their account,
  • handing over a complete correspondence history in a dispute or inspection,
  • quickly undoing the effects of a mistake without involving Microsoft support.

What it really costs

The cost of a Microsoft 365 backup is usually counted per mailbox or user per month and is small compared with the consequences of data loss. It is worth setting this amount against a real scenario in which the company loses several years of project correspondence or accounting records. Usually the conversation ends at this point, because the proportions are obvious.

The same applies to Google Workspace

Google Workspace operates under an identical shared responsibility model. Google looks after the platform, the customer after the data. The recycle bin and recovery mechanisms have their limits, and a deleted account takes email and files with it. If a company works on Google Workspace, it needs an independent copy for exactly the same reasons.

How to approach this sensibly

  1. Establish where the company keeps critical data in the cloud and who has access to it.
  2. Check how long the current mechanisms allow you to undo data deletion.
  3. Deploy an independent backup with a retention policy matched to your legal and business needs.
  4. Test restoring a single email and file, so you are sure the process works.

The cloud does not release a company from the obligation to have a backup, it only changes how you make one. If you want to secure data independently of the provider, see how we deliver Microsoft 365 backup and Google Workspace backup. I will help assess what the risk looks like in your environment, before an accidental deletion does it.