The storage vulnerability you didn’t know you had

Data management is increasingly coming under the governance spotlight, yet a significant vulnerability often goes unnoticed. Many businesses operating on Microsoft 365 assume their data is comprehensively backed up. While Microsoft provides robust infrastructure resilience, a key distinction in its shared responsibility model leaves data at the individual business, or tenant, level exposed to accidental or malicious deletion.

“This isn’t a flaw in the system,” says Craig Freer, director at Qwerti, a local managed service provider, “but a feature of its design. Microsoft ensures the operational continuity of its services. If a data centre were to fail, the company would restore its servers, ensuring the underlying infrastructure remains stable and your data at that macro level is safe.

“However,” he comments, “the responsibility for protecting data at the individual tenant level lies with you, the individual business. In terms of its standard retention policy, Microsoft only holds data for 30 days before it’s permanently deleted. If an employee accidentally deletes a critical folder, or a disgruntled leaver maliciously wipes an entire Teams environment, it creates a significant gap in protection that many organisations are simply unaware of.”

Risk across the operation

The threat isn’t just theoretical; it impacts the three core pillars of a modern business’ IT systems. Firstly, there’s Exchange and email – the lifeblood of daily correspondence. Perhaps the least mission-critical layer, its loss can nonetheless disrupt operations and lead to vital confidential information permanently disappearing.

Secondly, OneDrive contains individuals’ personal work data. The loss of this information can set projects back by months and potentially represents a catastrophic loss of intellectual property and productivity.

Finally, and perhaps most seriously, there’s the collaborative environment of Teams and SharePoint. This is where shared organisational knowledge resides.

“Its deletion can wipe out years of collective work, and make recovery a near-impossible task,” states Freer.

Worse yet, these vulnerabilities are not just limited to human error or malicious insiders. “A successful phishing attack could give hackers control of the whole system, allowing them to encrypt or destroy data with impunity.”

The governance imperative

For most companies, data backup is no longer just an IT function; it’s a board-level mandate. Governance and risk committees routinely ask for proof of backup and evidence of successful restore tests. Microsoft’s infrastructure-level resilience alone does not meet the requirement for granular, tenant-level data protection. This means many organisations, particularly in highly regulated sectors like financial services and law, may be unknowingly non-compliant with their own governance mandates.

“Addressing this vulnerability requires a strategic shift in how businesses view cloud data,” comments Freer. “The solution isn’t to abandon powerful platforms like Microsoft 365, but to augment them with a dedicated, cloud-to-cloud backup solution.”

An effective approach should be seamless and automated, and operate in the background. It should not require any actions from individual users or software installation on their devices, Freer continues.

“It also needs to be cost-effective and scalable. In this context, ‘scalable’ means it offers unlimited storage to avoid escalating costs through constantly having to upgrade storage pools as data volumes grow. Additionally, it must be comprehensive enough to protect all three data environments – Exchange, OneDrive, and Teams/SharePoint.”

Finally, a truly strategic solution should support data archiving. When an employee leaves, their data often needs to be retained for compliance, but paying for a full, active license is costly. The ability to convert a live backup into a lower-cost archive license preserves a snapshot of the data indefinitely, providing a practical and affordable solution.

“By adopting this kind of dedicated backup strategy, businesses can close a serious security gap, ensure compliance, and safeguard their most valuable digital assets,” Freer concludes.
