Why Microsoft 365 Backup is Essential

In this article, we look at why ensuring robust data backup has become a critical component of business security and continuity as reliance on cloud services like Microsoft 365 grows. We then look at some best practices for your 365 backups.

The Misconception – Microsoft 365 Backup Myths 

Many businesses are surprised to learn that they’d been operating under the false assumption that Microsoft 365 automatically provides comprehensive data backup.

In reality, Microsoft 365’s built-in protections, such as retention policies, recycle bins, and versioning, are designed for data retention and compliance rather than comprehensive backup and recovery. For example, email isn’t properly “backed-up” by Microsoft in 365. Instead, the onus is on the business-owner to find their own email backup solution. In fact, Microsoft 365’s backup and recovery default settings only really protect your data for 30-90 days on average (the recycle bin only retains deleted items for 30 days, after which they are permanently deleted).

How Does 365 Handle Email and Other Data? 

While Microsoft 365 doesn’t provide traditional email backup, it does offer several data handling protections, including:

– Data Resilience. Microsoft maintains multiple copies of your data. If a disk fails or a data center issue arises, they can recover data from these copies. However, this isn’t equivalent to a dedicated backup that protects against accidental deletions or malicious activity.

– Retention Policies. You can set retention policies specifying how long emails are kept in user mailboxes. Deleted emails can be retained in a hidden part of the mailbox for a specified period.

– Litigation Hold. For legal purposes, entire mailboxes or specific emails can be put on “Litigation Hold,” ensuring they can’t be deleted or modified. eDiscovery tools allow legal professionals to search for specific data across the environment.

– Email Archiving. Older emails can be moved automatically to an archive mailbox, helping businesses retain critical data without cluttering the primary mailbox.

– Recoverable Items Folder. Deleted emails first go to the ‘Deleted Items’ folder, and if deleted from there, they move to the ‘Recoverable Items’ folder for another 14 days by default (this period can be extended).


That said, these features aren’t substitutes for a dedicated email backup solution, and they have limitations, which include:

– Data Loss Protection. They may not protect against all types of data loss, especially if data is deleted before a retention policy is set or if the retention period expires.

– Ease of Recovery. They don’t facilitate easy recovery if a vast amount of critical data is accidentally or maliciously deleted.

– Offsite Backup. They don’t offer a separate, offsite backup in case of catastrophic issues or targeted attacks.
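The retention windows described above can be checked per mailbox. The following Exchange Online PowerShell script is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module and an admin account, and the 30-day threshold, CSV file name and example address are choices made for this illustration.

```powershell
# Added example: audit deleted-item retention and hold settings for every user mailbox.
# Assumes the ExchangeOnlineManagement module is installed and the account may run Get-Mailbox.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# Threshold chosen for this example: flag mailboxes that keep deleted items for under 30 days.
$minimumDays = 30

$report = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        # RetainDeletedItemsFor can arrive as a TimeSpan or as text, so normalise it first.
        $retention = [TimeSpan]::Parse($_.RetainDeletedItemsFor.ToString())

        [PSCustomObject]@{
            Mailbox            = $_.PrimarySmtpAddress
            RetentionDays      = $retention.TotalDays
            SingleItemRecovery = $_.SingleItemRecoveryEnabled
            LitigationHold     = $_.LitigationHoldEnabled
            ArchiveStatus      = $_.ArchiveStatus
            # A mailbox on Litigation Hold keeps its items regardless of the window.
            ShortWindow        = ($retention.TotalDays -lt $minimumDays) -and
                                 (-not $_.LitigationHoldEnabled)
        }
    }

# Show the mailboxes that rely on a short recovery window and have no hold in place.
$report | Where-Object ShortWindow | Sort-Object Mailbox | Format-Table -AutoSize

# Keep the full result for the periodic audit record.
$report | Export-Csv -Path .\mailbox-retention-audit.csv -NoTypeInformation

# Extending the window for one mailbox (placeholder address):
# Set-Mailbox -Identity user@example.com -RetainDeletedItemsFor 30

Disconnect-ExchangeOnline -Confirm:$false
```

Even with every mailbox at the longest window, the result is still a bounded recovery period inside the same tenant, which is the gap a separate backup is meant to cover.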

Data Loss Risks in Microsoft 365 

Bearing in mind these limitations, understanding the potential risks associated with data loss in Microsoft 365 is crucial for businesses looking to protect their sensitive information and ensure seamless operations. While Microsoft 365 may offer many advantages, it’s worth remembering that it’s not immune to data loss, which can occur in several ways.

Recognising these risks is the first step in implementing effective backup strategies to safeguard your data. With this in mind, below are some of the key data loss risks that businesses should be aware of when using Microsoft 365:

– Accidental deletion. Users may, for example, inadvertently delete important emails, files, or records. Without a proper backup, recovery may be impossible after the recycle bin period expires.

– Malicious deletion. Disgruntled employees or cyber-attacks can lead to intentional data deletion. For instance, in a 2023 survey (Ponemon Institute), 59 per cent of organisations reported insider attacks, underscoring the very real risk of malicious deletion by former employees or hackers. It’s worth remembering here how important it is to have an effective employee offboarding procedure to avoid this happening in the first place.

– Internal and external security threats. Phishing attacks, ransomware, and other cyber threats can compromise data integrity. In 2023, for example, the UK’s National Cyber Security Centre (NCSC) reported a 15 per cent increase in ransomware attacks targeting businesses, emphasising the need for secure data backups.

– Legal and compliance issues. Compliance with regulations such as GDPR necessitates maintaining data integrity and availability. Failure to do so can result in hefty fines. For example, the UK Information Commissioner’s Office (ICO) fined British Airways £20 million in 2020 for a data breach that compromised customer information. Also, in a more recent high-profile case, the ICO fined TikTok an eye-watering £12.7 million in April 2023 for various breaches of UK data protection law. Although these cases relate to businesses with large turnovers, which may contribute to the larger fines, they highlight the real legal and financial risk of inadequate data protection, one cause of which may be an inadequate backup, e.g. of 365.

Limitations of Microsoft 365’s Built-in Protection 

While Microsoft 365 offers several data protection features, they have significant limitations. As previously mentioned, retention policies and recycle bins, for example, provide limited recovery windows and are not designed for long-term data protection. Once data surpasses the retention period, it is permanently lost.

Similarly, versioning allows recovery of previous document versions but does not protect against complete file deletion or data corruption.

These native tools are not full, automated backup solutions, and businesses relying solely on them risk permanent data loss in critical scenarios.

The Benefits of a Dedicated Microsoft 365 Backup Solution 

So, why invest in a dedicated (third-party) Microsoft 365 backup solution?

Comprehensive data protection ensures that all data (including emails, files, and collaborative documents) is regularly backed up and easily recoverable. This means that if an important email or document is accidentally deleted or maliciously removed, you can quickly restore it without disrupting your business operations.

Also, dedicated backup solutions offer quick and reliable recovery. Unlike relying on native tools, which can be cumbersome and time-consuming, dedicated backups enable faster data restoration, thereby minimising downtime and ensuring business continuity.

It’s worth remembering that these solutions can actually enhance security. Many third-party backup providers offer advanced encryption and security measures that go beyond Microsoft’s native protections. This additional layer of security is crucial in safeguarding sensitive business information from cyber threats.

Also, as previously highlighted, dedicated backup solutions can support compliance with legal requirements. With regulations like GDPR imposing strict data protection standards, having a reliable backup can help ensure that your business meets these requirements, reducing the risk of non-compliance penalties.

In fact, Microsoft itself actually recommends that businesses deploy a third-party backup solution because it recognises the limitations of its own native tools and backup and retention policies. It’s also worth noting here that investing in a separate “point-in-time” backup and restoration solution is something that many businesses value. As the name suggests, this type of solution allows a business to return to a point-in-time before any issues.

Integration with Business Continuity Plans 

Your Microsoft 365 data is a critical component of a comprehensive business continuity plan because ensuring data availability and integrity is essential for seamless business operations, even in the event of data loss incidents. Quick recovery times provided by dedicated backups can help reduce downtime, thereby allowing businesses to resume operations promptly.

Also, robust backup solutions can complement disaster recovery plans, thereby ensuring that data can be quickly restored in emergencies, such as cyber-attacks or natural disasters. In essence therefore, backups are the safety net that allows businesses to bounce back swiftly from disruptions, maintaining operational efficiency and customer trust and perhaps even being the thing that saves the whole business.

Why Employee Training and Awareness Can Help 

Effective data protection extends beyond technology to include employee education. For example, educating staff about the importance of data security and proper handling procedures can be crucial in mitigating risks.

Measures like regular phishing awareness training can significantly reduce the likelihood of successful attacks. For example, a 2022 report (Cofense) found that phishing simulations reduced click rates on malicious emails by 68 per cent. Creating a culture of security within your organisation encourages proactive participation in data protection efforts, making every employee a stakeholder in the company’s security posture.

Regular updates and refreshers keep employees informed about new threats and evolving backup protocols. This ongoing education and training ensures that staff are always aware of best practices and the importance of adhering to them, further strengthening your business’s defences against data loss.

Linking these efforts to your Microsoft 365 backup strategy can help ensure a comprehensive approach to data protection. For example, while technical measures like backups are essential, combining them with a well-educated workforce maximises your organisation’s resilience against data loss and cyber threats. This integrated approach can help ensure that your data remains secure, accessible, and compliant with regulatory requirements, ultimately helping to safeguard your business’s continuity and reputation.

Implementing Microsoft 365 Backup – Best Practices 

Adopting an effective Microsoft 365 backup strategy involves several best practices. For example:

– Selecting the right backup solution is critical. Businesses should choose a provider that offers comprehensive coverage, reliability, and security. Key factors include encryption, automated backups, and ease of data restoration, and whether it’s a “point-in-time” backup solution.

– Once a solution has been selected, setting up and managing backups properly is essential. This involves configuring the backup system to ensure all relevant data is included and regularly monitored to confirm that backups are occurring as scheduled.

– Also, conducting periodic tests and audits of backup systems can help ensure they function as expected and identify potential issues before they become critical problems. Regular testing verifies that data can be restored quickly and accurately, providing peace of mind that your business is prepared for any data loss scenario.

What Does This Mean For Your Business? 

Ensuring the security and integrity of your data is now not just a technical necessity but a business imperative. The increasing reliance on cloud services like Microsoft 365 brings many benefits but also exposes businesses to some significant risks if data protection measures are inadequate.

The potential risks of data loss, ranging from accidental deletions to malicious cyber-attacks, highlight the necessity of having a robust backup strategy in place. It’s worth noting, however, that Microsoft 365’s native tools, while useful, are insufficient for comprehensive data protection. Many businesses have now realised this and have decided that dedicated, third-party backup solutions can provide the necessary depth of coverage, security, and compliance support that they need.

Ensuring data availability is also crucial for business operations. Having a dedicated backup solution can guarantee that data is always accessible, even after accidental or malicious deletion. This can minimise downtime and help maintain business continuity, ensuring that operations can proceed smoothly without significant interruptions.

Additionally, adhering to data protection regulations like GDPR is essential to avoid legal penalties and protect customer trust. Once again, reliable, regular backups help businesses meet these regulatory requirements, reducing the risk of non-compliance penalties and safeguarding the company’s reputation.

The security enhancements offered by dedicated backup solutions, such as advanced encryption, may also prove to be vital in protecting sensitive business information. These solutions provide an additional layer of security, ensuring that your data remains secure from a variety of evolving and what appear to be ever-more-sophisticated cyber threats.

Implementing a dedicated Microsoft 365 backup solution should therefore be seen as a proactive step towards securing your business’s future. By addressing the gaps in Microsoft’s native protections and integrating comprehensive backup strategies, businesses can safeguard against data loss, ensure regulatory compliance, and maintain seamless operations. In today’s digital landscape, where data is a critical asset, protecting it with reliable backup solutions is not just advisable, it’s essential. Investing in a robust Microsoft 365 backup strategy protects your data, fortifies your overall security posture, provides peace of mind, and can deliver a solid foundation for continued growth and success.

Tech Insight: No Email Backup For Microsoft 365?

In this insight, we look at a fact that many users find surprising: Microsoft 365 doesn’t provide a traditional email backup solution. We also look at what businesses can do about this.

Did You Know?

Contrary to popular belief, Microsoft 365 (previously known as Office 365) is not designed as a traditional “backup” solution in the way many businesses might think of backups. Most importantly, email isn’t properly “backed-up” by Microsoft. Instead, the onus is on the business-owner to find their own email backup solution. In fact, Microsoft 365’s backup and recovery default settings only really protect your data for 30-90 days on average.

So, How Does It Handle Email and Other Data? 

Although Microsoft 365 doesn’t automatically provide a traditional email backup, it does provide some email and data handling protections that can include aspects of email. For example:

– Microsoft has multiple copies of your data as part of its ‘data resilience.’ For example, if there’s an issue with one data centre or a disk fails, they can recover data from their copies. Although this can help, it’s not the same as a backup that can be used to recover from accidental deletions, malicious activity, etc.

– Microsoft 365 provides retention policies that allow you to specify how long data (like emails) are kept in user mailboxes. Even if a user deletes an email, it can, therefore, be retained in a hidden part of their mailbox for a period you specify.

– For legal purposes, it is possible to put an entire mailbox (or just specific emails) on “Litigation Hold”, which basically ensures that the emails can’t be deleted or modified. Also, eDiscovery tools / document review software can be used by legal professionals for searching across the environment for specific data, e.g. to find emails, documents, CAD/CAM files, databases, image files, and more.

– Microsoft’s archiving, i.e. where older emails can be automatically moved to an archive mailbox, can be one way to help businesses ensure that critical data is retained without cluttering the primary mailbox.

– When users delete emails, they go to the ‘Deleted Items’ folder. If emails are deleted from there, they go to the ‘Recoverable Items’ folder, where they remain for another 14 days (by default, but this can be extended) and can, therefore, be recovered.


Although these features help with retaining some important business data and emails, they’re not a substitute for a dedicated and complete email backup solution, and they have their limitations, which are:

– They may not protect against all types of data loss, especially if data gets deleted before a retention policy is set or if the retention period expires. For example, with email archiving, when an item reaches the end of its aging period, it is automatically deleted from Microsoft 365.

– They may not facilitate easy recovery if a user accidentally (or maliciously) deletes a vast amount of critical data.

– They don’t offer a separate, offsite backup in case of catastrophic issues or targeted attacks.

Third-Party Backup Solutions

Given these limitations and given that most businesses would feel more secure knowing that they have a proper email backup solution in place (such as for the sake of business continuity and disaster recovery following a cyber-attack or other serious incident), many businesses opt for third-party backup solutions specifically designed for Microsoft 365 to provide another layer of protection.

These solutions can offer more traditional backup and valued recovery capabilities, such as ‘point-in-time restoration’.

Backup Solutions

There are many examples of third-party Office 365 and email backup solutions and for most businesses, their managed support provider is able to provide an email backup solution that meets their specific needs.

Does Google Backup Your Gmail Emails? 

As with Microsoft 365, Google provides a range of data retention and resilience features for Gmail (especially for its business-oriented services like Google Workspace) but these aren’t traditional backup solutions. The retention and resilience features Google’s Gmail does provide include:

– For data resilience, Google has multiple data copies. If one fails, another ensures data availability.

– Deleted Gmail emails stay in ‘Trash’ for 30 days, allowing user recovery.

– Google Vault for Google Workspace sets email retention rules, which can be used to preserve emails even if deleted in Gmail.

– “Google Takeout” (data export) is probably the closest thing to backup that Gmail offers its users. Takeout lets users export/download their Gmail data for offline storage. Also, the exported MBOX file can be imported into various email clients or platforms. However, this isn’t necessarily the automatic, ongoing backup solution that many businesses feel they need.

– Like 365, Google Workspace offers archiving to retain critical emails beyond Gmail’s regular duration.


As with Microsoft 365’s data retaining features, these also have their limitations, such as:

– They might not protect against all types of data loss, especially if emails are deleted before retention policies are set or if the retention period expires.

– They might not offer an easy recovery process for large-scale data losses.

– They don’t provide a separate, offsite backup.

What Can Gmail Users Do To Back Up Their Email?

In addition to simply using Google Takeout for backups, other options that Gmail users could consider for email backup include:

– Third-party backup tools, such as UpSafe, Spinbackup, and others.

– Using an email client, e.g. Microsoft Outlook. For example, once set up, the client will download and store a local copy of the emails, and regularly backing up the local machine or the email client’s data will include these emails.

– Setting up email forwarding to another account, although this may be a bit rudimentary for many businesses, and it won’t back up existing emails.

– While a bit tedious, businesses could choose to manually forward important emails to another email address or save emails as PDFs.

– Google Workspace Vault can technically enable Workspace admins to set retention rules, ensuring certain emails are kept even if they’re deleted in the main Gmail interface.

What Does This Mean For Your Business? 

You may (perhaps rightly) be surprised that Microsoft 365 and Google’s Gmail don’t specifically provide email backup as a matter of course.

We operate in a business environment where data is now a critical asset of businesses and organisations, email is still a core business communications tool, and cybercrime such as phishing attacks and malware (ransomware) is a common threat. Having an effective, regular, and automatic business backup solution in place is therefore now essential, at least for business continuity and disaster recovery. Although Microsoft and Google offer a variety of data retention features, these have clear limitations and are not really a substitute for the peace of mind and confidence of knowing that the emails that are the lifeblood of the business (and contain sensitive and important data) are being backed up regularly, securely, and reliably.

For many businesses and organisations, therefore, their IT support company (or MSP – ‘managed service provider’) is the obvious and sensible first stop for getting a reliable backup solution for their Microsoft 365 emails.

This is because their IT Support company is likely to already have a suitable solution that they know well, and have an in-depth understanding of the business’s infrastructure, requirements, and unique challenges. This means that they can tailor their backup solution to fit specific client needs, ensuring seamless integration with existing systems. Also, their first-hand knowledge of a business’s operations positions them better for rapid response and effective resolution in case of data restoration requirements or backup issues. For businesses, lowering risk by entrusting email backup to a known entity can also streamline communication and support processes, making the overall backup and recovery experience more efficient and reliable for the business.