Microsoft 365’s dirty little secret

Posted by Rob Stevenson, CEO and founder of Legal Futures Associate BackupVault


Microsoft 365 (formerly called Office 365) is one of the most widely used cloud services in the world. According to consumer data experts Statista, as of February 2022, Microsoft 365 controlled around 48% of the market share for major office suites, with its main competitor being Google.

Many organisations depend on Microsoft 365 services for the day-to-day running of their business, and your law firm is highly likely to be using Outlook for email, SharePoint for storing and editing documents, and Teams for calls, virtual meetings, and instant messaging between colleagues.

But did you know that Microsoft has a dirty little secret? It is not responsible for backing up the data you share and manage across its various services.

This shocking fact often catches users off-guard, but it’s true: Microsoft is only responsible for ensuring its infrastructure is operational and its products are available for customers. Responsibility for all data stored and processed on the platform sits with the user.

This is called the shared responsibility model, and it’s how most software-as-a-service (SaaS) providers operate – yet 45% of SaaS users are unaware of it.

Microsoft 365’s shared responsibility model

In simple terms, the model means Microsoft is responsible for its own hardware and the platform’s uptime, while the burden of protecting devices, accounts, identities, and data sits with the customer.

The onus is therefore on you as the user to ensure that the data you manage using the platform is adequately protected and backed up in line with your region and sector’s regulations.

What causes the confusion surrounding Microsoft 365 data?

Because you can access Microsoft 365’s services from multiple devices and different locations, it’s easy to be lulled into a false sense of security when it comes to thinking about the data you store on the platform.

Data is replicated from one centre to another to ensure continuity of service if one location goes down – so you could easily be forgiven for assuming that you don’t need a separate form of back-up. But the shared responsibility model means that there is a difference between what Microsoft 365 appears to provide and what it actually does provide.

Replicating data from one location to another simply means that any files that have been corrupted or deleted will be copied along with the ‘good’ data. For users who have put a separate back-up solution in place, this won’t present a major problem – they can just arrange for the uncorrupted data to be restored from the third-party back-up. For users who haven’t got external back-up in place, that data could be lost forever.

The way the recycle bin works is also a little misleading for users, as it does provide an element of data retention. For example, deleted emails in Outlook can be retained for up to 30 days, while documents managed on SharePoint and OneDrive can be retained for up to 180 days.

But even though these deleted files are being retained, you do not get the other essential back-up benefits like a bulk restore option, and granular or incremental recovery.

Why is it important to have separate back-up for your Microsoft 365 data?

It’s likely you’re storing and managing a lot of sensitive and confidential data across the Microsoft 365 platform – and in the event of a data breach or cybersecurity incident, you would face disruption to your business, financial loss and ultimately harm to your reputation.

It’s important to keep in mind that you are more likely to lose data because of people making mistakes than you are through external factors like cyber-attacks. In May this year, it was found that 54% of data breaches in the legal sector were caused by human error. To guard against data loss and its damaging consequences, you need to be backing up your Microsoft 365 data.

Don’t be among the 40% of SaaS customers who’ve lost data because they weren’t aware that the platforms they were using are not responsible for protecting users’ data. If you do not have a third-party back-up service in place already, then you need to consider implementing one as a matter of urgency.

The best back-up solution for businesses who deal with large amounts of sensitive and confidential data is a cloud back-up service that uses remote servers and the highest possible level of encryption.

