Microsoft 365, formerly known as Office 365, has become a staple in many businesses, providing cloud-based productivity tools such as email, file sharing, and collaboration software. Its cloud-based nature together with native browser support for productivity tools such as Word, Excel, PowerPoint, and Outlook has made it ideal for remote and hybrid workforces and enhanced collaboration across different locations.
But with great power comes great responsibility. Dive into this article to uncover the three vital reasons why backing up your Microsoft 365 data is not a choice – it's a necessity.
From battling ransomware to taming insider threats and transcending the limits of built-in features, your data's resilience awaits.
The numbers back this up. Microsoft, in 2023, disclosed that 2 billion documents and over 200 petabytes (yes, you read that right!) of new data were being added to SharePoint every month.
However, the popularity of these applications and the importance and sensitivity of data stored in the Microsoft 365 environment have also made them a target for cybercriminals who seek to exploit vulnerabilities to gain access to sensitive data or hold it for ransom. Cybercriminals know that losing access to data stored in Microsoft 365 will bring businesses to a crashing halt. This has made Microsoft 365 a prime target for ransomware, where malware encrypts business-critical data and makes it inaccessible until a ransom is paid, often using anonymous cryptocurrency.
The costs of such attacks can be devastating for small and large businesses alike, with IBM estimating in 2022 that 45% of breaches occur in the cloud and that the average total cost of a ransomware attack is $4.54M, not including the cost of the ransom!
To combat these potentially business-ending threats, it is crucial to rethink how data backup works. Traditional backup methods may not be enough to protect Microsoft 365 against ransomware attacks or might include malware in their backups, allowing for easy reinfection.
For instance, if backups are stored on the same infrastructure as the data being backed up, they too can be easily deleted or even encrypted by the ransomware. Microsoft 365 admins must ensure that they use best practices including strong passwords, two-factor authentication, and continuing security education for employees, who are the gateway for malware and ransomware. Finally, the most critical thing you can do is to ensure that all Microsoft 365 data is continuously, intelligently, and securely backed up for fast and easy recovery in case there is ever a security breach.
The next few sections dive into the key concerns that need to be addressed to securely protect your Office 365 data. Each section also has a list of recommendations on how to select a security-focused backup-as-a-service platform. With such a system in place, your IT teams will be able to move quickly in the face of an eventual breach and will have higher confidence in being able to quickly and, more importantly, cleanly recover from malicious data corruption or deletion.
Microsoft has a shared responsibility model that defines the responsibilities of both Microsoft and its customers when it comes to the security of its cloud services, including Microsoft 365. In this model, Microsoft is responsible for the security of the cloud infrastructure, which includes the physical data centers, networking, and hardware while the customer is responsible for securing their data, applications, and users within the cloud environment.
This shared responsibility model catches people off guard when they incorrectly assume that Microsoft is responsible for not just their infrastructure’s reliability but also the security of their data and users, making organizations vulnerable to cyber threats or even accidents.
For example, many people assume that Microsoft 365 automatically provides backups for data stored in its services (e.g., emails, files, calendars, etc.). However, Microsoft only takes on the responsibility to store data in a highly available and durable manner. That is, it will ensure that data stored in its system is never lost and that it is available whenever requested.
Therefore, if a successful ransomware attack happens, Microsoft’s responsibility only includes serving encrypted and ransomwared data back to the user if requested and does not include restoring the organization to a clean state. It is the customer’s responsibility to back up their own data!
To safely operate under this shared responsibility model, it is important for customers to understand their responsibilities and take appropriate action to secure their data and applications in the cloud. This includes configuring access controls, educating users on best practices for security and privacy in the cloud environment, and as seen above, regularly backing up Microsoft 365 data using a 3rd party system.
Encrypting a victim’s data and demanding a ransom payment to return it, better known as ransomware, has become increasingly common. Unfortunately, it is almost impossible to prevent due to the increased sophistication of targeted and multi-channel attacks from well-funded groups, human error, and the lack of awareness and training.
The problem compounds because all an attacker needs is one weak entry point, after which they can leverage lateral movement and privilege escalation on adjacent systems. In 2022, 85% of organizations were successfully ransomwared at least once and, for significant attacks, 39% of production data was encrypted or destroyed and only 55% of the ransomwared data was ultimately recoverable.
While having backups for your Microsoft 365 data is useful, almost all ransomware attacks try to delete these backups first to leave companies no choice but to pay and are often successful if legacy backup products are in use.
We strongly recommend the selection of a backup product that has features to isolate backups and to prevent or delay backup deletion. Modern backup products should also automatically exclude malware from backups to allow for clean restores without the risk of reinfection. They also need to integrate with XDR security systems to proactively invoke backups if threat signals are detected.
Ransomware has also changed what backup systems must deliver for recovery. Given the high cost of ransomware attacks, restores should be quick and last known good backups should be automatically identified. Point-in-time restore is essential instead of having to manually inspect, sort, and restore specific versions at a per-file level. Granular restores are also needed, where specific files, folders, or emails, or selected groups of them, can be restored first to front-load restores of immediately required or impacted data.
Departing employees can accidentally or maliciously pose a significant threat to an organization’s data security. If the departure is involuntary, they may intentionally delete data or shared content as an act of revenge. This can result in significant data loss or damage and, in extreme cases, may affect the organization’s ability to operate.
Departing employees may also delete data through innocent actions. They might be trying to delete personal data that was accidentally stored at work but, with limited time, also delete critical work data that was accidentally commingled with their personal files. Either way, these actions can result in significant harm, particularly if the employee had a long tenure or worked in critical parts of the organization.
Converting the user into a shared mailbox or reassigning their OneDrive to another user after they have left is simply too late.
The insidious nature of disgruntled employees can be an even worse problem. Even minor acts of rebellion such as not following data retention policies can hurt team productivity. Malicious behavior such as deleting or tampering with data over a period of many months can be very hard to detect.
Any inbuilt Microsoft 365 feature to recover data, like the recycle bin, won’t help given the limited recovery windows. Finally, a disgruntled employee can also intentionally deploy malware or ransomware to cause damage or impact the company’s reputation and use their insider knowledge to increase the attack’s blast radius.
To combat insider threats, all organizations should deploy a 3rd party backup system that is not only independent of Microsoft 365 but also retains a very deep history of backups going back years. For systems like Microsoft 365, backup systems must not only run backups multiple times a day, but they should intelligently schedule backups when employees are active to capture more relevant changes.
While tempting, using Microsoft 365’s recycle bin or litigation hold for backup is a recipe for disaster. The recycle bin places an undue burden on all users to notice deleted items and to restore them before their data is purged within a very limited period of time.
For example, Exchange’s default retention period for deleted emails is 14 days, with a maximum limit of 30 days. Recovery during this period involves moving items out of a non-intuitive Recoverable Items folder back into the recycle bin and then to the original location. Data stored in recycle bins also counts towards storage quotas for the organization.
To work around these limitations, some admins have started using litigation hold, a feature found in higher Microsoft licensing tiers and meant for legal eDiscovery purposes, for backups. Litigation hold can preserve contents but needs to be applied org-wide to approximate a backup. This increases legal exposure by conflicting with defensible retention policies or in case of an actual discovery request.
Restoring data requires the admin to manually export data. For example, for emails, an admin would use the Exchange Admin Center to export this data into a file, download the file, and then re-import the file back into Outlook. Further, the emails would be restored to a different location from where the original data was located. This manual process fails at scale and for a ransomware attack where fast company-wide recovery is critical.
There is also no point-in-time restore capability or safe backup identification with litigation holds to prevent corrupted or malicious data from being accidentally restored. To address these fundamental limitations of in-built features, a modern Microsoft 365 backup product is needed that minimizes business impact by offering permanent backups with large retention periods and automates, at scale, the fast recovery of corrupted or deleted data.
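To make the built-in recovery windows discussed above concrete, the following PowerShell is an added example, not code from the original article, Microsoft, or Alcion. It reports each mailbox's deleted-item retention and whether litigation hold is enabled; the function name `Get-MailboxRecoveryGap` and the sample mailboxes are constructed for illustration, while `RetainDeletedItemsFor` and `LitigationHoldEnabled` are properties returned by `Get-Mailbox`.

```powershell
# Added example: report how long deleted items stay recoverable per mailbox
# and whether litigation hold is enabled on it.
function Get-MailboxRecoveryGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Mailbox,
        # Maximum deleted-item retention stated in the article (30 days).
        [int]$MaxDays = 30
    )
    process {
        # Remote sessions can return the value as a string such as
        # "14.00:00:00", so normalise it back to a TimeSpan first.
        $retention = [TimeSpan]::Parse(
            "$($Mailbox.RetainDeletedItemsFor)",
            [cultureinfo]::InvariantCulture)

        [pscustomobject]@{
            Mailbox        = $Mailbox.UserPrincipalName
            RetentionDays  = [int]$retention.TotalDays
            BelowMaximum   = $retention.TotalDays -lt $MaxDays
            LitigationHold = [bool]$Mailbox.LitigationHoldEnabled
        }
    }
}

# Constructed sample input (not real tenant data) so the script runs offline.
$sampleMailboxes = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'
                       RetainDeletedItemsFor = [TimeSpan]::FromDays(14)
                       LitigationHoldEnabled = $false }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com'
                       RetainDeletedItemsFor = '30.00:00:00'
                       LitigationHoldEnabled = $true }
)

$sampleMailboxes | Get-MailboxRecoveryGap | Format-Table -AutoSize

# Against a live tenant, after Connect-ExchangeOnline:
# Get-Mailbox -ResultSize Unlimited | Get-MailboxRecoveryGap |
#     Where-Object BelowMaximum
```

A mailbox listed with `BelowMaximum` set has less than the 30-day window, and one with `LitigationHold` set should be checked against the organization's retention policy rather than treated as backed up.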
While there are a large number of “table stakes” items required to meet the minimal bar for Office 365 backup, security-conscious Microsoft 365 data protection requires us to think about a new set of features. When evaluating different Microsoft 365 backup and backup-as-a-service vendors, the following vendor checklist defines the must-have features required to keep your environment protected.
Alcion fits the above criteria and is super easy to use and get started with. You can try Alcion for free! The trial runs for 21 days, and no credit card is required.