Sponsored by Veeam
The unseen risk in Microsoft 365: disaster recovery
Businesses that assume they’re covered for data backup could come unstuck in a time of crisis

According to the Synergy Research Group, Microsoft continues to dominate the Software-as-a-Service (SaaS) market, earning more worldwide revenue than the next four SaaS providers — Salesforce, Adobe, Intuit, and SAP — combined. And while sales for the other SaaS providers have remained relatively flat over the past two years, growth of Microsoft 365 continues to be strong. Being the king of the hill also has its disadvantages: according to IT Threat Evolution, Microsoft 365 documents ranked first in the number of attempts by cybercriminals to exploit vulnerabilities (80%), while 600 million identity-based attacks target Microsoft Entra ID every day, according to the 2024 Microsoft Digital Defense Report.
Despite the popularity of Microsoft 365 among organizations, there’s a common misconception that their data is backed up by Microsoft and they’re covered in the event of a disaster. The reality about Microsoft 365 backup – or lack thereof – will keep IT decision makers up at night.
Doing your part: the Microsoft 365 shared responsibility model
The Microsoft 365 Shared Responsibility Model is a framework to help IT decision makers understand what components and tasks they’re responsible for in a Microsoft 365 environment.
Perhaps nowhere is there greater confusion about where the responsibilities lie than when it comes to creating backups of data held in Microsoft 365. Some businesses assume that backup and recovery are taken care of by default, but they are wrong: Microsoft is only responsible for the security of the Microsoft 365 environment. Customers are responsible for the security of their own data, including data in Microsoft 365 Exchange Online, SharePoint Online, OneDrive for Business, Microsoft Teams, and Entra ID.
Reinforcing Microsoft 365 cyber resilience
Cyber resilience has become top of mind for organizations everywhere with the average cost of downtime now estimated to be as much as $9,000 per minute and more than $5 million per hour in higher-risk industries. Regulatory requirements, such as the European Union’s (EU) Digital Operational Resilience Act (DORA), further increase the stakes for financial institutions operating in the EU. Whether or not an organization is subject to regulations such as DORA, it’s clear that operational resilience has become a mandate across industries everywhere. Ensuring regular, encrypted, immutable backups of critical Microsoft 365 and Entra ID data is an integral component of any cyber resilience strategy.
Regular backups ensure an organization can quickly restore access to its data, irrespective of whether data loss occurs due to malware, human error, misconfiguration, or any other cause. When determining how often to run a backup, it’s important to consider how much data can reasonably be lost in the event of an incident. For some businesses, this could be a day; for others with more stringent recovery objectives, it could be hours or even minutes.
Encryption is fundamental to the protection of sensitive information, ensuring that only authorized parties with the correct decryption key can access the original, unencrypted information, whether it’s in use, in motion, or at rest. Encryption provides a layer of security that helps businesses safeguard their Microsoft 365 communications, documents, and other data, no matter where they reside within their cloud infrastructure.
In the modern cloud era, immutable backups are somewhat analogous to traditional off-site storage for tape or disk backups. Immutability ensures backups can’t be altered or deleted, by storing them in a secure repository or vault that’s often “air-gapped”. Immutable backups are among the most important defenses against ransomware attacks in particular, with 93% of ransomware attacks specifically targeting backups.
Exploring Microsoft 365 data protection use cases
Businesses’ Microsoft 365 and Entra ID data is at risk. Whether it’s external threat actors, accidental deletions and misconfigurations, or the risk of non-compliance with regulatory mandates, IT leaders need a comprehensive data protection and data recovery solution for their Microsoft 365 and Entra ID environment.
- Minimizing operational disruptions from security threats: Threat actors employ tactics such as phishing and credential stuffing to take over user accounts with alarming success. Once they have access, threat actors may encrypt important files, exfiltrate sensitive data, and more. Whether recovering from a ransomware attack, mitigating insider risks, or restoring accidental deletions, backups are your safety net.
- Maintaining compliance: Data security and privacy regulatory frameworks and standards – such as the Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), Digital Operational Resilience Act (DORA), and Payment Card Industry (PCI) Data Security Standard (DSS) – mandate robust security controls, including comprehensive data protection and disaster recovery, and impose stiff penalties for non-compliance. The flexibility to control the storage location (for example, in a trusted region) for your backups is crucial for addressing compliance requirements in various regulations, such as GDPR, for data sovereignty.
- Safeguarding against deletions and misconfigurations: Organizations must safeguard their identity data (in Entra ID) and sensitive information (in Exchange Online, OneDrive, SharePoint Online, Teams, and more) from insider risks, whether accidental or malicious, including deletions and misconfigurations. While Microsoft offers some basic protection, it’s limited. Microsoft Entra ID’s Recycle Bin feature, for example, offers a recovery window of up to only 30 days for certain critical objects. A comprehensive backup solution extends beyond the capabilities of Microsoft’s built-in safeguards and ensures that mistakes don’t spiral into crises.
- Ensuring efficient recovery: According to the Microsoft Digital Defense Report 2024, the average detection time for incidents is 207 days. Many breaches begin with small unnoticed changes, such as an unauthorized adjustment to permissions, the deletion of a security group, or some other minor tweak in settings. The ability to detect these changes early is vital in preventing them from escalating into successful attacks. Accelerated change detection and granular recovery capabilities, including metadata comparison, object-level restore, regular backups, and actionable recovery plans, empower organizations to anticipate and address issues quickly, restore only the data that is needed, and minimize unnecessary downtime.
Comprehensive data protection
True data resilience means more than simple data protection. Data resilience encompasses backup, rapid recovery, data security, easy portability, and intelligence, enabling organizations to withstand, recover from, and adapt to any digital disruption. A resilient data strategy is the backbone of regulatory compliance, business continuity, and customer trust.
Veeam Data Cloud for Microsoft 365 integrates with Microsoft 365 Backup Storage to provide comprehensive data protection and data recovery for your Microsoft 365 environment, including Microsoft Exchange, SharePoint, OneDrive for Business, and Teams, with support for Entra ID protection. Visit the Veeam website to learn more about Veeam Data Cloud for Microsoft 365 and request a demo today.