By Iniel Dreyer, MD at Data Management Professionals South Africa
Software-as-a-Service (SaaS), such as Microsoft 365, has changed the game for many businesses, especially those in the Small to Medium and Micro Enterprise (SMME) market. It ensures always-on access and offers cloud-based storage that means that data is available anytime and on any device.
However, this does not mean that data backup has become redundant, which is a misconception many businesses may be under – until it is too late. Ransomware and accidental deletion can still affect data stored in the cloud, and data loss events can be catastrophic for business no matter where the data is stored. It is essential to apply best practices around data management, including backing up Microsoft 365 data.
The big cloud providers like Microsoft operate on a shared responsibility model, which means that, while they are responsible for the availability of their applications, the data that these applications contain and the people that have access to this data, remains the responsibility of the customer. As long as the provider can deliver the functionality of their product, they are fulfilling their responsibility, and while they will give their best effort to assist in the event of ransomware, data loss or corruption, it is not their ultimate responsibility.
The easiest way to understand is to think of cloud storage as a data centre, or even as an external hard drive for smaller businesses. These are simply storage devices, no matter where they are located, and businesses need to take steps to protect the data that is contained in them. Whether data loss occurs through accidental deletion, malicious action or encryption via malware such as ransomware, once it is gone, it is gone, unless there is a third-party solution in place to protect data and provide a recovery mechanism.
When files are accidentally (or purposely) deleted from cloud storage, there is only a limited time period in which they will be available to recover. For example, with Microsoft 365, users have 93 days to restore deleted files from the recycle bin before they are permanently removed. After this period, unless there is some sort of backup and recovery system in place, the files are gone.
There is also the growing problem of ransomware, which does not necessarily immediately activate once it has infected data. This means that ransomware could easily be synced to cloud storage and lie in wait, sometimes even for months, before activating and encrypting data – including all of the data stored in the cloud, such as in OneDrive, as well as email, SharePoint, Teams data and more. If your native cloud storage keeps data for 90 days, and the ransomware infection occurred six months before it was activated, the only way to remove the infection would be to roll back to a copy of data prior to infection.
Holistic solutions are needed
The risk of data loss is well known – businesses cannot operate when their data is encrypted or unavailable, it is expensive and time consuming to recover, and there is significant reputational risk attached to a data breach. The trouble is that most businesses only realise how significant the impact is once something happens and it is too late.
It is imperative to have some sort of mitigation plans in place, whether this is as simple as an external storage device, or whether it is a full backup and recovery solution from a third-party provider. The key is to maintain a backup copy in a separate location to production data to enable recovery in the event of data loss.
Learn from the experience of others
The reality is that the principles and best practices around data management remain the same, no matter where data is stored. The basic steps are to make sure you are protected and can recover, and then to continually test that recovery ability. However, the reality is often more complicated, because not all data is of equal value, and most businesses are not data management experts.
There is no such thing as a ‘one size fits all’ approach to data management, protection and recovery, but the truth is that prevention is always better than cure, so some sort of system needs to be in place. Waiting for things to go wrong before trying to fix them will inevitably result in unforeseen repercussions and challenges. An experienced service provider partner can help businesses to implement the best solution for their needs based on industry, legal requirements, budgetary constraints, the value of data and more.