It is evident that many users do not recognize the need for backup and recovery services to secure their data in the cloud but rely on the protection from their cloud service providers. Research undertaken by Barracuda depicted that nearly 84% of Indian organizations are relying solely on capabilities built-in Microsoft 365 for backup while 89% of them are concerned about ransomware locking their Microsoft 365 data.

There are two main factors that lead to this. Firstly, users are not familiar with the distinction between email archiving and data protection. Secondly, some lack the understanding of shared responsibility and believe that cloud service providers are protecting all data and applications.

Although some cloud service providers such as Microsoft provide email archiving options for Microsoft 365, it may not be the best service in terms of features and functionality, or the most cost effective in terms of value for money. The archiving service from Microsoft can get expensive depending on which services you purchase.

A comprehensive email-archiving solution provides eDiscovery, regulatory compliance, and legal protection of your email data. In simple words, it captures every email that has been sent and received by your organization, and ensures that these messages can be found and retrieved.

It is strongly recommended that all businesses deploy good email archiving solutions in place to protect the company from potential compliance and legal incidents. The risk of not having an archiving solution in place leaves a company wide open and exposed to any legal ramification that relies on email evidence.

Email archiving is not a backup

Even if you have email archiving services in place, you should still maintain a backup and recovery solution. Archiving can hold and retrieve specific messages, but it cannot restore a complete mailbox and all of its contents to a single point in time. Consider the following scenarios:

• Somebody hacks your Microsoft 365 account, deletes everything in your mailbox, and empties the recycle bin. This type of deletion is common during account takeover attacks, so that there is less evidence of the attack left behind.
• You accidentally delete a sub folder containing important work email and various documents (attachments). You may not notice this straight away as often you have lots of subfolders in your mailbox and this type of thing is easy to do by mistake on your phone.
• A former employee’s account was deleted and you realize you need to restore his mailbox. Using an email archiver for this task would be tedious and require multiple steps outside of the archiver.
• A cyberattack, a human error, or a catastrophic event has caused data loss in OneDrive for Business, SharePoint Online, or Microsoft Teams. Email archiving does not store this content.

With an archiving solution at hand, you can search and retrieve specific email items from the archive, but even if you knew what to retrieve from the archiver, do you have the time to reconstruct your inbox structure and contents? Can you remember what your mailbox looked like last night or last week? How long would this take if you have lost your calendar items, contacts, tasks, journal items, etc.? And as noted above, email archiving doesn’t protect everything in Microsoft 365.Disaster Recovery – Who does what?

Even though Microsoft has a highly resilient infrastructure that rarely suffers an outage, which is good, because Microsoft is responsible for making sure your Microsoft 365 environment is always available. This makes it easy to assume that you should not have to provide a third-party disaster recovery service for Microsoft 365. Disaster recovery appears to be Microsoft’s responsibility.

Unfortunately that is not the case. Microsoft is only responsible for the Microsoft 365 infrastructure that supports your data. It is not responsible for the data in your Microsoft 365 environment. Microsoft calls this out in their Managed Services Agreement – Section 6B – “We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps”

Recycle bin is not a backup

Microsoft provides a recycle bin for Exchange Online, SharePoint Online and OneDrive for Business – so even without an archiver there is some native protection for these items. However, the recycle bin is not a backup. Similar to a PC recycle bin or a Mac trash can, the Microsoft 365 recycle bin is just a folder that contains items that you have deleted.

You cannot do a point-in-time recovery from your deleted items folder, because this folder only holds items that were deleted and would not contain the good emails or files that you need to restore. Additionally, the maximum extended retention of the Recycle Bin is 93 days, and your items may be purged and unrecoverable after that time.

It is strongly advised that you should have an integrated Cloud-to-Cloud Backup of your Microsoft 365 data. GDPR compliance requires you to have the software and policies in place to protect your business and employees. For the most comprehensive protection, it is essential to have both an archiving solution and a backup solution in place.

[This article is authored by Parag Khurana, Country Manager of Barracuda Networks India. The views expressed are solely of the author]