In Blog

The idea that, at some point, one of your users is going to delete something important is well-founded. IT system administrators exist because of things like this. And when running your business operations within Office 365, the potential for data to be deleted is just as real. 

To compensate for this, Microsoft has gone to great lengths to provide organizations with an ability to retrieve deleted items from a Recycle Bin in many of their services. In some cases, Microsoft provides nearly four months of deleted item retention to give their customers as much time as possible to figure out something’s missing and to retrieve it. They also offer versioning of documents to allow users to quickly revert to older versions.

Even so, there’s a need for your organization to maintain backups of its data within Office 365. Far too often, users rely on Microsoft to maintain the organization’s data – when, in fact, Microsoft clearly states they’re not responsible for your data. So, like their on-premises counterparts you used to manage, you need to address backups of Office 365, despite Microsoft retaining deleted items and previous versions of data.  

Here are three scenarios where Office 365 deleted item retention and/or versioning won’t help, requiring backups to save the day:

1. When You Realize You Need It Far Too Late

Even Office 365’s retention times have limits, so it’s reasonable to conceive of a scenario where someone tries to find that deleted email after the default 14 days of retention in Exchange Online, or that deleted document in SharePoint Online after 93 days. To be fair, Microsoft has built in additional controls – such as retention policies for email and 14 days’ worth of backups for SharePoint Online – but the possibility exists that even after those controls are exceeded, you’re not going to get that email or document back. 

2. When Something is Maliciously Deleted or Manipulated

The Malicious insider is alive and well, representing nearly one-third of data breaches. But insiders also work to cover their tracks. In one publicized case, a departing employee stole customer records, deleted notes, and manipulated customer data. Translate this into Office 365, and you have a scenario where the user isn’t going to wake up one morning realizing they need to undelete something; they want it deleted. Also, in cases of manipulation, versioning can help in the case of SharePoint and OneDrive, but that brings us to our last scenario…

3. When Safeguards are Misconfigured

Microsoft does provide IT system administrators with the ability to configure these settings to meet the needs of the business. Should they not be – for example leaving Exchange with the default retention time setting – can shorten Office 365’s ability to deliver. Don’t forget the potential for that malicious insider to be an admin – 63% of organizations think privileged IT users are the biggest risk of insider threats. All it takes is something as simple as configuring versioning down to 1 or retention times to a single day to have a massive impact on the organization’s recoverability. 

Your Retention and Versioning Need a Backup Plan

In many circumstances, the safeguards Microsoft has put in place will work and provide users with the ability to get back that document or email they need quickly. To ensure long-term protection against forgetful or malicious users, it’s necessary to have backups of Office 365 data in place to mitigate the risk. 

To learn more about the operational risks involved with hosting Office 365 data and how backups can be used to mitigate that risk, download the eBook Modern Office 365 Data Protection Challenges today!