This article was contributed by Alex Tray, an IT expert with experience as system administrator for various tech companies.
The Main reasons to back up Exchange Online
COVID-19 caused a rapid shift toward remote work and, thus, fueled the rise in adoption of Microsoft Office 365 services, including Exchange Online. While a growing number of users are choosing Exchange Online, the native data protection tools may be insufficient to ensure data protection and compliance retention. And this is where Exchange Online backups come into play.
This article covers the five main reasons why businesses need to back up Office 365 Exchange Online. Additionally, it includes practical tips on how to minimize data loss based on the industry’s backup best practices.
Reason #1. Microsoft isn’t responsible for protecting your Exchange Online data
Microsoft is legally responsible for its host infrastructure and platform availability. But the company is not responsible for data protection or data loss outside occasional outages or disruptions on Microsoft’s side.
The Microsoft platform does become unavailable. In 2020 alone, Microsoft had three outages that brought Office 365 tools, including Teams, Exchange and Outlook, down for a total of 11 hours during ten days.
Microsoft is clear that they don’t back up Exchange Online though. If email data is lost or corrupted due to accidental or malicious actions, the recovery of emails and other data in mailboxes is the customer’s responsibility. Even in the service agreement, Microsoft recommends that you regularly back up the data stored in Microsoft 365 applications to minimize possible data loss.
You can protect Exchange Online emails with native access control features and multi-factor authentication. But according to the Microsoft Shared Responsibility Model, data protection and account access management fall under your responsibility. This means that if your data is accessed by cybercriminals, Microsoft won’t be the one to blame.
Misconceptions about the liabilities of software as a service (SaaS) providers are commonplace. Research shows that 37% of organizations solely rely on SaaS vendors like Microsoft to protect their application data. Another 33% don’t think that SaaS application data needs to be backed up at all.
These misconceptions put your Exchange Online data at greater risk of being attacked or stolen, which brings us to the next point.
Reason #2. Your data is vulnerable to external threats
Your critical company data and user contact details make Exchange Online a treasure trove for cybercriminals. Here are the three main types of external threats you should be aware of:
- Phishing. Users can receive infected emails with links to malicious websites or malware. Once they open a link, criminals steal credentials and get access to critical data.
- Ransomware. Users can download this type of malware by opening a phishing email or an infected file. Once malware invades your system, it locks your IT environment until your organization pays the ransom.
- Spyware and viruses. Viruses and spyware can collect your credentials and other sensitive data.
Microsoft is a reliable service provider. However, user behavior can open Exchange Online data to cyberattacks and ransomware. In 2019 and 2020, Microsoft faced a massive phishing attack that compromised customers’ business email accounts in 62 countries. In 2021, an attack on Microsoft Exchange Server caused a massive data breach that affected at least 30,000 users.
As Microsoft isn’t responsible for your data protection, adding an extra layer of security makes a lot of sense. Exchange Online backups won’t save you from attacks, but they guarantee the recoverability of mailboxes with no or minimal data loss. Additionally, backups enable point-in-time recovery, which is outside the scope of the Exchange Online functionality. You can restore data from the backups made before the attack and, thus, avoid paying ransoms.
Criminals can do a lot of harm, but sometimes threats come from people within the company too.
Reason #3. Your employees can delete or compromise data
Your employees can delete emails and accounts in Exchange Online or even cause a data leak by sending an email with confidential information to someone outside the company. The employee’s actions can be accidental or intentional. The latter is particularly dangerous because your staff knows the company’s weaknesses and can cause irreversible damage.
An Exchange Online mailbox allows users to restore deleted objects for only 14-30 days, depending on the account settings. After 30 days, deleted objects aren’t recoverable. So Exchange Online backups are the only chance to retrieve this data.
Leading backup providers allow you to restore emails (with all attachments), contacts or calendar items in minutes without recovering the entire mailbox. What’s more, you can choose whether to recover items to the original location or another mailbox (for example, when you need to restore the folders of a deleted account).
With access control, the principle of least privilege, multi-factor authentication and similar data security tools, you can minimize human errors and even prevent damage. But is it safe to rely on Microsoft native protection?
Reason #4. Microsoft protection isn’t enough
Microsoft offers a variety of native tools to protect Exchange Online mailboxes, including privileged access management, data encryption with sensitivity labels, email-filtering service against phishing and malware (Exchange Online Protection and more advanced Microsoft Defender). However, you need more comprehensive and reliable protection.
Protection capabilities vary across Office 365 plans. Most features, including message encryption and Data Loss Prevention (DLP), are available in the Office 365 E3 and E5 plans. Threat protection (Microsoft Defender) and Office 365 Cloud App Security are added only to the most expensive plan, the E5 plan.
All Office 365 users can take advantage of identity and access management. However, according to research by Vectra, a network threat detection provider, malicious applications are bypassing Microsoft embedded security controls and multi-factor authentication in 96% of the Office 365 customers they have studied.
Microsoft native data protection does offer some tools to help you prevent attacks and unauthorized access. But you need more. This brings us to the second reason why you need to back up Exchange Online—the risk of external threats. In case an external threat appears, backups will allow you to resume your IT operations and minimize data loss.
Reason #5. You can have legal and regulatory penalties
Businesses can be subject to a variety of legal standards and regulations, such as European General Data Protection Regulation (GDPR) or the US Payment Card Industry Data Security Standard (PCI DSS). The law requires companies to retain Exchange Online emails and accounts for legal compliance. So in case of an audit or a trial court, the company should retrieve this data for e-discovery and further investigation.
For compliance purposes, Exchange Online allows users to configure retention policies and use In-Place or Litigation Hold where mailbox objects are retained immutably. But these tools are not as effective as you may think:
- Retention planning can be confusing, especially with several Office 365 workloads.
- Your employee can forget to include Exchange Online accounts in the policy or lose data due to employee turnover or data migration.
- If you delete a user account, its mailbox will be marked for deletion too, even if it’s currently on hold.
Once you lose an account or mailbox, you lose the chance to restore this data without a backup. If you’re lucky enough you can notice the loss and recover objects within 14-30 days. But it’s a bad strategy to rely on luck, as this can cost you eye-watering compliance fines.
An effective backup strategy, on the other hand, can allow you to configure automatic backup workflows and flexible retention policies to ensure that no data is lost. Let’s explore this in more detail.
Stay in control of your data with Exchange Online backups
With regular and reliable Exchange Online backups, you can easily recover emails and accounts, restore ransom-free mailboxes and comply with regulatory requirements.
Here are a few tips on how to make your Exchange Online backup strategy more effective and resilient to threats:
- Use incremental backups. Exchange Online mailboxes can consume a lot of storage space, so ensure that your backups are lightweight and don’t put an extra load on the network.
- Store on-premise. Keep your backups protected from ransomware and malware by storing them offline, on a local computer or a server.
- Control access to backups. Set role-based access control and multi-factor authentication to ensure the security of your backup activities.
- Automate your backup activities. Ensure that your backups are regular and complete to avoid any data loss.
- Adopt flexible rotation schemes. Optimize your storage space usage with rotation schemes, such as Grandfather, Father, Son (GFS) that allows you to rotate your backups on a daily, monthly or yearly basis.
Backups mitigate the risk of data loss, ensure business continuity and keep you away from compliance fees. With a reliable partner in your corner, you can be sure that your data is always recoverable.
Millions of people use Exchange Online to send emails, manage their calendars and contacts. With so much data circulating in mailboxes, Exchange Online is a treasure trove for ransomware and other criminals. But while many users rely on Microsoft native data protection, these tools can fail to prevent attacks.
Despite the common belief, Microsoft isn’t legally responsible for data protection, recovery, and access control. Users may face data loss during occasional outages or due to human mistakes and poor data management. And if this happens, Exchange Online backups become the only chance to restore data and avoid ransoms or compliance fees.
Learn how to back up Exchange Online with no data loss and management headaches.
About the author
Alex Tray is a system administrator with ten years of experience in the IT field. After receiving a Bachelor’s degree in Computer Science, he worked at multiple Silicon Valley companies and helped launch several startups. Currently, Alex is employed as a system administrator at one of the major tech companies in Texas. His primary expertise is Windows Server and Desktop Administration with extensive knowledge of Azure, Active Directory, Office365, DNS, DHCP, Group Policy, Endpoint Manager (Intune) and Microsoft Endpoint Configuration Manager (SCCM).