Is your Microsoft 365 data secure?

Moving to the cloud is crucial for businesses willing to achieve complete digital transformation. Microsoft 365 is among the most reliable Software as a Service (SaaS) solutions on the market, but is your data fully protected? 

Microsoft 365 plans for business include built-in security capabilities such as anti-spam, anti-phishing and anti-malware protection. But while this protects the infrastructure where your data is stored, Microsoft 365 does not offer any backup alternatives or extra layers of protection. Therefore, it is recommended to implement multi-cloud backup solutions. 

Most enterprises are not aware of the importance of data governance and the need for a holistic data protection strategy. Recent research by TechTarget’s Enterprise Strategy Group (ESG) revealed that over 35% of private and public-sector IT organisations in the US and Canada wrongly assume that their SaaS provider is responsible for all levels of data protection. 

This knowledge gap poses substantial risks to both big enterprises and small businesses where data is a key asset. In this insight, we answer common questions about Microsoft 365 data security, so you can make informed decisions about cloud protection. 

What does your Microsoft 365 licence cover? 

It can be difficult to understand exactly what your Microsoft 365 plan covers. This is because Microsoft 365 was called Office 365 until April 2021, when a few changes occurred.  

In short, Office 365 was a cloud-based package of productivity apps such as Microsoft Word, PowerPoint, Excel, and Outlook. Depending on the plan you choose, you could also get access to additional services like Skype for Business, SharePoint, OneDrive, Teams, Yammer and Planner.  

Microsoft 365, on the other hand, is a bundle of services. It also includes Windows Enterprise, Enterprise Mobility, and machine learning, depending on your plan. All Microsoft 365 services are also available as separate licences.  

There is also a Microsoft 365 E5 licence which provides the above productivity apps with advanced security and compliance features to protect against malware and phishing. This includes Microsoft 365 Defender and Microsoft Insider Risk Management among others.

However, many organisations prefer tiering different security products to prevent the potential risks of relying on a single supplier. For this reason, a multi-cloud backup solution is recommended.  Whatever licence you choose, it is important to know what it covers, so you can make informed decisions about data protection. 

Unsure how secure your Microsoft 365 data is?

What are the security advantages of the cloud? 

The cloud is one of the most effective ways to store data, and its use is ever-growing. According to research by Datto, over the last five years, businesses have increasingly shifted from on-premise services to cloud solutions, especially SaaS. By the end of 2022, 78% of businesses will run almost entirely on SaaS applications. This includes both enterprises and small and medium businesses.  

Small businesses especially have started to look at digital transformation as a critical asset, so much so that the market for SaaS has reached around $113 billion in value. With the rise of remote working, the cloud is fundamental to ensure better data protection.  

Cloud technology makes it easier for businesses to safely store data on a platform that can be shared for remote tasks and to edit files. With cloud-based applications, you can edit files from anywhere and the changes will be saved on the cloud platform.  

78% of businesses run on SaaS applications and the SaaS market value is worth $113 billion

Crucially, you can access the cloud platform, applications and files from multiple compatible devices. This means there is no need to rely on a hard drive or on-premise solution, decreasing the risk of hardware failure. If your files and data are stored on a cloud platform, there is a much lower risk of something happening to them, because no software will need to be reinstalled in case of anomalies.  

How vulnerable is the cloud? 

Cloud and SaaS solutions are not without risks. When data is stored within a cloud platform, you are completely reliant on the provider to access it. Service outages can result in significant downtime costs for your business. 

Additionally, with easier access to data comes a potentially larger attack vector. Any solution, be it on-premises or cloud, can be hacked either by guessing passwords or via more sophisticated hacking techniques. Hackers can steal security tokens, even without stealing your password. Once they gain access, they can encrypt your data and ask for a ransom to give it back or infect your files with malware.

An alternative backup provider ensures that your data is protected and monitored at a different cloud location. Most importantly, businesses need to be aware of established security functions and expand them, while building an effective business continuity strategy. With an average of 85% of company data being stored in the cloud, business continuity is crucial. It is important to be aware of risks as well as the different roles and responsibilities in SaaS data protection. 

What is the Microsoft 365 shared responsibility model? 

Microsoft operates on a shared responsibility model for SaaS applications. The model defines what Microsoft is responsible for and the additional measures your business should take to have full protection. In short, Microsoft protects the infrastructure where your data is stored (the cloud) but it does not guarantee any recovery support in case of data loss.  

Specifically, in their service agreement, Microsoft state the following about service availability: “We strive to keep the Services up and running; however, they are not offered with a guaranteed level of quality of service and all online services suffer occasional disruptions and outages. In the event of an outage or disruption to the Service, you may temporarily not be able to retrieve Your Content. We recommend that you regularly back up Your Content and Data that you store on the Services or store using Third-Party Apps and Services”. 

The Office 365 shared responsibility model

Because Microsoft SaaS solutions only create a replica of your data, this means your data is not actually backed up anywhere. Microsoft 365 offers short-term data loss recovery, which is the Recycle Bin function, and protection against software failure, natural disasters and any kind of power or operating system outages. 

What Microsoft is not responsible for includes data and access management, protection and backup. GDPR compliance is also your responsibility, and failure to comply could result in costly fines. Specifically, Microsoft SaaS solutions cannot protect you against: 

  • Accidental or malicious deletion of data 
  • Malware or ransomware attacks 
  • Operational errors internal to your business, such as accidental data overwrite 
  • Cancelled licences resulting in data loss. 

There is a widespread lack of awareness about data protection for Microsoft solutions: according to research, about 80% of company data stored in the cloud is not backed up. Understanding the different levels of responsibilities is essential to save your organisation from potential damage.​

85% of company data is stored on the cloud and 80% of this data is not backed up

What can you do for Microsoft 365 data loss prevention? 

Relying on a third-party managed services provider (MSP) is the most effective way to prevent Microsoft 365 data loss. It allows you to minimise expenses and disruptions to your business, especially small businesses. 

Firstly, an MSP can help reduce the impact of downtime and service outages. Downtime can affect productivity and prevent you from accessing essential documents. An MSP can use third-party services to export Microsoft 365 files and ensure you are able to keep running your business offline.  

Secondly, an MSP can implement integrated security with a multi-layered protection approach to data security. This can include protection against cyberattacks for collaboration tools such as Microsoft Teams, data backup and proactive cyber defence. Even in accidental deletion and data loss scenarios, an MSP can intervene to reverse unwanted actions and monitor your business constantly by relying on third-party solutions. 

Finally, an MSP can help you define a holistic cyber security strategy accounting for data recovery and business continuity solutions. 

Data protection responsibilities

Conclusion: implementing effective protection for SaaS solutions 

Microsoft offers some of the most widely used SaaS solutions all over the world. While these solutions are secure at an infrastructure level, it is recommended that businesses protect their data with tiered security measures. Human errors, programmatic errors, and external hackers can put business data at risk, resulting in financial losses.  

Implementing multi-cloud backup solutions is essential for any business willing to move to the cloud and invest in collaboration. The best way to do this is to be aware of what each different licence includes. Relying on an MSP is also recommended to make informed decisions and implement an effective data security and business continuity strategy.  


  1. Datto (2022) Selling Microsoft 365 made MSPeasy. [Accessed: 23 September 2022].
  2. Microsoft (2017) 7 steps to a holistic security strategy. [Accessed: 22 September 2022].
  3. Microsoft (2022) Microsoft Services Agreement. Microsoft 15 August 2022. [Accessed: 23 September 2022]
  4. Microsoft (2022) Top 10 ways to secure your business. Microsoft 365 Admin 16 September 2022 [Accessed: 22 September 2022]
  5. Sullivan, E. (2021) Data protection experts weigh in on Saas backup confusion. TechTarget 26 July 2021 [Accessed: 23 September 2022].
  6. Vangala, M. and Toelle, E. (2022) Data governance: 5 tips for holistic data protection. Microsoft Security 24 August 2022 [Accessed: 23 September 2022].​​


Cyber Security in Healthcare: 5 ways to stay secure

© 2024 ROCK. All rights reserved.

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now