The why and the how of protecting your Microsoft 365 data in the cloud

5 cryptography and data protection
Getty Images

Cloud-based productivity and collaboration apps such as Microsoft 365 and Google Workspace have been around for years but have really come into their own with the sudden transition to distributed workforces in response to the pandemic.

These services are delivered by highly sophisticated global technology companies and hosted in highly secure data centres protected by multiple levels of physical and cyber security.

These facts can engender a false sense of security among customers: that the data they entrust to these applications is safe, and not something they need to worry about. Not true. These services do not provide the backup of customer data that organisations need to safeguard operations. It remains the responsibility of the customer to ensure their data is protected from loss, intentional or otherwise, and ensure their operations will not be disrupted by the lack of access to any data they have entrusted to such applications.

This can be a particular problem for regulated industries. Without implementing additional measures to secure data in these applications they could be non-compliant.

In this article we will explore some of the ways data stored in these services can be lost, compromised, or rendered inaccessible, with some illustrative examples and some solutions that organisations can deploy to protect against such adverse events and ensure regulatory compliance.

The security problems with cloud apps

Microsoft 365 today is a combination of the original Microsoft 365 services that were originally part of Office 365, most of which were absorbed into Microsoft 365 in 2018. Symantec had a pretty poor assessment of Office 365 security in 2018, saying it did not provide the level of protection demanded from on-premises defence measures. “Office 365 native security may not provide the visibility you need to tell whether a cloud-based account is being used by an authorised user or being exploited by cyber criminals.”

This message does not seem to have been widely heeded. IDC in 2019 found 60 percent of Microsoft 365 users it surveyed relying solely on Microsoft capabilities for the backup and recovery of data they had stored in Microsoft 365. Another recent survey found 80 percent of companies using SaaS had lost business data.

IDC warned. “Ultimate responsibility of data protection lies with the customer or the data owner — you. Adopting O365 without enterprise-grade backup is a risky strategy.”

It listed customers responsibilities as being:

  • Access to and control of all data residing in O365.
  • Implementing enterprise-grade backup and data retention outside the O365 environment.
  • Ultimate responsibility for legal requirement on data and for compliance with corporate and industry regulations.
  • Protecting O365 data from internal threats such as accidental deletion, malicious insiders, disgruntled employees and from malware, ransomware, and rogue applications.

Salutary lessons

And data loss can be costly. A Verizon report found small data loss incidents could cost businesses an average of up to $US35,000, and large incidents where more than 100 million records are lost could cost up to $US15 million.

The experience of KPMG is one of the most salutary lessons about what can happen when there is no strategy to back up data in Office 365. In 2020 the personal chat histories of 145,000 KPMG staff in Microsoft Teams were deleted through an IT blunder, the Register reported. IT staff had been trying to delete just one user’s chat history.

KPMG had told staff not to use the chat function for information on crucial business decisions, but as one commentator observed: “When chat is available, it becomes a key and integrated communication method. Chat threads document the story of a decision-making process, not just the outcome.”

Another user, Irish construction company Walls, suffered a ransomware attack that deleted a staff member’s OneDrive and resulted in the complete loss of that user’s data. As a result, the company implemented an Office 365 backup product from AvePoint.

Introducing AvePoint

In short, whether it’s for their own security or for regulatory compliance, no organisation can afford not to have a means of backing up and restoring any data held in Microsoft 365, Salesforce, Google Workspace, or similar cloud-based services.

AvePoint offers robust, reliable, and comprehensive cloud-based solutions for safeguarding data in all of these services. AvePoint has been offering its solution for multi-cloud backup since 2013, and all data is encrypted to ISO:27001 standards.

For Microsoft 365, AvePoint also offers the AvePoint Virtual Assistant, AVA. This bot has been specially made to help users locate and restore content. Integrated with AvePoint’s Cloud Backup for Microsoft 365, it can find content that is no longer retained by Microsoft 365’s native backup capabilities. AvePoint has helped thousands of customers in meeting their data recovery and retention needs. Check out these great customer success stories:

AvePoint Meets Australian Government Security Requirements

Earlier this year AvePoint’s Cloud Backup, Cloud Governance, and Cloud Records solutions were assessed under the Australian Government’s Information Security Registered Assessors Program (IRAP). The assessment was initiated in partnership with the Australian Transport Safety Bureau to ensure that its record management in Microsoft 365 complied with Australian Government record keeping requirements. The bureau is among more than 130 government entities in Australia that use AvePoint to migrate, manage, and enhance the protection of their Microsoft 365 and SharePoint data.

For more information

If you’re in a highly regulated industry and looking for solutions to meet your data compliance requirements, look no further. Book a free consultation with the AvePoint team today!


Copyright © 2021 IDG Communications, Inc.