Data Recovery in Microsoft 365: Why Availability Is Not the Same as Recoverability
Why Microsoft 365 Does Not Automatically Protect Your Data – and How to Fix That
3 Things You Need to Know
Microsoft 365 includes availability features, not recovery-grade backup. Data deleted or corrupted is not automatically restorable after retention periods expire.
Small organisations need a structured but lightweight backup approach: three components, minimal overhead, no dedicated IT department required.
A practical framework exists that covers Exchange Online, SharePoint, OneDrive, and Teams without requiring complex infrastructure.
The Problem: A Misconception That Can Be Costly
A small accounting firm with twelve employees loses access to two years of client correspondence after a ransomware attack encrypts their SharePoint environment. Their IT provider reassures them: “You’re on Microsoft 365, your data is safe.” Two weeks later, it becomes clear that the built-in retention windows had already closed and no independent backup existed. The data is gone.
This scenario is not exceptional. Many small organisations – typically those with 10 to 200 employees – operate under the assumption that subscribing to Microsoft 365 means their data is backed up. Microsoft does protect against infrastructure failure and offers limited retention tooling, but this is not the same as recoverable backup in the event of user error, malicious deletion, or a ransomware incident.
The good news is that small organisations do not need enterprise-grade complexity to protect Microsoft 365 data effectively. What they need is a clear framework: three components, defined recovery objectives, and a tested process.
Why Microsoft 365 Is Not a Replacement for Proper Backup
Microsoft operates on a shared responsibility model. Microsoft is responsible for the infrastructure – the servers, the network, the availability of the service. The organisation is responsible for its data.
Microsoft 365 includes features such as the Recycle Bin, version history, and retention policies in the Microsoft Purview compliance portal (formerly the Compliance Center). The Recycle Bin and version history are designed for recovery from accidental deletion within defined windows: by default 14 days (configurable up to 30) for deleted mailbox items in Exchange Online, and 93 days for the SharePoint and OneDrive recycle bins. After these windows close, the data is permanently deleted. Retention policies can hold data for years, but they preserve items for compliance and eDiscovery rather than offering a point-in-time restore of a mailbox or site.
What Microsoft does not provide:
Reliable recovery from ransomware that encrypts or overwrites files through a compromised account or synced client, once the recycle-bin and version-history windows have passed
Recovery from admin errors that delete entire mailboxes or SharePoint sites, once the respective windows (30 days for a deleted mailbox, 93 days for a deleted site) have elapsed
Long-term archiving that satisfies legal or audit requirements beyond the default retention periods
Granular, point-in-time recovery with guaranteed restore times
According to ENISA best practices for cyber crisis management (https://www.enisa.europa.eu/publications/best-practices-for-cyber-crisis-management), organisations should distinguish between availability (uptime of a service) and recoverability (the ability to restore data after a loss event). Microsoft’s service-level agreement covers the first. The second requires an independent backup solution.
What Does a Small Organisation Actually Need to Back Up?
Microsoft 365 contains several data types that serve different operational and legal purposes. Not all require the same level of protection.
Exchange Online (email and calendars)
Email is typically the highest-priority workload. It is used for contracts, client communication, and audit trails. A deleted-item window of 14 to 30 days is insufficient for most organisations that must retain records for 5 to 7 years.
SharePoint Online and OneDrive
These store documents, project files, and operational data. Version history exists, but it does not protect against complete folder or site deletion, nor against ransomware that alters files over a long period before detection.
Microsoft Teams
Teams stores chat history and attached files across both Exchange and SharePoint. Teams data is often overlooked in backup planning despite being a primary collaboration channel for many organisations.
Microsoft 365 Groups and Planner
Less critical for most small organisations, but worth including if these tools are used for project coordination. For organisations subject to the NIS2 Directive
Conclusion: Availability Is Not the Same as Recoverability
Small organisations often delay Microsoft 365 backup because they assume it is complex, expensive, or already handled by Microsoft. None of these assumptions are accurate. Microsoft provides availability – not recoverability. A practical backup framework requires three steps, runs in the background with minimal maintenance, and costs a fraction of what a single recovery incident would cost.
The question is not whether your organisation can afford to back up Microsoft 365. It is whether you can afford not to.
Four Mistakes Small Organisations Commonly Make
Mistake 1: Relying solely on Microsoft’s retention policies
Retention policies serve a compliance function, not a recovery function. They keep items discoverable for eDiscovery; they are not designed to restore a mailbox or site to a known-good state after a malicious event or significant user error.
Mistake 2: Never testing the restore process
Organisations that have never tested a restore often discover – at the worst possible moment – that their backup process was misconfigured, that credentials expired, or that a critical workload was excluded.
Mistake 3: Overlooking Teams and SharePoint
Email backup is often in place, but Teams chats and SharePoint sites are frequently forgotten. In practice, these often contain more operationally critical data than email.
A Practical Three-Step Framework for Small Organisations
The following framework is designed for organisations without a dedicated IT department. It requires a one-time setup of approximately half a day and minimal ongoing maintenance.
Step 1: Determine how much downtime and data loss is acceptable
Before selecting a tool, define two parameters and write them down. They are your requirements, not a vendor’s marketing claim.
Recovery Time Objective (RTO): how long your organisation can operate without email or documents. For most small businesses, 4 to 24 hours is the realistic threshold.
Recovery Point Objective (RPO): how much data you can afford to lose, measured as the time between the last usable backup and the loss event. Daily backup gives an RPO of 24 hours and covers most needs; critical workloads may require more frequent snapshots.
Step 2: Choose a backup solution built specifically for Microsoft 365
Use a solution designed specifically for Microsoft 365, not a general-purpose file backup tool. Key criteria:
Backs up Exchange, SharePoint, OneDrive, and Teams from a single interface
Stores backup data in a location independent of Microsoft’s infrastructure (a separate cloud or on-premises), so that a compromised tenant administrator cannot also delete the backups
Authenticates to the tenant with its own least-privilege identity rather than a shared global administrator account
Supports granular restore (an individual email, file, or site, not just a full restore)
Provides clear retention configuration (minimum 1 year; 7 years for regulated industries)
Mindtime’s Microsoft Cloud Backup (https://mindtime.eu/products-microsoft-cloud-security/) is built on these principles and is designed for organisations that need reliable protection without managing complex infrastructure.
Step 3: Test the restore process and document it
A backup that has never been tested is not a backup; it is an assumption. Schedule a quarterly restore test, restore at least one item from each workload (a mailbox item, a SharePoint file, a OneDrive file, a Teams conversation), and document the following:
Who initiates the restore
Which system is used
Expected restore time, and the time actually measured against your RTO
What was tested and the outcome
This documentation is also relevant for insurance purposes and, in regulated sectors, for NIS2 compliance.
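To make Steps 1 to 3 (and Mistakes 2 and 3 above) concrete, here is an added example; it is not code from the original article or from Mindtime. It reads a backup job report, compares each workload’s last successful job against the RPO and the minimum retention, flags any of the four workloads that has no job at all, and compares the restore times measured in a drill against the RTO. The comma-separated report format, the sample jobs, the timestamps and the drill results are all constructed for the example, not a real vendor’s export.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The four workloads the framework says must be covered.
REQUIRED_WORKLOADS = ("Exchange", "SharePoint", "OneDrive", "Teams")


@dataclass(frozen=True)
class Objectives:
    rpo: timedelta            # maximum acceptable data loss (Step 1)
    rto: timedelta            # maximum acceptable time to restore (Step 1)
    min_retention_days: int   # minimum backup retention (Step 2)


@dataclass(frozen=True)
class JobRecord:
    workload: str
    finished: datetime        # timezone-aware, UTC
    status: str               # "success" or "failed"
    retention_days: int


def parse_report(text):
    """Parse one job per line: workload,finished_utc_iso,status,retention_days.
    This line format is an assumption for the example, not a real vendor export."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        workload, finished, status, retention = (f.strip() for f in line.split(","))
        records.append(JobRecord(
            workload=workload,
            finished=datetime.fromisoformat(finished).astimezone(timezone.utc),
            status=status.lower(),
            retention_days=int(retention),
        ))
    return records


def check_backups(records, objectives, now):
    """Return a list of findings (empty means healthy) for coverage, RPO and retention."""
    findings = []
    by_workload = {}
    for r in records:
        by_workload.setdefault(r.workload, []).append(r)
    for w in REQUIRED_WORKLOADS:
        jobs = by_workload.get(w, [])
        if not jobs:  # Mistake 3: the workload was never included
            findings.append(f"{w}: no backup job configured (workload excluded)")
            continue
        good = [r for r in jobs if r.status == "success"]
        if not good:
            findings.append(f"{w}: no successful backup in report")
            continue
        last = max(good, key=lambda r: r.finished)   # only successes count towards RPO
        age = now - last.finished
        if age > objectives.rpo:
            findings.append(f"{w}: last good backup is {age} old, exceeds RPO {objectives.rpo}")
        if last.retention_days < objectives.min_retention_days:
            findings.append(f"{w}: retention {last.retention_days} days is below minimum "
                            f"{objectives.min_retention_days}")
    return findings


def check_restore_drill(measured, objectives):
    """measured maps workload -> timedelta of the last restore test; a missing key
    means the restore was never tested (Mistake 2)."""
    findings = []
    for w in REQUIRED_WORKLOADS:
        t = measured.get(w)
        if t is None:
            findings.append(f"{w}: restore never tested")
        elif t > objectives.rto:
            findings.append(f"{w}: measured restore {t} exceeds RTO {objectives.rto}")
    return findings


# Constructed sample data: Teams has no job, OneDrive's last success is three days
# old, SharePoint is kept for only 90 days, and two workloads were never restored.
SAMPLE_REPORT = """
# workload,finished(UTC),status,retention_days
Exchange,2024-05-06T01:10:00+00:00,success,2555
SharePoint,2024-05-06T01:25:00+00:00,success,90
OneDrive,2024-05-03T01:20:00+00:00,success,365
OneDrive,2024-05-05T01:20:00+00:00,failed,365
"""
NOW = datetime(2024, 5, 6, 8, 0, tzinfo=timezone.utc)
OBJECTIVES = Objectives(rpo=timedelta(hours=24), rto=timedelta(hours=24), min_retention_days=365)
DRILL = {"Exchange": timedelta(hours=3), "SharePoint": timedelta(hours=30)}


def run_check(report=SAMPLE_REPORT, objectives=OBJECTIVES, now=NOW, drill=DRILL):
    """Return (backup findings, restore-drill findings) for the given inputs."""
    records = parse_report(report)
    return check_backups(records, objectives, now), check_restore_drill(drill, objectives)


if __name__ == "__main__":
    backup_findings, drill_findings = run_check()
    for finding in backup_findings + drill_findings:
        print("FAIL", finding)
    if not (backup_findings or drill_findings):
        print("OK: all workloads within RPO, RTO and retention")
```

Run as a script, the sample produces six findings: SharePoint retention below the minimum, OneDrive outside the RPO (its most recent job failed, so only the older success counts), Teams excluded entirely, SharePoint restore slower than the RTO, and OneDrive and Teams never restored. Replacing the constructed report with an export from the backup tool turns this into the quarterly check the framework asks for.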