TL;DR
Microsoft and Google do not guarantee recovery of your data after accidental deletion, ransomware, or malicious insider actions — the shared responsibility model leaves that risk with you. This playbook outlines what Australian SMBs must back up, which third-party tools fit a 10–50 person team, and how to run a quarterly restore drill that actually proves your backups work.
The Shared Responsibility Gap
Cloud providers protect their infrastructure. They do not protect your data from you.
Microsoft 365 and Google Workspace operate under a shared responsibility model: the vendor ensures the service is available, while the customer is responsible for the data inside it. Microsoft retains deleted Exchange Online items for a maximum of 93 days. Google Workspace offers 25–30 days for Gmail and Drive via the admin console. After that, data is permanently purged. If a ransomware strain encrypts your SharePoint libraries, a disgruntled admin wipes a Shared Drive, or a retention policy silently deletes old project files, neither vendor will restore it. The 2026 LiteLLM supply chain cascade demonstrated how quickly production credentials and intellectual property ca
What Must Be Backed Up
An SMB running on Microsoft 365 or Google Workspace should treat the following as critical backup scope:
| Data Type | M365 Component | Google Workspace Component | Why It Matters |
|---|---|---|---|
| Email | Exchange Online, shared mailboxes | Gmail, Google Groups | Primary business communication and legal record |
| Files | OneDrive, SharePoint document libraries | Google Drive, Shared Drives | Contracts, financials, IP, operational documents |
| Collaboration | Teams chats, channel files, wiki tabs | Chat spaces, Drive attachments | Context and decisions that do not live in email |
| Calendar & Contacts | Exchange calendar, Outlook contacts | Google Calendar, Contacts | Scheduling history and business relationships |
| Configurations | SharePoint site structures, Teams settings | Admin policies, Drive sharing rules | Recovery speed depends on restoring the environment, not just files |
Retention targets should align with the Australian Securities and Investments Commission (ASIC) record-keeping requirements and the Notifiable Data Breaches scheme: seven years for financial records, and point-in-time restore capability for at least 90 days for operational data.
Third-Party Backup Options for 10–50 Users
The native recycle bin is not a backup strategy. For a 10–50 headcount Australian SMB, evaluate these dedicated SaaS backup tools:
| Product | Best For | Rough AUD Pricing (10–50 seats) | Notes |
|---|---|---|---|
| Veeam Backup for M365 | M365-heavy environments, hybrid setups | ~$5–7/user/month | Mature, granular item-level restore, requires self-hosted or Veeam-hosted infrastructure |
| Afi | Google Workspace-first teams | ~$4–6/user/month | Fastest GWS restore speeds, strong ransomware detection, Australian data centre option |
| Dropsuite | Budget-conscious multi-tenant MSPs | ~$3–5/user/month | Email and website backup focus, simple compliance reporting |
| Spanning (by Kaseya) | Teams wanting set-and-forget | ~$4–6/user/month | Good M365/GWS coverage, automated daily backups |
Selection criteria: Australian data residency, AES-256 encryption at rest and in transit, point-in-time restore granularity, and immutable backup storage (write-once, read-many) to survive a compromised admin account.
The Quarterly Restore-Test Drill
A backup you have never restored is a hypothesis. Run this drill every quarter:
- Pick a scenario: accidental deletion, ransomware simulation (restore from before an arbitrary date), or departing employee data recovery.
- Restore to an isolated location: never overwrite live production during a test.
- Verify integrity: spot-check file contents, email headers, and metadata. A hash mismatch means the backup chain is corrupted.
- Time the process: document how long it takes to restore a single mailbox, a Shared Drive, and an entire SharePoint site. This becomes your recovery time objective (RTO) baseline.
- Update the runbook: if the restore took longer than four hours for critical data, your architecture or tooling needs adjustment.
Schedule the next drill before closing the current one. If a restore fails, treat it as a live incident — because during a real breach, it will be.
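One way to script the verify, time and runbook steps of the drill, as an added example that is not part of the original playbook. It assumes a SHA-256 manifest was taken from a known-good copy of the data before the drill; the function names are hypothetical and the files in `demo()` are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

RTO_LIMIT_SECONDS = 4 * 60 * 60  # the playbook's four-hour limit for critical data


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so large restored files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restore_root: Path, elapsed_seconds: float) -> dict:
    """Compare a restored tree with a manifest taken from a known-good copy."""
    restored = build_manifest(restore_root)
    missing = sorted(manifest.keys() - restored.keys())
    mismatched = sorted(k for k in manifest.keys() & restored.keys()
                        if manifest[k] != restored[k])
    rto_met = elapsed_seconds <= RTO_LIMIT_SECONDS
    return {"missing": missing, "mismatched": mismatched,
            "unexpected": sorted(restored.keys() - manifest.keys()),
            "rto_met": rto_met, "passed": not (missing or mismatched) and rto_met}


def demo() -> dict:
    """Constructed sample: one file restored intact, one corrupted, one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restore = Path(tmp, "source"), Path(tmp, "restore")
        for root in (source, restore):  # the ledger is restored intact
            (root / "finance").mkdir(parents=True)
            (root / "finance/ledger.csv").write_text("date,amount\n2024-07-01,120.00\n")
        (source / "contract.txt").write_text("signed copy")
        (source / "notes.txt").write_text("meeting notes")  # never restored
        manifest = build_manifest(source)  # taken before the drill
        (restore / "contract.txt").write_text("signed c0py")  # simulated corruption
        return verify_restore(manifest, restore, elapsed_seconds=3 * 3600)


if __name__ == "__main__":
    print(demo())
```

Point `verify_restore` at the isolated restore location, never at production, and file the returned report with the drill's runbook entry.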
FAQ
Q: Doesn't Microsoft 365 already back up my data? A: No. Microsoft replicates data across their infrastructure for uptime, but deleted items age out after 93 days and ransomware-encrypted files are treated as legitimate user edits. You need an independent backup copy outside the M365 tenant.
Q: Is Google Vault a backup tool? A: Google Vault is an eDiscovery and archiving tool for legal holds and compliance. It is not designed for fast point-in-time restore of individual files or mailboxes. Do not rely on it for disaster recovery.
Q: How often should backups run? A: At minimum, daily automated backups for email and files. For organisations handling sensitive client data or regulated industries, incrementals every four hours with a retained snapshot every 24 hours is the safer baseline.
Q: What is the ACSC's position on cloud backups? A: The Australian Cyber Security Centre recommends the "3-2-1" rule: three copies of data, on two different media types, with one copy offline or immutable. This applies to cloud SaaS environments just as it does to on-premises servers.
Conclusion
The shared responsibility model is not a loophole — it is a boundary. Everything on your side of that boundary is your risk to manage. For an Australian SMB, that means defining backup scope beyond email, selecting a third-party tool with local data residency, and proving recovery works before you need it.
Start with an audit of what lives in your M365 or Google Workspace tenant today. Map it against the checklist above. If you cannot restore a deleted email from six weeks ago in under an hour, your backup strategy is incomplete.
Visit consult.lil.business for a free cybersecurity assessment and a tailored backup recovery plan for your business.
References
- Australian Cyber Security Centre — Essential Eight: Data Recovery
- Microsoft — Shared Responsibility in the Cloud
- Google Workspace Admin Help — Data retention and the Vault