TL;DR
Microsoft and Google protect their infrastructure — not your data. The shared-responsibility model leaves a gap: accidental deletion, ransomware, malicious admins, and retention-policy purges can permanently destroy business data after 30–93 days. Australian SMBs with 10–50 staff need a dedicated third-party backup solution, documented retention targets, and a quarterly restore-test drill to survive a breach. This playbook compares four leading options and gives you a practical checklist to close the gap.
The Gap You Didn't Know You Had
When you move to Microsoft 365 or Google Workspace, you assume your data is backed up. It isn't — at least, not in the way you think.
Both platforms operate on a shared-responsibility model. Microsoft and Google guarantee service uptime and infrastructure resilience. They replicate data across data centres to survive hardware failures. What they do not guarantee is recovery from anything that happens inside your tenant: accidental deletion, a departing employee wiping files, a ransomware attack encrypting your SharePoint library, or a malicious admin purging retention policies.
Native recycle bins cover 30 days in Google Workspace and 93 days in Microsoft 365. After that window closes, data is gone permanently. No support ticket will bring it back.
This gap is not theoretical. In 2025 alone, Sophos tracked 5,400 documented ransomware attacks across 137 countries. Ransomware groups expanded by 35%, and newer outfits like Qilin now boast over 1,000 victims. Credential-based attacks — where an attacker logs in as a legitimate user — now account for millions of compromised identities monthly. When an attacker authenticates as your finance director and deletes every Teams channel, Microsoft's native retention won't save you [1].
What Must Be Backed Up
For a 10–50 seat SMB, the backup scope should cover:
| Service | Microsoft 365 | Google Workspace |
|---|---|---|
| Email | Exchange Online mailboxes, archives, public folders | Gmail (primary + archived) |
| Files | OneDrive for Business, SharePoint document libraries | Google Drive (My Drive + Shared Drives) |
| Collaboration | Teams chats (1:1 + channel), Planner tasks | Google Chat spaces, Meet recordings |
| Identity | Entra ID groups + conditional access policies | Workspace group memberships + OUs |
A common blind spot: Teams channel files live in SharePoint. Backing up SharePoint covers the files, but not the chat context around them. If your team uses Teams as its operational hub, chat-level backup matters.
Comparing Third-Party Backup Products (10–50 Seats)
Four products dominate the SMB-friendly M365/Workspace backup market in Australia. All prices are approximate per-user-per-month in AUD as of mid-2026.
| Product | M365 Price | Workspace Price | Key Strength | Watch For |
|---|---|---|---|---|
| Veeam M365 | ~$4.80/user/mo | Via partner only | Enterprise heritage, flexible storage targets (object, local, cloud) | Requires infrastructure to run (VM or server); overkill for sub-10 seats |
| Afi | ~$5.00/user/mo | ~$5.00/user/mo | AI-powered search across backups, automated restore testing, no infrastructure | Newer player; check Australian data residency |
| Dropsuite | ~$3.80/user/mo | ~$3.80/user/mo | Australian-born, local data centres, tight RPO (as low as 3x daily) | Primarily sold through telco/reseller partners (Telstra, etc.) |
| Spanning | ~$7.00/user/mo | ~$7.00/user/mo | Simple setup, cross-platform if you run both M365 and Workspace | Premium pricing per seat; fewer granular restore options |
Recommendation for 10–50 seats: Dropsuite wins on price and Australian data sovereignty if you're buying through a local MSP. Afi wins on automation — its AI-driven restore testing means you're not manually verifying backups monthly. Veeam suits teams already running on-prem infrastructure who want backup sovereignty (storing copies outside the cloud platform entirely).
The Quarterly Restore-Test Drill
Only 5% of SMBs have tested their Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets within the past quarter. A backup that hasn't been restored is a wish, not a plan.
Run this drill every 90 days:
- Pick a real file. Choose a recent SharePoint document or a Shared Drive file modified in the last 7 days.
- Simulate deletion. Note the timestamp. Delete it (this is the safe part — you're testing backup, not live data).
- Time the restore. From deletion to the moment the file is back in the user's viewable folder — that's your RTO.
- Check the last backup timestamp. The gap between file modification and the most recent backup snapshot is your RPO. Target: under 4 hours for mail, under 12 hours for files.
- Document. Log both numbers. If RTO exceeds 2 hours or RPO exceeds your target, escalate to your vendor or MSP.
Rotate the test across services — email one quarter, Teams chats the next, Shared Drives the third. A single SharePoint file restore is not proof your entire tenant can recover.
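The drill is easy to run once and forget, so it helps to record each quarter's numbers in a form that applies the escalation rule for you and keeps a history you can show an auditor or insurer. The script below is an added example, not part of the playbook or any vendor's tooling. It assumes four timestamps per drill (last modification, newest backup snapshot, deletion, restore), uses the RTO and RPO thresholds from the steps above, and rotates mail, chat and files across quarters; the chat RPO target and the sample drill records are constructed assumptions. It also handles the case the steps do not spell out: if the newest snapshot is older than the file's last edit, the restore would bring back a stale copy, so that drill is flagged regardless of how fast the restore was.

```python
"""Quarterly restore-test drill: compute RTO and RPO and decide whether to escalate.

Added example, not part of the original playbook. The record layout, the
service names and the constructed sample drills are assumptions; the RTO/RPO
thresholds are the ones given in the drill steps.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

RTO_MAX = timedelta(hours=2)                 # escalate if the restore takes longer than this
RPO_MAX = {
    "mail": timedelta(hours=4),              # playbook target for mail
    "files": timedelta(hours=12),            # playbook target for files
    "chat": timedelta(hours=12),             # assumed: chat treated like files
}
ROTATION = ["mail", "chat", "files"]         # email one quarter, Teams chats the next, Shared Drives the third


@dataclass
class DrillRecord:
    service: str              # "mail", "chat" or "files"
    item: str                 # what you deleted and restored
    modified_at: datetime     # last modification of the chosen item before the drill
    last_backup_at: datetime  # most recent backup snapshot available when you restored
    deleted_at: datetime      # when you deleted it
    restored_at: datetime     # when it was back in the user's folder


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a value without an offset is assumed to be UTC."""
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def minutes(delta: timedelta) -> int:
    return int(delta.total_seconds() // 60)


def next_service(previous: str) -> str:
    """Pick the service to drill next quarter, so the test rotates across the tenant."""
    return ROTATION[(ROTATION.index(previous) + 1) % len(ROTATION)]


def evaluate(rec: DrillRecord) -> dict:
    """Return RTO and RPO in minutes plus the escalation decision and its reasons."""
    if rec.restored_at < rec.deleted_at:
        raise ValueError("restored_at precedes deleted_at")
    reasons = []
    rto = rec.restored_at - rec.deleted_at
    if rec.last_backup_at < rec.modified_at:
        # The newest snapshot predates the edit: the restore brings back a stale
        # version, so the change was never protected. No RPO number is meaningful.
        rpo = None
        reasons.append("latest snapshot predates the modification; the change was not backed up")
    else:
        rpo = rec.last_backup_at - rec.modified_at
        if rpo > RPO_MAX[rec.service]:
            reasons.append(f"RPO {minutes(rpo)} min exceeds target {minutes(RPO_MAX[rec.service])} min")
    if rto > RTO_MAX:
        reasons.append(f"RTO {minutes(rto)} min exceeds {minutes(RTO_MAX)} min")
    return {
        "service": rec.service,
        "item": rec.item,
        "rto_minutes": minutes(rto),
        "rpo_minutes": None if rpo is None else minutes(rpo),
        "escalate": bool(reasons),
        "reasons": reasons,
        "next_service": next_service(rec.service),
    }


def log_line(result: dict) -> str:
    """One JSON line per drill, suitable for appending to a drill log file."""
    return json.dumps(result, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample drills (not real tenant data).
    drills = [
        DrillRecord("mail", "invoice thread", parse_ts("2026-03-02T09:00:00"),
                    parse_ts("2026-03-02T10:30:00"), parse_ts("2026-03-02T11:00:00"),
                    parse_ts("2026-03-02T11:45:00")),
        DrillRecord("files", "Shared Drive budget.xlsx", parse_ts("2026-06-01T08:00:00"),
                    parse_ts("2026-06-01T06:00:00"), parse_ts("2026-06-01T09:00:00"),
                    parse_ts("2026-06-01T12:30:00")),
    ]
    for d in drills:
        print(log_line(evaluate(d)))
```

Append one line per quarter to a drill log and the `next_service` field tells you what to test next time; a run that prints `"escalate": true` is the trigger to open the ticket with your vendor or MSP.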
FAQ
Q: Doesn't Microsoft 365's 93-day retention cover me? A: Retention policies preserve data for compliance — they were never designed for disaster recovery. If a ransomware variant encrypts files and the 93-day window passes before you notice, the encrypted version becomes the retained version. Retention is not backup. Additionally, a malicious global admin can purge retention policies entirely. Third-party backup with immutable storage prevents this [2].
Q: We're only 15 staff. Is third-party backup really necessary? A: Research from Check Point confirms that attackers increasingly target mid-sized businesses specifically because they hold valuable data but invest less in defence than enterprises. A 15-person accounting firm losing every client file in Google Drive faces the same operational paralysis as a 500-person firm — but with fewer resources to rebuild. At ~$60–100/month for a full backup solution, it is one of the cheapest insurance policies a business can purchase [3].
Q: Can't I just use a Synology NAS and sync everything locally? A: Synology's Active Backup for Microsoft 365 is a legitimate option and costs nothing beyond the hardware. However, it introduces new risks: the NAS becomes a single point of failure, requires off-site replication, and you are responsible for its security patches and physical protection. For most 10–50 seat SMBs, a SaaS backup product with immutable storage removes the self-managed infrastructure risk.
Q: How often should backups run? A: Minimum 3x daily for email, 1x daily for files. Dropsuite and Afi both support this cadence. Anything less than daily means you risk losing an entire business day's work — acceptable in 2018, not in 2026 when the average ransomware dwell time (time from intrusion to detonation) has compressed from weeks to hours.
Conclusion
Your cloud productivity suite is a shared-responsibility platform, not a backup service. The playbook is simple: scope what needs backing up (mail, files, chats, identity), pick a third-party product matched to your seat count and budget, set explicit RPO and RTO targets, and run a hands-on restore test every 90 days. Documentation means nothing without verification.
Next step: Visit consult.lil.business for a free 30-minute cybersecurity assessment. We'll review your current M365 or Google Workspace setup, identify backup gaps, and recommend the right product for your team size and budget — no obligation, no vendor lock-in.
References
- Sophos Threat Research: Ransomware Landscape 2025-2026
- ACSC Essential Eight: Backup and Recovery Guidance
- Check Point: Exclusive Warning on Rising SMB Cyber Risk
ELI10: Ransomware Gangs Are Adapting — Here's Why Your Backup Isn't Enough Anymore
TL;DR
- Ransomware is like someone locking your filing cabinets and demanding payment for the key.
- Businesses got smart — they started making copies of everything first. So now attackers also steal the files before locking them.
- The average ransom demand is now over $1 million. 86% of businesses don't pay.
- The businesses that survive do three things: keep backups criminals can't reach, know exactly how to restore, and watch for suspicious copying before the lock-up happens.
Imagine your business is a restaurant. All your recipes, customer contacts, supplier contracts — everything that keeps the doors open — lives in filing cabinets in the back office.
A ransomware attack is like someone sneaking in overnight, locking every single cabinet with their own padlocks, and leaving a note: "Pay us $1 million and we'll give you the keys."
For years, smart businesses fought back by making copies. Keep a backup of every file somewhere else — your own fireproof safe, an offsite storage unit, a cloud system only you can access. Problem solved, right? If they lock the cabinets, you just use your copies.
Ransomware criminals noticed. And they adapted.
What "Dual Extortion" Means (and Why It Changes Everything)
Now, before attackers lock your filing cabinets, they quietly make their own copies first. Every customer record, every financial document, every private contract — they copy it all out the back door before they lock up.
Then they leave two notes. Note one: "Pay us to unlock your cabinets." Note two: "If you don't pay, we'll post all your private files on the internet for anyone to see."
This is called dual extortion, and it now accounts for 70% of ransomware attacks [1]. Even if you can restore from your backup — even if you never need to pay the ransom — your private data might still end up exposed.
The Real Numbers (Translated)
- The average ransom demand in 2025 was over $1 million [1]. That went up 47% in a single year.
- 86 out of 100 businesses that got hit refused to pay [1]. Good call.
- For the 14% who did pay, negotiators helped get the demand reduced by about 65% — but they still paid an average of $355,000 [1].
- Retailers saw a 58% jump in ransomware attacks in the middle of 2025. Manufacturers saw a 61% jump [2].
The good news: the amount of damage ransomware causes is actually going down — 19% lower on average than the year before [1]. That's because backup strategies are working. Businesses are recovering without paying. The criminals get nothing.
The 3 Things That Actually Protect You
Think of these as three locks on three different doors.
Lock 1: Backups Criminals Can't Reach
Your backup copy needs to live somewhere that an attacker — even one who has already taken over your entire computer system — simply cannot get to. That means separate login credentials, a separate system, and ideally a "write once, read many" storage system where files can be added but never deleted or changed. It's like keeping a copy of your filing cabinet contents in a vault only you can open, with no connection to your main office.
Lock 2: A Tested Recovery Plan
Having a copy means nothing if you don't know how to use it under pressure. Write down, step by step, exactly how your business would get back online if every computer was suddenly unusable. Then practice it. The businesses that recover quickly have done this. The ones that struggle haven't.
Lock 3: Watching for the "Copy Before the Lock" Move
Because attackers now steal data before they encrypt it, you need to watch for unusual copying or large file transfers happening on your systems — especially outside business hours. Most business email and cloud storage tools have free alert settings for this. Turn them on.
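To make "watch for unusual copying" concrete, here is what such an alert rule looks like when written down. This is an added example, not code from the article or from Microsoft or Google: it assumes a simplified audit log with one JSON object per line carrying a time, a user, an operation name and a byte count, and the operation names, the 08:00 to 18:00 weekday business-hours window and both thresholds are assumptions you would tune to your own tenant. The audit lines it runs over are constructed. Two rules are applied per user: more than a set volume downloaded inside any one-hour window, and more than a set number of downloads outside business hours.

```python
"""Flag "copy before the lock" activity in a cloud audit log.

Added example, not part of the original article. The log format (one JSON
object per line with time, user, op and bytes), the operation names, the
business-hours window and the thresholds are all assumptions; the sample
events are constructed. Timestamps are treated as local time.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_START, BUSINESS_END = 8, 18          # 08:00-18:00, Monday to Friday (assumed)
WINDOW = timedelta(hours=1)                   # volume is measured over a sliding 1-hour window
BULK_BYTES = 500 * 1024 * 1024                # assumed: 500 MB in one hour is unusual for this tenant
OFF_HOURS_DOWNLOADS = 20                      # assumed: this many off-hours downloads by one user
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}  # assumed operation names


def is_off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def parse_events(lines):
    """Parse JSON-lines audit records into dicts sorted by time; blank lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(raw["time"]),
            "user": raw["user"],
            "op": raw["op"],
            "bytes": int(raw.get("bytes", 0)),
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect(lines):
    """Return a list of alerts: bulk download volume and off-hours download counts per user."""
    downloads = defaultdict(list)
    for e in parse_events(lines):
        if e["op"] in DOWNLOAD_OPS:
            downloads[e["user"]].append(e)

    alerts = []
    for user, evs in downloads.items():
        # Sliding window over this user's time-ordered downloads: track the
        # largest byte total seen in any one-hour span.
        start, total, peak, peak_at = 0, 0, 0, None
        for e in evs:
            total += e["bytes"]
            while e["time"] - evs[start]["time"] > WINDOW:
                total -= evs[start]["bytes"]
                start += 1
            if total > peak:
                peak, peak_at = total, e["time"]
        if peak >= BULK_BYTES:
            alerts.append({"rule": "bulk_download", "user": user,
                           "bytes_in_window": peak, "at": peak_at.isoformat()})

        off_hours = [e for e in evs if is_off_hours(e["time"])]
        if len(off_hours) >= OFF_HOURS_DOWNLOADS:
            alerts.append({"rule": "off_hours_downloads", "user": user,
                           "count": len(off_hours), "first": off_hours[0]["time"].isoformat()})
    return alerts


def constructed_sample():
    """Constructed audit lines: one routine user, one bulk off-hours downloader, one benign evening user."""
    lines = []
    for i in range(10):  # alice: small downloads during a Monday morning
        t = datetime(2026, 3, 9, 10, 0) + timedelta(minutes=5 * i)
        lines.append(json.dumps({"time": t.isoformat(), "user": "alice@example.com",
                                 "op": "FileDownloaded", "bytes": 2 * 1024 * 1024}))
    for i in range(30):  # mallory: 30 x 25 MB pulled in 30 minutes at 2 a.m. on a Sunday
        t = datetime(2026, 3, 8, 2, 0) + timedelta(minutes=i)
        lines.append(json.dumps({"time": t.isoformat(), "user": "mallory@example.com",
                                 "op": "FileSyncDownloadedFull", "bytes": 25 * 1024 * 1024}))
    for i in range(2):   # bob: two evening downloads, under both thresholds
        t = datetime(2026, 3, 9, 19, 30) + timedelta(minutes=10 * i)
        lines.append(json.dumps({"time": t.isoformat(), "user": "bob@example.com",
                                 "op": "FileDownloaded", "bytes": 50 * 1024 * 1024}))
    lines.append(json.dumps({"time": "2026-03-09T11:00:00", "user": "alice@example.com",
                             "op": "AnonymousLinkCreated"}))  # not a download; ignored here
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_sample()):
        print(json.dumps(alert))
```

The built-in alert policies in Microsoft 365 and Google Workspace apply the same idea without any scripting; the value of seeing it written out is knowing which two questions the alert is answering (how much, and when), so you can judge whether the thresholds you turned on are tight enough for your tenant.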
The Other Big Threat: Business Email Scams
Ransomware gets the headlines, but Business Email Compromise is actually the most common cyber insurance claim — 31% of all incidents [1]. This is where someone gets into your email, or pretends to be your accountant or boss, and convinces someone in your business to transfer money somewhere fraudulent.
The average loss is $27,000 per incident [1]. The prevention is simple: for any payment change request that arrives by email, call the person directly to confirm. No exceptions. That one phone call prevents most of these attacks.
What to Do This Week
- Check your backup setup: Can a hacker who already has your passwords access your backups? If yes, fix that first.
- Write a recovery runbook: If everything broke today, how would you get back up? Write the steps down.
- Turn on file transfer alerts: In Microsoft 365 or Google Workspace, turn on alerts for large downloads or unusual sharing activity.
- Add a phone confirmation rule: Any payment change request by email must be confirmed by phone. No exceptions.
Your business is already more resilient than it was two years ago — the data proves it. These four steps make that resilience last.
FAQ
Both. The frequency of attacks is flat and the average damage is down 19% — which means backup strategies are working. But attackers have adapted by also stealing data before encrypting it (dual extortion), so the nature of the threat has changed even if the raw financial damage is dropping [1].
Cloud backup services start at under $20/month for small businesses. Microsoft 365 Business includes backup options. The cost of doing nothing is $262,000 on average — and that's the better outcome [1]. This is one of the highest-ROI investments a small business can make.
No — 86% of businesses don't pay and most recover successfully [1]. The key is having backups in place before an attack. Without backups, you're in a much harder position. With them, you restore and move on.
BEC is when attackers either hack into a business email account or convincingly impersonate someone — usually a boss, vendor, or bank — to trick employees into making fraudulent payments. The single best prevention is a verbal confirmation policy: any payment instruction received by email must be confirmed by phone before action is taken [1].
References
[1] Coalition, "2025 Cyber Claims Report," Coalition, 2026. [Online]. Available: https://www.coalitioninc.com/blog/coalition-cyber-claims-report-2025
[2] CyberProof, "CyberProof 2026 Global Threat Intelligence Report," CyberProof, 2026. [Online]. Available: https://www.cyberproof.com/cyberproof-2026-global-threat-intelligence-report/
[3] Help Net Security, "Backup strategies are working, and ransomware gangs are responding with data theft," Help Net Security, March 6, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/06/cyber-claims-report-ransomware-gangs-data-theft/
[4] Cybersecurity and Infrastructure Security Agency, "Malicious Domain Blocking and Reporting (MDBR)," CISA, 2026. [Online]. Available: https://www.cisa.gov/resources-tools/services/malicious-domain-blocking-and-reporting-mdbr
[5] eSecurity Planet, "CyberProof 2026 Report Warns of Rising Identity and AI Cyberattacks," eSecurity Planet, March 6, 2026. [Online]. Available: https://www.esecurityplanet.com/threats/cyberproof-2026-report-warns-of-rising-identity-and-ai-cyberattacks/
Want someone to check if your backup setup would actually survive a ransomware attack? That's exactly what lilMONSTER does. Book a free 30-minute consultation →