TL;DR
Microsoft and Google protect their cloud infrastructure — not your data once you delete it or an attacker encrypts it. Their built-in retention windows (14–93 days) are not backups. This playbook lays out what to back up, which third-party tools fit a 10–50 person Australian business, and how to run a quarterly restore drill so you know your safety net actually works.
The Shared-Responsibility Gap Most SMBs Miss
Get Our Weekly Cybersecurity Digest
Every Thursday: the threats that matter, what they mean for your business, and exactly what to do. Trusted by SMB owners across Australia.
No spam. No tracking. Unsubscribe anytime. Privacy
Here is the assumption that catches businesses off guard: "We pay for Microsoft 365 / Google Workspace, so our data is backed up." It is not. Both vendors operate under a shared-responsibility model. They guarantee platform uptime, redundancy across data centres, and protection against their own hardware failures. What they do not guarantee is recovering your data after:
- Accidental deletion. A staff member deletes a SharePoint site or a Shared Drive. After the recycle-bin window expires, it is gone.
- Ransomware. An attacker encrypts files in OneDrive or Drive. The encrypted versions sync to the cloud, overwriting good copies.
- Malicious admin acti
ons. A disgruntled administrator bulk-purges mailboxes before anyone notices.
Free Resource
Get the Free Cybersecurity Checklist
A practical, no-jargon security checklist for businesses. Download free — no spam, unsubscribe anytime.
Send Me the Checklist → - Retention-policy purges. Compliance retention lapses or misconfigured policies silently hard-delete content.
Microsoft 365 retains deleted items for 14–93 days depending on the workload and licence tier. Google Vault holds data only as long as your retention rules specify — and rules can be changed or removed. Beyond those windows, neither vendor can recover your data. Period.
For Australian SMBs subject to the Privacy Act 1988 and the Notifiable Data Breaches scheme, losing customer records, financial documents, or correspondence is not just an operational headache — it is a potential regulatory breach.
What to Back Up: The Complete Checklist
Every Australian SMB running Microsoft 365 or Google Workspace should back up the following workloads:
| Workload | What It Contains | Why It Matters |
|---|---|---|
| Email (Exchange / Gmail) | Client correspondence, contracts, invoices | Legal hold, dispute evidence, ASIC records |
| OneDrive / Google Drive | Personal productivity files | IP, proposals, HR documents |
| SharePoint / Shared Drives | Team documents, policies, templates | Institutional knowledge, compliance artefacts |
| Teams chats & channels | Instant messages, meeting recordings, file attachments | Decision trails, project history |
Retention target: Minimum 12 months of point-in-time backup history, with the ability to restore to any day within that window. Financial services and healthcare businesses should aim for 7 years to satisfy ASIC and health-record retention obligations.
Product Comparison: Third-Party Backup for 10–50 Staff
| Feature | Veeam M365 | Afi.ai | Dropsuite | Spanning |
|---|---|---|---|---|
| M365 support | Full (Exchange, OneDrive, SharePoint, Teams) | Full | Full | Full |
| Google Workspace | Limited (via separate product) | Full | Full | Full |
| Deployment | On-prem, cloud, or hybrid | SaaS only | SaaS only | SaaS only |
| Backup frequency | Continuous (Exchange), 4-hourly (sites) | Up to every 1 hour | 1–3 times daily | 3 times daily |
| Retention | Unlimited (your storage) | Unlimited | Unlimited | Unlimited |
| Ransomware detection | Basic change monitoring | AI-driven anomaly alerts | Basic | Basic |
| Approx. cost (50 users) | ~AUD $2,500–3,500/yr | ~AUD $2,000–3,000/yr | ~AUD $1,800–2,500/yr | ~AUD $2,200–3,000/yr |
| Best for | Businesses with on-prem infrastructure or existing Veeam investment | Teams wanting AI-powered anomaly detection | Budget-conscious SMBs needing simplicity | Google Workspace–heavy environments |
Recommendation for most 10–50 person Australian SMBs: Afi.ai or Dropsuite if you want set-and-forget SaaS with no infrastructure to manage. Veeam M365 if you already run on-prem servers or need granular item-level restore with PowerShell automation.
ISO 27001 SMB Starter Pack — $97
Everything you need to start your ISO 27001 journey: gap assessment templates, policy frameworks, and implementation roadmap built for SMBs worldwide.
Get the Starter Pack →Quarterly Restore-Test Drill
A backup you have never restored is not a backup — it is a hope. Run this drill every quarter:
- Pick a random workload. Rotate: email one quarter, SharePoint the next, Teams the next, Drive the next.
- Select a restore point. Choose a date 30–60 days in the past.
- Restore to a staging location. Do not overwrite production data.
- Verify integrity. Open 5–10 files or emails. Confirm content, attachments, and metadata are intact.
- Time the restore. Record how long it took. If a real incident hits, you need to know whether recovery takes 15 minutes or 4 hours.
- Document the result. Log the date, workload, restore time, and any issues. Store the log in your incident-response runbook.
This drill takes under an hour per quarter. It is the single highest-ROI activity in your backup programme because it turns an assumption into a verified capability.
FAQ
Does Microsoft 365 not include backup with my Business Premium licence? No. Business Premium includes advanced threat protection, compliance tools, and 93-day recycle-bin retention for some workloads. It does not include point-in-time backup, unlimited retention, or recovery from ransomware that has already synced encrypted files to the cloud.
How long does Google Workspace keep deleted files? Google Drive files sit in the trash for 30 days before permanent deletion. Gmail messages are retained based on your Google Vault rules. If no rule covers a message or file, it is permanently removed after the trash window expires and cannot be recovered by Google support.
Is cloud-to-cloud backup necessary if I already have a local NAS backup? Only if your NAS backup explicitly includes M365 and Google Workspace data via API — not just folder-synced copies. Most NAS backup tools sync only files that live on local machines. Cloud-native email, Teams chats, and SharePoint content never touch a local drive, so your NAS misses them entirely.
What should I do first if I suspect a ransomware attack has hit our cloud data? Immediately disable the compromised user account, disconnect any active sync clients, and contact your backup vendor to initiate a restore from the last clean snapshot before encryption began. Then report the incident to the Australian Cyber Security Centre via cyber.gov.au.
Conclusion
Australian SMBs face the same ransomware and data-loss threats as large enterprises, but with far less margin for error. VikingCloud's 2026 research found that 40% of SMBs admit an attack costing $100,000 or less could put them out of business. The shared-responsibility gap in Microsoft 365 and Google Workspace is real, measurable, and cheap to close — most third-party backup solutions cost less per year than a single day of unplanned downtime.
Start with a backup product that covers all four workloads. Set 12-month minimum retention. Run your first restore drill this quarter. That is the entire playbook.
Visit consult.lil.business for a free cybersecurity assessment tailored to your Australian SMB.
References
- Australian Cyber Security Centre — Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
- Microsoft — Shared Responsibilities for Cloud Computing: https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility-model
- NIST SP 800-34 Rev 1 — Contingency Planning Guide for Federal Information Systems: https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final
- VikingCloud 2026 SMB Threat Landscape Report: https://www.vikingcloud.com/press-news/cyberattacks-overtake-inflation-and-recession-concerns-as-the-1-threat-to-smbs-in-2026-new-vikingcloud-research-finds
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
Book a Free Consultation →
lilMONSTER Newsletter
Weekly cybersecurity insights, practical tips, no spam. Unsubscribe anytime.