How to Back Up Microsoft 365 and Google Workspace Data

Here is a belief that has cost businesses their data more times than I can count: “Our email and files are in the cloud, so Microsoft and Google back them up for us.” That assumption is wrong, and the gap it creates is one of the most dangerous blind spots in small business IT. This guide explains what the cloud providers actually protect, what they do not, and how to close the hole.

The Shared Responsibility Gap

Microsoft and Google both operate on a shared responsibility model. They guarantee the infrastructure: the servers stay running, the data centers stay online, and the platform itself is highly available. What they explicitly do not promise is to recover your data if you or one of your people destroys it.

Read Microsoft’s own service agreement and you will find language recommending you keep your own backup of your content. Google says the same thing in different words. The providers protect against their failures. They do not protect against yours.

How Data Actually Disappears in the Cloud

The threats here are rarely dramatic. They are ordinary and they happen constantly.

• Accidental deletion. An employee deletes a folder or an entire mailbox. Native retention gives you a limited window, often around thirty days, and then it is gone permanently.
• Departing employees. When you remove a user’s license to stop paying for it, their mailbox and files can be deleted on a timer. Businesses lose years of records this way.
• Ransomware and malware. Modern ransomware syncs straight into cloud storage, encrypting OneDrive, SharePoint, and Google Drive files right alongside local ones.
• Malicious insiders. A disgruntled employee can wipe shared documents on the way out the door.
• Retention policy gaps. The default native recovery windows are short, and once they lapse, the provider cannot help you.

None of these are platform outages. Every one of them is squarely your responsibility to plan for.

What Native Recovery Does and Does Not Give You

Both platforms include basic recycle bin and version history features. Microsoft 365 has the Recycle Bin, retention policies, and Litigation Hold. Google Workspace has its trash, Vault for eligible editions, and admin recovery for recently deleted users. These tools are genuinely useful for the everyday “I deleted it an hour ago” mistake.

What they are not is a true backup. They are short-term, they are tangled up with the live system, and a sophisticated attacker or a careless administrator can purge them. A real backup is independent, retained for as long as you need, and recoverable to a point in time before a problem occurred. That independence is the entire point.

Third-Party Backup: The Real Fix

The clean solution is a dedicated SaaS backup service that copies your Microsoft 365 or Google Workspace data into separate, independent storage on a schedule. Established names in this space include Datto, Veeam, Acronis, Dropsuite, and Backupify, among others. They typically run a few dollars per user per month.

A good one will protect the full set: mailboxes, calendars, contacts, OneDrive or Google Drive files, SharePoint and shared drives, and Teams data. Look for a few specific things when you evaluate options.

Confirm it covers every data type you rely on, not just email. Check the retention options, because the ability to keep data for years is exactly what native tools lack. Test the restore process, since a backup you cannot restore is theater. And verify the backup storage is isolated from your production tenant so ransomware cannot reach it.

The 3-2-1 Principle Still Applies in the Cloud

The old backup rule holds even when everything lives in someone else’s data center: three copies of your data, on two different types of media, with one copy kept off-site or otherwise isolated. Your live Microsoft 365 tenant is one copy. A third-party backup in separate storage is your independent second. Treating your cloud provider as your only copy violates the principle no matter how reliable that provider is.

A Simple Action Plan

Start by writing down what would actually hurt to lose: email histories, shared files, financial records, customer data. Confirm where each lives. Check your current native retention settings so you know your real exposure window. Then put a third-party backup in place for the platform you use, set retention to match your record-keeping and legal needs, and schedule a restore test on your calendar. Run that test at least twice a year.

The whole exercise costs less per month than most software subscriptions and removes one of the genuinely catastrophic risks a small business carries without realizing it. Cloud convenience is real. Cloud invincibility is a myth.

How Long Should You Keep Backups?

Retention is where the difference between native tools and real backup becomes obvious. The native recycle bin gives you weeks. Your actual obligations are often measured in years. Tax records, employment files, contracts, and industry-specific data can all carry multi-year retention requirements, and a former employee’s mailbox might hold the only copy of a critical agreement.

Set your backup retention to match the longest requirement you are subject to, not the shortest one that feels convenient. For most small businesses, keeping a year of recoverable history is a sensible floor, and several years is wise for anything tied to finances, contracts, or regulated data. Storage is cheap. Discovering you deleted the one email that proves a contract term, two years after the fact, is not.

The Mistakes That Undo a Backup Plan

Having a backup and having a working recovery are two different things, and the gap between them is where businesses get hurt.

The most common mistake is never testing a restore. A backup job that runs green every night but cannot actually reconstruct a mailbox is worthless, and you only learn that during an emergency. Schedule a real restore test at least twice a year and confirm the data comes back intact and usable.

The second mistake is backing up only email and forgetting everything else. OneDrive, SharePoint, shared drives, Teams chats, and calendars all hold business-critical data, and a backup that misses them leaves the same hole you were trying to close. The third is keeping the backup inside the same account it is protecting, where ransomware or a malicious admin can reach both at once. Independent storage is non-negotiable. Get those three things right and you have a backup you can actually rely on when the day comes.