TL;DR:
The cloud is not a backup: Google and Microsoft protect the infrastructure, but not your data in case of deletion, error or attack. This is the principle of shared responsibility.
Google Workspace: bins limited to ~30 days, +25 days via the admin. Beyond that, it's lost. Google Vault is not a backup and retains nothing if an account is deleted.
Microsoft 365: recoverable emails 14–30 days, OneDrive/SharePoint files 93 days, Teams around 21 days. No real full “point‑in‑time” restore.
Both environments remain vulnerable to the same risks:
- admin errors (e.g. KPMG deleting 145,000 chat histories),
- provider incidents (e.g. UniSuper on Google Cloud),
- accidental deletion,
- ransomware encrypting synchronized data,
- compromised accounts (phishing).
The solution: implement a dedicated external (cloud‑to‑cloud) backup for Google/M365, following the 3‑2‑1 rule (multiple copies, different media, one off‑site copy), with granular restoration.
To complement this, follow good practices: MFA for everyone, limited access rights, monitoring and alerts, user awareness, and a clearly designated person responsible for backups.
Many SMEs mistakenly think their data “lives safely” once it's in the Cloud. After all, Google and Microsoft invest billions in securing their infrastructures. Yet the providers remind you themselves: they ensure the availability and reliability of the platforms, but not the everlasting protection of each file. This is called the shared responsibility model: the provider secures the “cloud” (infrastructure), but backup and restoration of user data remain your responsibility. In short, “neither Microsoft nor Google guarantee the complete restoration of your data after accidental or malicious deletion.” In other words, entrusting your data to the Cloud does not exempt you from making your own backup.
Limits of native protections
Google Workspace
In Google Workspace (Gmail, Drive, Calendar…), the built‑in tools have many constraints. For example, a deleted email goes to the user's trash… but stays there only 30 days before being permanently lost. Beyond that, the G Suite admin has another 25 days to restore it via the admin console, then it's gone for good. Same with Google Drive: when a user empties their bin, Google retains deleted data for only 25 days, after which there is no recoverable trace. In practice, most files deleted in Drive or Docs are irretrievably lost after 30 days.
Moreover, Google Vault – the advanced retention solution – is not an “automatic backup” per se. It is a legal archiving tool: it allows you to retain or delete data according to compliance rules. But Vault retains nothing from a definitively deleted account. If you delete a Workspace user, all their emails, calendars and documents disappear, even from Vault. In other words, without a third‑party backup, an admin who deletes an account deprives themselves of any recourse.
In summary, Google's native protections are limited: the bin auto‑deletes after 30 days, there is no long‑term “snapshot” of your data, and it’s up to you to protect yourself. As a specialized guide notes: “Google doesn't take care of protecting the user's Gmail data; that responsibility lies with the IT administrator.”
Microsoft 365
On the Microsoft 365 side (Exchange, OneDrive, SharePoint…), the situation is a little different but just as restrictive. By default, deleted emails in Outlook/Exchange remain in the “Recoverable Items” folder for only 14 days (up to 30 days maximum). After that, they disappear permanently. On the file side, a document deleted in OneDrive or SharePoint ends up in the site recycling bin for 93 days, then is purged automatically. The problem is that these windows are often too short for a company: if you miss these deadlines (for example by not checking the bin in time), there is nothing left to restore without an external tool.
What is more, even Microsoft's internal “backups” are essentially short‑term buffer zones. For example, the automatic backup of Teams (channels) is kept for only 21 days, and a full “point‑in‑time” restoration of an environment does not exist. In short, as CloudAlly summarizes, “Microsoft 365 does not fully back up your data, and relying on the default settings can lead to permanent loss beyond 30 days.”
Finally, remember the shared model: Microsoft guarantees service availability, not the security of user data. In case of ransomware or human error, OneDrive and SharePoint are just as vulnerable. A common piece of advice is that “even OneDrive must be backed up” by another system. In summary, neither Google nor Microsoft replace a true backup strategy: their native tools have limits (short retention windows, lack of extended historical restoration, complexity of retention‑policy‑based backups) that expose your data in case of disaster.
Google vs Microsoft: what differences?
Overall, Google Workspace and Microsoft 365 have similar mechanisms (bins, limited versions) and suffer from the same weaknesses (shared responsibility, short retention periods). But you can distinguish some key points:
- Restoration window: Google limits recoveries to about 30 days (Trash + 25 days admin), while Microsoft offers up to 93 days in OneDrive/SharePoint bins and 14–30 days in Exchange. Microsoft thus leaves a little more time by default in some cases, but still too short for important data that needs to be retained long‑term.
- Application coverage: Google primarily protects Gmail, Drive, Contacts, etc. Other services (like Sites, some Google Forms) have no dedicated restoration. Microsoft covers Exchange, OneDrive, SharePoint and Teams via its M365 platform, but again the data are often “in the same cloud,” with no independent export. In fact, both giants rely on the same “flaw”: if a failure or attack hits the global infrastructure, your data and its copy disappear together.
- Additional tools: Google offers Vault (retention management) and Takeout (manual export), but they are complicated and do not replace automated backup. Microsoft offers Purview (compliance) and recently a basic built‑in backup, but again with limits (no unlimited point‑in‑time, no advanced granular recovery). As expert W. Preston notes, “the feature you think is protecting you is often the one that causes the loss, because it is stored inside the same system as the data to be protected” (illustrated by KPMG below).
In practice, both environments are vulnerable to the same scenarios: a simple accidental deletion of a Drive file or SharePoint folder can instantly lose months (or years) of work if they have not been backed up elsewhere. For example, Google Drive deletes its bin after 30 days, while Microsoft purges SharePoint after 93 days. Beyond these deadlines, the data are gone for good. Neither service offers a free long‑term backup option for SMEs: backup management (3‑2‑1, points‑in‑time) must come from the company itself.
Concrete incidents of data loss in the cloud
Real‑life examples abound. This is not pure theory: companies have already seen their data disappear because of the cloud. Here are a few:
- Catastrophic human error: In May 2024, Google Cloud accidentally deleted the cloud account of UniSuper (an Australian pension fund with $125 billion in assets) due to a simple admin mistake. The entire subscription was cancelled, erasing all the data and their built‑in backups. Result: UniSuper experienced a week‑long outage for 620 000 members. This debacle clearly shows that “even advanced cloud systems can be broken by a simple error.” Fortunately, UniSuper had made backups with a third‑party provider, which allowed data to be restored faster than if they had relied solely on Google.
- Massive accidental deletion: A noteworthy case concerns KPMG (145 000 M365 accounts). An admin wanted to delete the chat of a single user in Teams, but accidentally created a retention policy that was too broad. They moved all users to the wrong policy and erased the entire chat history of 145 000 accounts. Afterwards, Microsoft explained that there was no automatic way to recover these conversations – the only option would have been to manually restore restricted chat logs. For a company subject to compliance obligations, that is a huge loss. This incident illustrates the danger: internal mechanisms (retention policies, bins) are recorded in the same system. Result: “Make a mistake like KPMG and your backups disappear as well.”
- Small business, big disappointment: The case of Musey Inc. (which equipped an SME) is telling. Employees inadvertently deleted their entire Google Drive account without having made a third‑party backup. In less than 30 days, no file was accessible and even Google support could do nothing. Musey therefore lost all its Drive data (10 years of archives) because “Google does not retrieve files deleted more than 30 days.” This anecdote reminds us that disaster doesn’t just strike very large accounts.
- Ransomware targeting the cloud: Cybercriminals have understood that the Cloud is a gold mine. According to Spin.AI, as early as 2021 “ransomware 2.0” specifically targeted cloud data. The typical scenario is this: an employee inadvertently downloads malware onto their PC synchronized with Google Drive or OneDrive. This malware spreads and remotely encrypts the synchronized files. Result: all the documents online are encrypted, and without an independent backup there is no clean version to restore. The native protections generally do not prevent this scenario, because cloud services sync and delete as quickly as they back up. If a file is replaced by an encrypted version, the internal “backup” also stores this encrypted file. That’s why several experts note that in the event of ransomware, there is often no clean restore point in the default tools.
- Phishing and compromised accounts: Even without internal error, a hacked account can compromise everything. For example, an employee who clicks on a phishing link loses their login and password: the hacker can then remotely delete data in Google Workspace or M365. Within minutes they erase emails, Drive/OneDrive folders, etc. Again, without off‑site backup the loss is permanent. This is a common internal threat scenario: an authorized account, poorly protected, can destroy an entire business by deleting everything from the trash… there’s nothing to recover after the allowed deadlines.
These examples show that a simple error or attack can cause a catastrophe. A clumsy admin, a technical misstep or a sophisticated cyberattack can all lead to the irreversible loss of critical data if you haven’t taken precautions. For example, in the UniSuper incident, without the external backup the loss could have cost months of work and a lot of trust. Likewise, KPMG realized that even a tool designed to protect (retention policies) can blow everything up. In all these cases, an independent backup, external to the primary cloud, made the difference or would have. As one expert sums up: “without a dedicated Cloud backup solution, the organization remains vulnerable.”
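The compromised-account scenario above, where folders are erased within minutes, leaves a recognisable trace in the audit log. The following is an added example, not code from the original article or from Google or Microsoft: a sliding-window detector over constructed audit events. The event tuple layout, the threshold and the window length are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_events():
    """Constructed audit events: (time, actor, action, item). Not a vendor schema."""
    base = datetime(2024, 5, 4, 2, 15)
    events = [(base + timedelta(seconds=4 * i), "alice@example.com", "delete", f"file-{i}")
              for i in range(40)]                      # burst: 40 deletes in under 3 minutes
    events += [(base + timedelta(hours=h), "bob@example.com", "delete", f"doc-{h}")
               for h in range(5)]                      # normal housekeeping
    events.append((base + timedelta(minutes=1), "bob@example.com", "edit", "doc-x"))
    return events

def deletion_bursts(events, threshold=25, window=timedelta(minutes=5)):
    """Return {actor: (burst_start, detected_at)} for the first burst per actor.

    burst_start is the oldest delete still inside the window when the
    threshold was reached: restore from a backup taken before that time.
    """
    recent = defaultdict(deque)
    bursts = {}
    for when, actor, action, _item in sorted(events):
        if action != "delete" or actor in bursts:
            continue
        q = recent[actor]
        q.append(when)
        while when - q[0] > window:      # drop deletes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            bursts[actor] = (q[0], when)
    return bursts

if __name__ == "__main__":
    for actor, (start, seen) in deletion_bursts(sample_events()).items():
        print(f"ALERT {actor}: mass deletion from {start} (detected {seen})")
```

The burst start time is what matters for recovery: it tells you which external backup copy predates the damage.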
Practical advice for SMEs
The good news is that protecting your cloud data is both possible and often simple. Today there are external backup solutions specially designed for Google Workspace and Microsoft 365, even for small businesses. These SaaS services automate the collection of your emails, calendars, Drive/OneDrive files, SharePoint, Teams, etc., and copy them to separate storage (cloud‑to‑cloud). This is sometimes called applying the “3‑2‑1” rule to SaaS: keep at least 3 copies of your data on 2 different media, with 1 copy off‑site. In practice, you can keep your data on the original cloud, add external storage (backups in another cloud) and keep a local or off‑site copy. These solutions provide granular restores: you can recover a specific email or a previous version of a file in a few clicks, even outside the short deadlines of the native bins. Many providers (some SME offers start at just a few euros per user) offer this service with encryption and role‑based access. In short, cloud backup has become simple and affordable.
In addition, here are some easy‑to‑implement best practices:
- Multi‑factor authentication (MFA): Enable MFA for all user accounts (Gmail, Office 365). It’s a basic measure against hacking. Without MFA, a stolen password is all it takes to take over an account. According to specialists, enabling MFA blocks more than 90 % of unauthorised access. It’s free and quick to configure on Google and Microsoft.
- Rigorous access management: Ensure everyone only has the rights they need. Avoid sharing folders “with everyone” without reason, and regularly review who can view or modify sensitive files. A simple forgotten public link can lead to a data leak. Also limit the number of administrators of your consoles: the fewer high‑privilege accounts there are, the lower the risk of error.
- Monitoring and alerts: Use built‑in tools (security centres, audit logs) to monitor suspicious logins. For example, set up alerts when an account logs in from a new device or from another country. Google Workspace and Microsoft 365 offer security dashboards—don’t ignore them. A real‑time alert can allow you to act before a problem escalates.
- User awareness: The most common flaw remains human. Train your employees to spot fraudulent emails, suspicious attachments and phishing attempts. Explain to them the importance of never sending their passwords or granting too‑wide permissions by mistake. An informed employee is the first line of defence. For example, One Sky notes that “the problem doesn’t always come from [Microsoft or Google]… but from us”—a weak password or a hasty click can bring everything down.
- Assign a point person: Designate someone (IT or an external provider) responsible for backup and data security. They will ensure backups are regularly tested (it’s recommended to simulate a crash and check that you can restore data), update security solutions, and update backup policies as the business evolves. This prevents good practices from “falling through the cracks” or no one noticing that a backup has failed.
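The alert described under “Monitoring and alerts” (a login from a new device or another country) comes down to comparing each login with a per-user baseline. This is an added example, not code from the original article or from either vendor; the event fields and sample records are constructed and do not follow a real audit-log schema.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    user: str
    time: str       # ISO 8601 UTC timestamp, so string order is time order
    device_id: str
    country: str    # two-letter country code derived from the source IP

# Constructed sample events; field names are hypothetical.
EVENTS = [
    Login("alice@example.com", "2024-05-02T08:01:00Z", "dev-a1", "FR"),
    Login("alice@example.com", "2024-05-03T08:05:00Z", "dev-a1", "FR"),
    Login("bob@example.com",   "2024-05-03T09:00:00Z", "dev-b1", "FR"),
    Login("alice@example.com", "2024-05-04T02:13:00Z", "dev-x9", "BR"),
    Login("bob@example.com",   "2024-05-04T09:02:00Z", "dev-b2", "FR"),
    Login("alice@example.com", "2024-05-05T08:00:00Z", "dev-a1", "FR"),
]

def login_alerts(events):
    """Return (time, user, reasons) for logins from an unseen device or country.

    A user's first login only seeds the baseline. A login that raised an
    alert is NOT learned, so an intruder's device never becomes "known"
    without someone reviewing the alert first.
    """
    devices, countries, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e.time):
        known_dev = devices.setdefault(ev.user, set())
        known_cty = countries.setdefault(ev.user, set())
        reasons = []
        if known_dev and ev.device_id not in known_dev:
            reasons.append("new device")
        if known_cty and ev.country not in known_cty:
            reasons.append("new country")
        if reasons:
            alerts.append((ev.time, ev.user, reasons))
        else:
            known_dev.add(ev.device_id)
            known_cty.add(ev.country)
    return alerts

if __name__ == "__main__":
    for when, user, reasons in login_alerts(EVENTS):
        print(f"{when} {user}: {', '.join(reasons)}")
```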
In summary, it’s not about becoming paranoid: cloud platforms are technically secure, but the ultimate defence comes from you. Fortunately, as the French government documentation reminds us, “cloud offerings democratize… the essential function of data backup.” There are turnkey solutions, with no hardware to manage, that can (for a few dozen euros per month) create automatic backups of your Google/Microsoft accounts. These tools handle everything in the background: you just have to check from time to time that everything is running properly.
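Checking that “everything is running properly” means the restore test recommended above: restore to a scratch location and compare the result with what was backed up. The following added example (not from the original article or from any backup product) records a SHA-256 manifest at backup time and checks a restored folder against it; the folder names and file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's relative path to the SHA-256 of its content."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def verify_restore(expected, restored_root):
    """Compare a restored tree with the manifest recorded at backup time."""
    actual = manifest(restored_root)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupted": sorted(k for k in expected.keys() & actual.keys()
                            if expected[k] != actual[k]),
        "unexpected": sorted(set(actual) - set(expected)),
    }

def restore_drill():
    """Constructed drill: one complete restore and one damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, good, bad = (Path(tmp) / n for n in ("source", "restore_ok", "restore_bad"))
        files = {"contracts/2023.txt": b"signed", "hr/payroll.csv": b"a,b\n1,2\n",
                 "notes.md": b"# notes"}
        for root in (src, good, bad):
            for rel, data in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        expected = manifest(src)                       # recorded when the backup runs
        (bad / "hr/payroll.csv").write_bytes(b"\x00")  # silently damaged copy
        (bad / "notes.md").unlink()                    # file the backup never captured
        return verify_restore(expected, good), verify_restore(expected, bad)

if __name__ == "__main__":
    ok, damaged = restore_drill()
    print("complete restore:", ok)
    print("damaged restore: ", damaged)
```

A drill passes only when all three lists are empty; a backup job that reports success can still produce a restore with missing or corrupted files.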
Conclusion
The Cloud brings flexibility and undeniable convenience for SMEs. But let’s remember: cloud does not mean automatic backup. Real incidents (accidental deletion, ransomware or admin error) confirm this time and again. The good news is that with a little prevention and simple solutions, you can largely reduce these risks. In short, back up your cloud data as you would a local PC: automate copies outside the primary system, test that they work and train your team. This way you make your SME more resilient: even if the worst happens, your information remains safe and operations can resume quickly. Don’t let a “mouse click” erase months of work—invest a few minutes today to protect yourself effectively.