If your business uses Microsoft 365 — and the vast majority of UK SMEs do — your email, calendar, contacts, and OneDrive files are hosted in Microsoft's cloud. This creates a dangerous assumption that many business owners make: because the data is "in the cloud," it must be safe. Microsoft will take care of it. Nothing can go wrong. This assumption is wrong, and it has cost countless UK businesses dearly.
Microsoft provides infrastructure-level resilience for its cloud services. Their data centres have redundant power, cooling, and storage. They replicate data across multiple facilities. Their uptime SLA for Exchange Online is 99.9%. But none of this protects your data from the threats that actually cause data loss in practice: accidental deletion by users, malicious deletion by disgruntled employees or compromised accounts, ransomware that encrypts mailbox content via synchronisation, retention policy misconfiguration that purges data prematurely, or regulatory requirements to retain data beyond Microsoft's default retention periods.
The Shared Responsibility Model
Microsoft operates under what they call the Shared Responsibility Model. In simple terms, Microsoft is responsible for the availability of the service — keeping the servers running, maintaining the infrastructure, and ensuring the platform is accessible. You are responsible for your data — ensuring it is properly backed up, protected from user error, and retained in accordance with your legal and regulatory obligations.
This is not a hidden policy. Microsoft states it explicitly in their service agreement: "We recommend that you regularly backup your Content and Data that you store on the Services or store using Third-Party Apps and Services." They are telling you, in plain language, that their service is not a backup and that you need your own backup solution.
Microsoft DOES protect against: hardware failure in their data centres, natural disasters affecting data centre regions, service outages (with SLA compensation). Microsoft does NOT protect against: accidental deletion by users (beyond 30-day recycle bin), malicious deletion by compromised or rogue accounts, ransomware that encrypts data via sync clients, retention policy errors that permanently delete data, legal hold requirements beyond standard retention, migration errors that corrupt or lose data.
What Needs Backing Up
A comprehensive Microsoft 365 backup strategy should cover all the workloads that contain business-critical data. The most critical is Exchange Online — email, calendar, and contacts. For many businesses, email is the primary record of client communications, contractual agreements, and business decisions. Losing email data can have serious legal, regulatory, and commercial consequences.
Beyond email, your backup should also cover OneDrive for Business (each user's personal cloud storage), SharePoint Online (shared team sites and document libraries), and Microsoft Teams data (which is stored across SharePoint, OneDrive, and Exchange). If your business uses other Microsoft 365 services such as Planner, Lists, or Power Platform, check whether your chosen backup solution covers these workloads as well.
Microsoft 365 Backup Solutions for UK Businesses
Several enterprise-grade backup solutions are available for Microsoft 365, each with different strengths. The leading options in the UK market include Veeam Backup for Microsoft 365, Acronis Cyber Protect Cloud, Barracuda Cloud-to-Cloud Backup, Druva inSync, and more recently, Microsoft's own Backup solution (currently in preview). Here is how they compare for a typical UK SME.
| Feature | Veeam for M365 | Acronis Cyber Protect | Barracuda Cloud |
|---|---|---|---|
| Exchange Online backup | Yes | Yes | Yes |
| OneDrive backup | Yes | Yes | Yes |
| SharePoint backup | Yes | Yes | Yes |
| Teams backup | Yes | Yes | Yes |
| UK data residency | Yes (choose storage) | Yes (UK DCs) | Yes (UK DCs) |
| Granular restore | Individual items | Individual items | Individual items |
| Backup frequency | Up to 5x daily | 3x daily | 3x daily |
| Ransomware protection | Immutable backups | Immutable + AI detection | Immutable backups |
| Approx. cost per user/month | £2.50-£4.00 | £3.00-£5.00 | £3.50-£5.50 |
For most UK SMEs, Veeam Backup for Microsoft 365 is the most popular choice. It provides comprehensive coverage of all Microsoft 365 workloads, flexible storage options (including UK-based Azure Blob Storage or AWS S3), granular restore capabilities down to individual emails or calendar items, and competitive per-user pricing. When managed by an IT provider, Veeam runs entirely in the background with no impact on end users.
Setting Up Email Backup: Step by Step
Implementing a Microsoft 365 backup solution follows a consistent process regardless of which product you choose. The steps below outline the typical approach for a UK SME deploying Veeam Backup for Microsoft 365, though the principles apply to any solution.
The initial full backup can take several hours to several days depending on the volume of data and the number of users. Subsequent incremental backups capture only changes since the last backup and typically complete in minutes. Most businesses configure backups to run three times daily — ensuring that in the worst case, no more than a few hours of data could be lost.
Restore Scenarios: When Backup Saves the Day
Understanding common restore scenarios helps illustrate why backup is essential. The most frequent scenario is accidental deletion — a user deletes an important email or empties their deleted items folder. If this is discovered within 30 days, Microsoft's built-in recovery may help. After 30 days, the data is permanently gone unless you have an independent backup.
A more serious scenario is a compromised account. If an attacker gains access to a user's Microsoft 365 account, they may delete emails to cover their tracks, set up forwarding rules to exfiltrate data, or encrypt mailbox content. By the time the breach is discovered, the damage may be irreversible without a backup taken before the compromise occurred.
Ransomware that targets cloud data through synchronisation is an increasingly common threat. If a user's device is infected with ransomware, the encrypted files can sync to OneDrive and SharePoint, replacing good copies with encrypted versions. Microsoft's version history can sometimes help here, but a dedicated backup provides a guaranteed clean recovery point.
Without M365 Backup
- Permanently deleted emails are gone after 30 days
- No recovery from ransomware that syncs to cloud
- No protection against malicious admin account actions
- Cannot restore a departed employee's mailbox after licence removal
- No point-in-time recovery to a clean state
- HMRC and legal disclosure requests may be impossible to fulfil
With M365 Backup
- Restore any email from any point in backup history
- Recover from ransomware using pre-infection backup
- Independent copy immune to admin account compromise
- Restore departed employees' data at any time
- Point-in-time recovery to any backed-up state
- Full compliance with HMRC and legal retention requirements
Compliance and Data Residency
For UK businesses, data residency is a critical consideration when choosing a backup solution. Under UK GDPR, transferring personal data outside the UK requires appropriate safeguards. Storing your email backup in a UK data centre simplifies compliance by keeping all data within UK jurisdiction.
Most backup solutions allow you to choose the storage location. With Veeam, for example, you can store backups in Azure Blob Storage in the UK South (London) region, ensuring complete UK data residency. Acronis and Barracuda also offer UK-based storage options. Always confirm the storage location before deploying, and document it as part of your data protection records.
Beyond data residency, your backup solution should support UK GDPR compliance in other ways. It should allow you to search for and delete specific personal data across backups in response to data subject erasure requests. It should provide audit logs showing who accessed backup data and when. And it should encrypt backup data both in transit and at rest, with encryption keys managed securely.
A backup that has never been tested is not a backup — it is a hope. Schedule regular test restores to verify that your backup solution is working correctly. At minimum, test a full mailbox restore quarterly and individual item restores monthly. Document the test results, including restore time and data integrity verification. Your managed IT provider should include regular backup testing as part of their service — if they do not, ask why.
Is Your Business Email Backed Up?
Cloudswitched provides managed Microsoft 365 backup for UK businesses, with UK-based storage, daily backup verification, and guaranteed restore capabilities. Do not wait for a data loss event to discover you have no backup.
GET IN TOUCH
CloudSwitched
Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.