TL;DR

Microsoft and Google do not guarantee recovery of your data after accidental deletion, ransomware, or malicious insider actions — the shared responsibility model leaves that risk with you. This playbook outlines what Australian SMBs must back up, which third-party tools fit a 10–50 person team, and how to run a quarterly restore drill that actually proves your backups work.


The Shared Responsibility Gap

Cloud providers protect their infrastructure. They do not protect your data from you.

Microsoft 365 and Google Workspace operate under a shared responsibility model: the vendor keeps the service available, while the customer is responsible for the data inside it. Native retention is short. In Exchange Online, an item the user purges from Deleted Items sits in the Recoverable Items folder for 14 days by default (an admin can raise this to 30); the 93-day figure that is often quoted is the SharePoint and OneDrive recycle bin, first and second stage combined. Google Workspace keeps trashed Gmail and Drive items for 30 days, and an admin can restore data for roughly 25 days after a user empties Trash. After those windows the data is permanently purged. If a ransomware strain encrypts your SharePoint libraries, a disgruntled admin wipes a Shared Drive, or a retention policy silently deletes old project files, neither vendor will restore it. The 2026 LiteLLM supply chain cascade demonstrated how quickly production credentials and intellectual property can vanish when trust is misplaced; the same principle applies to your SaaS data.


What Must Be Backed Up

An SMB running on Microsoft 365 or Google Workspace should treat the following as critical backup scope:

| Data Type | M365 Component | Google Workspace Component | Why It Matters |
|---|---|---|---|
| Email | Exchange Online, shared mailboxes | Gmail, Google Groups | Primary business communication and legal record |
| Files | OneDrive, SharePoint document libraries | Google Drive, Shared Drives | Contracts, financials, IP, operational documents |
| Collaboration | Teams chats, channel files, wiki tabs | Chat spaces, Drive attachments | Context and decisions that do not live in email |
| Calendar & Contacts | Exchange calendar, Outlook contacts | Google Calendar, Contacts | Scheduling history and business relationships |
| Configurations | SharePoint site structures, Teams settings | Admin policies, Drive sharing rules | Recovery speed depends on restoring the environment, not just files |

Retention targets should align with the record-keeping obligations ASIC enforces: financial records must be kept for seven years under the Corporations Act, so backup retention for finance data needs to match. For operational data, aim for point-in-time restore capability covering at least 90 days. The Notifiable Data Breaches scheme does not set retention periods, but being able to show what data existed, and restore it, is part of responding to a breach under that scheme.


Third-Party Backup Options for 10–50 Users

The native recycle bin is not a backup strategy. For a 10–50 headcount Australian SMB, evaluate these dedicated SaaS backup tools:

| Product | Best For | Rough AUD Pricing (10–50 seats) | Notes |
|---|---|---|---|
| Veeam Backup for M365 | M365-heavy environments, hybrid setups | ~$5–7/user/month | Mature, granular item-level restore, requires self-hosted or Veeam-hosted infrastructure |
| Afi | Google Workspace-first teams | ~$4–6/user/month | Fastest GWS restore speeds, strong ransomware detection, Australian data centre option |
| Dropsuite | Budget-conscious multi-tenant MSPs | ~$3–5/user/month | Email and website backup focus, simple compliance reporting |
| Spanning (by Kaseya) | Teams wanting set-and-forget | ~$4–6/user/month | Good M365/GWS coverage, automated daily backups |

Selection criteria: Australian data residency; encryption at rest (AES-256) and TLS in transit; point-in-time restore granularity down to a single item; immutable (write-once, read-many) backup storage; and a backup service identity that is separate from your M365 or Workspace global admin, with its own MFA, so that an attacker who compromises a tenant admin cannot delete the backups along with the data.


The Quarterly Restore-Test Drill

A backup you have never restored is a hypothesis. Run this drill every quarter:

  1. Pick a scenario: accidental deletion, ransomware simulation (restore from before an arbitrary date), or departing employee data recovery.
  2. Restore to an isolated location: never overwrite live production during a test.
  3. Verify integrity: spot-check file contents, email headers, and metadata, and compare the restored files against hashes recorded at backup time (most tools expose these; if yours does not, generate a manifest yourself). A hash mismatch means the backup chain is corrupted, and the tool, not the data, is your incident.
  4. Time the process: document how long it takes to restore a single mailbox, a Shared Drive, and an entire SharePoint site. This becomes your recovery time objective (RTO) baseline.
  5. Update the runbook: if the restore took longer than four hours for critical data, your architecture or tooling needs adjustment.

Schedule the next drill before closing the current one. If a restore fails, treat it as a live incident — because during a real breach, it will be.
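One way to make steps 3 and 4 of the drill mechanical, as an added example that is not code from the original page or from any of the backup vendors above: a small Python script that records a SHA-256 manifest of the exported data at backup time, times a restore into an isolated directory, and verifies every restored file against the manifest. The sample "tenant export" files, the two restore functions and the four-hour RTO are constructed for the demonstration; in practice you would point build_manifest at the export your backup tool produces and wrap the tool's own restore command in run_drill.

```python
"""Quarterly restore-drill verifier: manifest at backup time, integrity check after restore, RTO timing."""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large SharePoint or Drive exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256.
    Run this at backup time and store the result somewhere the backup service identity cannot alter."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): sha256_file(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a restored tree against the manifest. Missing or mismatched entries mean the backup
    chain (or the restore) is broken; extra files are reported but do not fail the check."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    mismatched = sorted(k for k in manifest.keys() & restored.keys() if manifest[k] != restored[k])
    return {"ok": not missing and not mismatched, "missing": missing, "mismatched": mismatched, "extra": extra}


def run_drill(manifest: dict, restore_fn, restore_target: str, rto_seconds: float) -> dict:
    """Time the restore, verify it, and return the record that goes into the runbook."""
    started = time.monotonic()
    restore_fn(restore_target)
    elapsed = time.monotonic() - started
    report = verify_restore(manifest, restore_target)
    report["elapsed_seconds"] = round(elapsed, 3)
    report["within_rto"] = elapsed <= rto_seconds
    report["passed"] = report["ok"] and report["within_rto"]
    return report


def make_sample_export(root: str) -> None:
    """Constructed sample standing in for a tenant export; these are not real tenant files."""
    files = {
        "Finance/FY24-ledger.csv": b"date,account,amount\n2024-07-01,4000,1250.00\n",
        "Contracts/MSA-acme.pdf": b"%PDF-1.4\n(sample contract body)\n",
        "Mailbox/inbox/0001.eml": b"From: ops@example.test\nSubject: Q3 invoices\n\nSee attached.\n",
    }
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def simulate_drills(rto_seconds: float = 4 * 3600) -> tuple:
    """Run one faithful restore and one silently damaged restore against the same manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        snapshot = os.path.join(tmp, "backup-snapshot")
        make_sample_export(snapshot)
        manifest = build_manifest(snapshot)

        def faithful_restore(target: str) -> None:
            shutil.copytree(snapshot, target)

        def damaged_restore(target: str) -> None:
            # Simulates a tool that drops one item and alters another without reporting an error.
            shutil.copytree(snapshot, target)
            os.remove(os.path.join(target, "Contracts", "MSA-acme.pdf"))
            with open(os.path.join(target, "Finance", "FY24-ledger.csv"), "ab") as fh:
                fh.write(b"2024-07-02,4000,0.00\n")

        good = run_drill(manifest, faithful_restore, os.path.join(tmp, "restore-clean"), rto_seconds)
        bad = run_drill(manifest, damaged_restore, os.path.join(tmp, "restore-damaged"), rto_seconds)
        return good, bad


if __name__ == "__main__":
    for label, report in zip(("faithful", "damaged"), simulate_drills()):
        print(label, report)
```

The damaged restore is the point of the exercise: a restore that silently drops a contract and appends a row to the ledger still "completes successfully" from the tool's side, and a spot-check that happens to open the mailbox export would miss it. Keep the manifest where the backup service account cannot write, otherwise a compromised backup identity can rewrite both the data and the record you check it against.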


FAQ

Q: Doesn't Microsoft 365 already back up my data? A: No. Microsoft replicates data across its infrastructure for uptime, not for your recovery. Purged Exchange Online items drop out of Recoverable Items after 14 days by default (30 at most), SharePoint and OneDrive recycle bins empty after 93 days, and ransomware-encrypted files are treated as legitimate user edits and replicated like any other change. You need an independent backup copy outside the M365 tenant.

Q: Is Google Vault a backup tool? A: Google Vault is an eDiscovery and archiving tool for legal holds and compliance. It is not designed for fast point-in-time restore of individual files or mailboxes. Do not rely on it for disaster recovery.

Q: How often should backups run? A: At minimum, daily automated backups for email and files. For organisations handling sensitive client data or regulated industries, incrementals every four hours with a retained snapshot every 24 hours is the safer baseline.

Q: What is the ACSC's position on cloud backups? A: The Australian Cyber Security Centre's Essential Eight includes "Regular backups" as one of its eight mitigation strategies: back up data, applications and settings, retain backups in line with business continuity requirements, test restoration as part of disaster recovery exercises, and protect backups so that unprivileged accounts (and, at the higher maturity levels, privileged accounts too) cannot modify or delete them. The widely used "3-2-1" rule (three copies, on two media types, with one copy offline or immutable) is a practical way to meet that last requirement, and it applies to SaaS data just as it does to on-premises servers.


Conclusion

The shared responsibility model is not a loophole — it is a boundary. Everything on your side of that boundary is your risk to manage. For an Australian SMB, that means defining backup scope beyond email, selecting a third-party tool with local data residency, and proving recovery works before you need it.

Start with an audit of what lives in your M365 or Google Workspace tenant today. Map it against the checklist above. If you cannot restore a deleted email from six weeks ago in under an hour, your backup strategy is incomplete.

Visit consult.lil.business for a free cybersecurity assessment and a tailored backup recovery plan for your business.


References

  1. Australian Cyber Security Centre, Essential Eight Maturity Model: Regular Backups
  2. Microsoft, Shared Responsibility in the Cloud
  3. Google Workspace Admin Help, Data retention and Google Vault

TL;DR

  • Google found that hackers used 90 secret software holes (called "zero-days") in 2025 to break into computers
  • Nearly half of these attacks targeted business equipment like firewalls and routers, not web browsers
  • The good news: you don't need to patch everything at once, just focus first on the holes hackers are actually using
  • Smart businesses focus on the 1% of problems that matter instead of trying to fix everything

What's a "Zero-Day"? (Simple Explanation)

Imagine you buy a house with a secret door that you didn't know existed. Burglars discover this secret door and start using it to break into houses. The door manufacturer doesn't know about the problem yet, so there's no fix available.

That's a zero-day vulnerability — a secret security hole that:

  • The software maker doesn't know about
  • Has no available fix (patch)
  • Hackers are actively using to break in

The name comes from the idea that the software maker has had zero days to create and release a fix.

Google's security team tracked 90 of these secret holes being used by hackers in 2025 [1]. That's up from 78 in 2024, meaning the problem is growing.

The Big Shift: Hackers Changed Targets

Here's what's really important for business owners: hackers have shifted targets.

Old pattern (before 2025): Hackers mostly focused on web browsers (Chrome, Safari, Firefox) as the way into computers.

New pattern (2025): Hackers now focus on business equipment:

  • Firewalls (the security guards for your internet connection)
  • Routers (the traffic directors for your network)
  • VPN systems (how employees connect remotely)

Google found that 48% of all zero-day attacks in 2025 targeted business systems — the highest level ever recorded [1]. Meanwhile, attacks on browsers dropped to less than 10%.

What this means for you: The equipment you bought to protect your business (firewalls, security appliances) is now the primary target. The assumption that "browsers are the weak point" is outdated.

Related: Cisco Just Patched 48 Firewall Flaws — Including 2 Perfect 10s

Why Business Equipment Is Targeted

Think about it from a hacker's perspective:

Web browsers:

  • Get updated frequently (Chrome ships a new major version about every four weeks, with security fixes in between)
  • Have strong security built in
  • Run on each person's computer, where security software can watch them
  • If hacked, only affect one computer

Business firewalls and routers:

  • Often run for years without updates
  • Have limited security monitoring (you usually cannot install an EDR or antivirus agent on them, so a compromise leaves few traces)
  • Sit at the edge of your network — if hacked, give access to everything
  • Affect the entire business if compromised

Google points out that limited visibility on these devices is a recurring problem [1] — meaning security teams often can't see what's happening on them until it's too late.

The 1% Rule: Don't Try to Fix Everything

Here's something that might surprise you: across all software companies, there were over 20,000 security issues discovered in 2025 [2].

But Google tracked only 90 that hackers actually used.

This is the 1% Rule: focus first on the 1% of problems that are being exploited, and deprioritise the 99% that remain theoretical.

Smart businesses don't try to patch everything. They:

  1. Subscribe to alerts from the US cybersecurity agency (CISA) about which vulnerabilities hackers are actually using, published as its Known Exploited Vulnerabilities catalog
  2. Prioritise those for immediate patching
  3. Handle the rest during regular maintenance, not as emergencies

Related: Stop Patching Everything: The 1% Rule That Keeps SMBs Secure Without Burning Out

The Vendor Reality: Cisco, Fortinet, and Others

Google's report specifically mentions that Cisco and Fortinet — two very common business equipment vendors — were frequent targets [1].

This doesn't mean their products are bad. It means:

  • They're widely used (lots of businesses have them)
  • Hackers focus on popular targets (more potential victims)
  • When flaws are found, hackers exploit them quickly

If your business uses Cisco or Fortinet equipment (and many do), the solution isn't to panic and replace everything. The solution is:

  • Keep them updated — Install security patches promptly
  • Monitor them — Watch for unusual activity
  • Protect them — Put them behind additional security layers

Think of it like car safety: just because some car models have had recalls doesn't mean you stop driving. You just stay informed and get the fixes when they're available.

What AI Means for Zero-Days (Future Warning)

Google warns that artificial intelligence will make this problem worse by:

  1. Finding holes faster — AI can test software automatically and find vulnerabilities quicker than human researchers
  2. Building attacks faster — AI can create code to exploit vulnerabilities as soon as they're discovered
  3. Automating everything — What used to take skilled hackers months can now be done in days by AI tools

But AI also helps defenders:

  1. Finding holes first — AI can discover vulnerabilities before hackers do, giving software makers time to fix them
  2. Detecting attacks — AI can spot attack patterns even when the specific vulnerability is unknown
  3. Responding faster — AI can automatically isolate systems and limit damage when attacks occur

The message for businesses: AI-powered security is becoming essential, not optional. The cost of AI security tools is falling, and they're increasingly the only way to keep up with AI-powered attackers.

Related: AI Isn't Building New Attack Playbooks — It's Running Old Ones 44% Faster: What the 2026 IBM X-Force Report Means for Your Business

The Practical Protection Plan

You can't fix zero-days directly (by definition, they're secret and unpatched). But you CAN protect your business:

1. Reduce the Attack Surface (Close Unnecessary Doors)

If a vulnerability exists but can't be reached, it can't be exploited.

What to do:

  • Turn off features you don't use on your firewall and router
  • Disable remote management from the internet (only allow management from inside your network)
  • Separate guest WiFi from business systems (compromised guest devices shouldn't reach business data)

Real impact: CISA's Binding Operational Directive 23-02 orders US federal agencies to take device management interfaces off the public internet, precisely because an exposed management page is how so many of these edge-device flaws get reached. If the interface is not reachable from the internet, most of these exploits have nothing to talk to.

2. Assume Breach, Focus on Detection

Since some zero-days will inevitably be used, focus on catching the attack early.

What to do:

  • Monitor network traffic for unusual patterns (large data transfers at odd hours, connections to unknown servers)
  • Install EDR (Endpoint Detection and Response) on computers that manage your business equipment
  • Keep logs and review them regularly for suspicious activity

Why this works: You can't stop every zero-day, but you can detect when something's wrong and respond before major damage occurs.

3. Patch Smart, Not Hard

When patches become available, focus on the ones that matter:

Priority system:

  1. Urgent (patch within 48 hours) — Vulnerabilities that CISA confirms are being actively exploited by hackers
  2. Important (patch within 30 days) — Critical vulnerabilities from equipment vendors
  3. Routine (patch when convenient) — Everything else, during scheduled maintenance

This approach ensures limited time and resources go to real threats, not theoretical ones.

4. Choose Vendors Wisely

When buying business equipment:

Ask vendors:

  • "How quickly do you patch security issues?"
  • "How do you notify customers about vulnerabilities?"
  • "What security features are built in?"

Research vendors:

  • Check their security track record
  • Look for transparent security practices
  • Avoid vendors with histories of slow patching or hiding problems

The Business Case: Why This Matters for Your Bottom Line

Zero-day protection isn't just security — it's business resilience. Consider:

  • Customer trust — Businesses that demonstrate proactive security win more customers
  • Insurance costs — Cybersecurity insurance premiums are lower for well-protected businesses
  • Regulatory compliance — Laws like the Australian Privacy Act (APP 11) and GDPR require "reasonable" or "appropriate" security measures, and fixing vulnerabilities that are known to be exploited is a baseline expectation under both
  • Supply chain requirements — Larger customers are starting to require vendors to meet security standards

According to industry research, by 2026, 75% of organisations will treat zero-day protection as a board-level issue [3] — meaning it's discussed by company leadership, not just left to IT.

For small businesses, this is actually an advantage: you can move faster than big companies. Implementing smart security practices is easier with 50 systems than 50,000. Use that agility.

The Reality Check: This Is Happening Now

The 90 zero-days Google tracked in 2025 aren't theoretical. They were used against real businesses: hospitals, hotels, manufacturers, professional services.

The Sileno ransomware attack covered in an earlier post (22.9 TB encrypted in 14 hours) likely involved exploitation of one or more vulnerabilities in their systems [4].

This isn't science fiction. It's happening today, to businesses like yours.

What You Can Do This Week

Based on Google's report and current threat landscape, here's your immediate checklist:

  1. Inventory your business equipment — Make a list of every firewall, router, VPN device, and wireless access point. Include model, firmware version, and last patch date.
  2. Check for exposed management — Ensure device management interfaces aren't accessible from the internet. If they are, work with your IT person to close that access.
  3. Subscribe to alerts — Sign up for CISA's Known Exploited Vulnerabilities mailing list. These are the vulnerabilities hackers are actually using.
  4. Review vendor advisories — If you use Cisco, Fortinet, or other major vendors, check their security advisory pages for recent announcements.
  5. Plan your patching — Create a simple system: urgent patches within 48 hours, important patches within 30 days, routine updates during scheduled maintenance.
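A worked version of the priority system above and of checklist steps 1, 3 and 5, as an added example that is not part of the original post: a Python triage that takes the device inventory, the CISA KEV feed and vendor advisories, and produces one row per device and CVE with a tier and a deadline. The KEV entries use the real feed's field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but the vendors, products and CVE IDs are placeholders, and the inventory and advisory formats are assumptions made for the demonstration.

```python
"""Patch-tier triage: match a device inventory against KEV entries and vendor advisories."""
from datetime import date, timedelta

# Tier SLAs from the priority system: urgent = 48 hours, important = 30 days, routine = no fixed deadline.
TIER_SLA_DAYS = {"urgent": 2, "important": 30}
TIER_ORDER = {"urgent": 0, "important": 1, "routine": 2}

# Constructed sample in the shape of CISA's KEV JSON feed (same field names as the real feed;
# the vendors, products and CVE IDs are placeholders, not real entries).
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleNet", "product": "EdgeGate Firewall",
     "dateAdded": "2025-09-02", "dueDate": "2025-09-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "OtherCorp", "product": "Mail Server",
     "dateAdded": "2025-08-11", "dueDate": "2025-09-01", "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed vendor advisories (hypothetical format; real vendors publish PSIRT pages or CSAF documents).
SAMPLE_ADVISORIES = [
    {"cve": "CVE-0000-0001", "vendor": "ExampleNet", "product": "EdgeGate Firewall", "severity": "Critical"},
    {"cve": "CVE-0000-0003", "vendor": "TunnelCo", "product": "RemoteLink VPN", "severity": "Critical"},
    {"cve": "CVE-0000-0004", "vendor": "TunnelCo", "product": "RemoteLink VPN", "severity": "Medium"},
]

# Constructed inventory, the output of checklist step 1.
SAMPLE_INVENTORY = [
    {"device": "fw-01", "vendor": "ExampleNet", "product": "EdgeGate Firewall", "firmware": "7.2.1"},
    {"device": "vpn-01", "vendor": "TunnelCo", "product": "RemoteLink VPN", "firmware": "3.9"},
    {"device": "ap-lobby", "vendor": "WaveWorks", "product": "AP200", "firmware": "1.4"},
]

SAMPLE_TODAY = date(2025, 9, 10)  # fixed "today" so the demonstration is reproducible


def _key(vendor: str, product: str) -> tuple:
    return (vendor.strip().lower(), product.strip().lower())


def index_by_product(entries, vendor_field: str, product_field: str) -> dict:
    """Group entries by normalised (vendor, product). KEV carries no version ranges, so a match
    means 'check this device against the advisory', not 'this firmware is definitely affected'."""
    index = {}
    for entry in entries:
        index.setdefault(_key(entry[vendor_field], entry[product_field]), []).append(entry)
    return index


def triage(inventory, kev_feed, advisories, today: date) -> list:
    """One row per (device, CVE). Urgent = listed in KEV. Important = vendor Critical. Else routine."""
    kev = index_by_product(kev_feed["vulnerabilities"], "vendorProject", "product")
    adv = index_by_product(advisories, "vendor", "product")
    rows = []
    for dev in inventory:
        key = _key(dev["vendor"], dev["product"])
        covered = set()
        for entry in kev.get(key, []):
            covered.add(entry["cveID"])
            rows.append({
                "device": dev["device"], "firmware": dev["firmware"], "cve": entry["cveID"],
                "tier": "urgent", "deadline": today + timedelta(days=TIER_SLA_DAYS["urgent"]),
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
        for a in adv.get(key, []):
            if a["cve"] in covered:
                continue  # already urgent via KEV; the vendor rating cannot lower it
            tier = "important" if a["severity"].lower() == "critical" else "routine"
            deadline = today + timedelta(days=TIER_SLA_DAYS[tier]) if tier in TIER_SLA_DAYS else None
            rows.append({
                "device": dev["device"], "firmware": dev["firmware"], "cve": a["cve"],
                "tier": tier, "deadline": deadline, "ransomware": False,
            })
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], r["device"], r["cve"]))
    return rows


def overdue(rows, today: date) -> list:
    """Rows whose deadline has passed: escalate these rather than re-prioritising them."""
    return [r for r in rows if r["deadline"] is not None and r["deadline"] < today]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, SAMPLE_KEV, SAMPLE_ADVISORIES, SAMPLE_TODAY):
        print(row)
```

A KEV match on vendor and product is a prompt to confirm the affected versions in the vendor advisory against the firmware string the row carries, not a verdict; the access point with no matches still needs its firmware date checked in step 1. To run this against the real catalog, download the JSON feed linked from the KEV catalog page and pass it in place of SAMPLE_KEV, and replace SAMPLE_TODAY with date.today().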

FAQ

Q: What's the difference between a vulnerability and a zero-day? A: All zero-days are vulnerabilities, but not all vulnerabilities are zero-days.

  • Vulnerability — A security weakness in software. The software maker may know about it and have a fix available.
  • Zero-day — A vulnerability that is secret (unknown to the software maker) and has no fix yet.

Think of it like health:

  • Vulnerability — A known risk (like smoking). Your doctor can give you advice to address it.
  • Zero-day — A new, unknown disease. No treatments exist yet because doctors haven't seen it before.

Q: How can you protect against a hole nobody knows about? A: Since you can't patch what you don't know about, protection focuses on making attacks harder and limiting damage:

  1. Reduce attack surface — Turn off unnecessary features, close exposed management interfaces, and segment networks so compromised devices can't reach everything
  2. Detect compromises early — Monitor network traffic, watch for unusual activity, and have systems that alert you when something's wrong
  3. Limit blast radius — Use network segmentation so even if one device is compromised, the damage doesn't spread

It's like securing a building: you can't guarantee no burglars will ever try to break in, but you can make it harder for them to succeed and limit how much they can steal if they do.

Q: How many zero-days were exploited in 2025? A: Google's Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in 2025 [1]. This is up from 78 in 2024, which Google describes as a "stabilised range" of activity rather than a spike.

The breakdown:

  • 48% targeted enterprise systems (firewalls, routers, business software) — highest ever
  • 44% targeted operating systems (Windows, macOS, Android, iOS)
  • Less than 10% targeted browsers — continuing decline

The shift from browsers to enterprise systems reflects the reality that browsers have gotten much harder to exploit, while business equipment often runs neglected and unmonitored.

Q: Are Cisco and Fortinet products unsafe? A: No. Google identifies them as frequently targeted because they're widely used, not because they're uniquely bad [1]. Cisco and Fortinet have enormous market share. More deployments means:

  • More hackers focusing on them (more potential victims)
  • More zero-days discovered simply because there are more targets

The practical approach:

  • Don't abandon proven vendors — Switching to obscure products doesn't guarantee safety (they may have undiscovered vulnerabilities and less testing)
  • Deploy additional controls — If you use Cisco or Fortinet, layer on extra security: monitoring, segmentation, and rapid patching
  • Stay informed — Subscribe to vendor security advisories and respond quickly when they announce issues

It's like car safety: some car models have had recalls, but that doesn't mean you stop driving. You just stay informed and get the fixes.

Q: What is CISA, and why does its list matter to an Australian business? A: CISA is the Cybersecurity & Infrastructure Security Agency, the US government's cybersecurity agency. Its Known Exploited Vulnerabilities Catalog is a list of security holes that hackers are actively using in the wild [2].

Why it matters:

  • CISA focuses on real threats, not theoretical ones
  • Their catalog tells you exactly what hackers are exploiting right now
  • Under CISA's Binding Operational Directive 22-01, US federal civilian agencies must patch catalogued vulnerabilities by the listed due dates; Australian businesses are not bound by it, but the due dates are a useful benchmark for how fast "urgent" should be

For small businesses, CISA's catalog is a free prioritisation tool: instead of trying to work out which of the 20,000-plus CVEs published each year to worry about, filter the catalog (over a thousand entries in total, with a few hundred added each year) down to the handful that name products you actually run.

References

[1] Google Threat Intelligence Group, "Zero-Day Vulnerability Analysis 2025," Google, 2026. [Online]. Available: https://securitybrief.com.au/story/google-warns-of-surge-in-enterprise-zero-day-attacks

[2] CISA Known Exploited Vulnerabilities Catalog, "Known Exploited Vulnerabilities Catalog," Cybersecurity & Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[3] Gartner, "Zero-Day Vulnerability Management: A Board-Level Risk," Gartner, 2025. [Online]. Available: https://www.gartner.com/zero-day-board-risk

[4] Cybersecurity News Everyday, "Ransom! Sileno Companies Inc (MAR-2026)," Hendry Adrian, 2026. [Online]. Available: https://www.hendryadrian.com/ransom-sileno-companies-inc-mar-2026/


Zero-day protection sounds technical, but it's really about smart prioritization and layered defense. lilMONSTER helps small businesses build practical protection against the threats that actually matter — without overwhelming you with technical complexity. We assess your systems, focus on the 1% of vulnerabilities that matter, and build defense-in-depth that keeps you secure. Book a free consultation at consult.lil.business — let's make sure your business is protected against 2026's threats.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation