TL;DR

Microsoft and Google protect their infrastructure — not your data. The shared-responsibility model leaves a gap: accidental deletion, ransomware, malicious admins, and retention-policy purges can permanently destroy business data after 30–93 days. Australian SMBs with 10–50 staff need a dedicated third-party backup solution, documented retention targets, and a quarterly restore-test drill to survive a breach. This playbook compares four leading options and gives you a practical checklist to close the gap.

The Gap You Didn't Know You Had

When you move to Microsoft 365 or Google Workspace, you assume your data is backed up. It isn't — at least, not in the way you think.

Both platforms operate on a shared-responsibility model. Microsoft and Google guarantee service uptime and infrastructure resilience. They replicate data across data centres to survive hardware failures. What they do not guarantee: recovery from what happens on your side — accidental deletion, a departing employee wiping files, a ransomware attack encrypting your SharePoint library, or a malicious admin purging retention policies.

Native recycle bins cover 30 days in Google Workspace and 93 days in Microsoft 365. After that window closes, data is gone permanently. No support ticket will bring it back.

This gap is not theoretical. In 2025 alone, Sophos tracked 5,400 documented ransomware attacks across 137 countries. Ransomware groups expanded by 35%, and newer outfits like Qilin now boast over 1,000 victims. Credential-based attacks — where an attacker logs in as a legitimate user — now account for millions of compromised identities monthly. When an attacker authenticates as your finance director and deletes every Teams channel, Microsoft's native retention won't save you [1].

What Must Be Backed Up

For a 10–50 seat SMB, the backup scope should cover:

| Service | Microsoft 365 | Google Workspace |
|---|---|---|
| Email | Exchange Online mailboxes, archives, public folders | Gmail (primary + archived) |
| Files | OneDrive for Business, SharePoint document libraries | Google Drive (My Drive + Shared Drives) |
| Collaboration | Teams chats (1:1 + channel), Planner tasks | Google Chat spaces, Meet recordings |
| Identity | Entra ID groups + conditional access policies | Workspace group memberships + OUs |

A common blind spot: Teams channel files live in SharePoint. Backing up SharePoint covers the files, but not the chat context around them. If your team uses Teams as its operational hub, chat-level backup matters.

Comparing Third-Party Backup Products (10–50 Seats)

Four products dominate the SMB-friendly M365/Workspace backup market in Australia. All prices are approximate per-user-per-month in AUD as of mid-2026.

| Product | M365 Price | Workspace Price | Key Strength | Watch For |
|---|---|---|---|---|
| Veeam M365 | ~$4.80/user/mo | Via partner only | Enterprise heritage, flexible storage targets (object, local, cloud) | Requires infrastructure to run (VM or server); overkill for sub-10 seats |
| Afi | ~$5.00/user/mo | ~$5.00/user/mo | AI-powered search across backups, automated restore testing, no infrastructure | Newer player; check Australian data residency |
| Dropsuite | ~$3.80/user/mo | ~$3.80/user/mo | Australian-born, local data centres, tight RPO (as low as 3x daily) | Primarily sold through telco/reseller partners (Telstra, etc.) |
| Spanning | ~$7.00/user/mo | ~$7.00/user/mo | Simple setup, cross-platform if you run both M365 and Workspace | Premium pricing per seat; fewer granular restore options |

Recommendation for 10–50 seats: Dropsuite wins on price and Australian data sovereignty if you're buying through a local MSP. Afi wins on automation — its AI-driven restore testing means you're not manually verifying backups monthly. Veeam suits teams already running on-prem infrastructure who want backup sovereignty (storing copies outside the cloud platform entirely).

The Quarterly Restore-Test Drill

Only 5% of SMBs have tested their Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets within the past quarter. A backup that hasn't been restored is a wish, not a plan.

Run this drill every 90 days:

  1. Pick a real file. Choose a recent SharePoint document or a Shared Drive file modified in the last 7 days.
  2. Simulate deletion. Note the timestamp. Delete it (this is the safe part — you're testing backup, not live data).
  3. Time the restore. From deletion to the moment the file is back in the user's viewable folder — that's your RTO.
  4. Check the last backup timestamp. The gap between file modification and the most recent backup snapshot is your RPO. Target: under 4 hours for mail, under 12 hours for files.
  5. Document. Log both numbers. If RTO exceeds 2 hours or RPO exceeds your target, escalate to your vendor or MSP.

Rotate the test across services — email one quarter, Teams chats the next, Shared Drives the third. A single SharePoint file restore is not proof your entire tenant can recover.
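A small calculator for steps 3 to 5 of the drill, added here as an example and not part of the playbook or any vendor's tooling: it turns the four timestamps you record into RTO and RPO in minutes, checks them against the 2-hour RTO and 4-hour/12-hour RPO targets above, and flags what to escalate. The service names, the 90-day scheduling helper and holding chat backups to the file target are my assumptions.

```python
from datetime import datetime, timedelta

# Targets from the playbook: RTO under 2 hours; RPO under 4 hours for mail and
# under 12 hours for files. The drill rotates across mail, Teams chats and
# Shared Drives; chat backups are held to the file target here (assumption).
RTO_TARGET_MIN = 2 * 60
RPO_TARGET_MIN = {"mail": 4 * 60, "files": 12 * 60, "chats": 12 * 60}
DRILL_INTERVAL_DAYS = 90


def _minutes(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60


def run_drill(service: str, modified_at: str, deleted_at: str,
              restored_at: str, last_snapshot_at: str) -> dict:
    """Score one restore test from the four timestamps the drill records.

    Timestamps are ISO 8601 strings such as '2026-05-04T10:00'.
    RTO: deletion until the file is visible again in the user's folder.
    RPO: last modification until the most recent backup snapshot, i.e. the
         work that would be lost; zero when the snapshot is newer than the edit.
    """
    if service not in RPO_TARGET_MIN:
        raise ValueError(f"unknown service {service!r}")
    modified = datetime.fromisoformat(modified_at)
    deleted = datetime.fromisoformat(deleted_at)
    restored = datetime.fromisoformat(restored_at)
    snapshot = datetime.fromisoformat(last_snapshot_at)
    if restored < deleted:
        raise ValueError("restore finished before the deletion it recovers from")

    rto_min = _minutes(restored, deleted)
    rpo_min = max(_minutes(modified, snapshot), 0.0)

    reasons = []
    if rto_min > RTO_TARGET_MIN:
        reasons.append(f"RTO {rto_min:.0f} min exceeds {RTO_TARGET_MIN} min")
    if rpo_min > RPO_TARGET_MIN[service]:
        reasons.append(f"RPO {rpo_min:.0f} min exceeds "
                       f"{RPO_TARGET_MIN[service]} min for {service}")
    return {
        "service": service,
        "rto_minutes": rto_min,
        "rpo_minutes": rpo_min,
        # step 5: any missed target goes to the vendor or MSP
        "escalate": bool(reasons),
        "reasons": reasons,
        "next_drill_due": (deleted + timedelta(days=DRILL_INTERVAL_DAYS))
        .date().isoformat(),
    }


def next_service(history: list) -> str:
    """Rotate the drill: pick the service that has gone longest without one."""
    order = ["mail", "chats", "files"]
    last_seen = {svc: -1 for svc in order}
    for i, entry in enumerate(history):
        last_seen[entry["service"]] = i
    return min(order, key=lambda svc: last_seen[svc])


if __name__ == "__main__":
    # Constructed drill: file edited 09:00, deleted 10:00, back at 10:45,
    # last backup snapshot taken at 03:00 the same morning.
    result = run_drill("files", "2026-05-04T09:00", "2026-05-04T10:00",
                       "2026-05-04T10:45", "2026-05-04T03:00")
    print(result)
    print("next quarter, test:", next_service([result]))
```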

FAQ

Q: Doesn't Microsoft 365's 93-day retention cover me?
A: Retention policies preserve data for compliance — they were never designed for disaster recovery. If a ransomware variant encrypts files and the 93-day window passes before you notice, the encrypted version becomes the retained version. Retention is not backup. Additionally, a malicious global admin can purge retention policies entirely. Third-party backup with immutable storage prevents this [2].

Q: We're only 15 staff. Is third-party backup really necessary?
A: Research from Check Point confirms that attackers increasingly target mid-sized businesses specifically because they hold valuable data but invest less in defence than enterprises. A 15-person accounting firm losing every client file in Google Drive faces the same operational paralysis as a 500-person firm — but with fewer resources to rebuild. At ~$60–100/month for a full backup solution, it is one of the cheapest insurance policies a business can purchase [3].

Q: Can't I just use a Synology NAS and sync everything locally?
A: Synology's Active Backup for Microsoft 365 is a legitimate option and costs nothing beyond the hardware. However, it introduces new risks: the NAS becomes a single point of failure, requires off-site replication, and you are responsible for its security patches and physical protection. For most 10–50 seat SMBs, a SaaS backup product with immutable storage removes the self-managed infrastructure risk.

Q: How often should backups run?
A: Minimum 3x daily for email, 1x daily for files. Dropsuite and Afi both support this cadence. Anything less than daily means you risk losing an entire business day's work — acceptable in 2018, not in 2026 when the average ransomware dwell time (time from intrusion to detonation) has compressed from weeks to hours.

Conclusion

Your cloud productivity suite is a shared-responsibility platform, not a backup service. The playbook is simple: scope what needs backing up (mail, files, chats, identity), pick a third-party product matched to your seat count and budget, set explicit RPO and RTO targets, and run a hands-on restore test every 90 days. Documentation means nothing without verification.

Next step: Visit consult.lil.business for a free 30-minute cybersecurity assessment. We'll review your current M365 or Google Workspace setup, identify backup gaps, and recommend the right product for your team size and budget — no obligation, no vendor lock-in.

References

  1. Sophos Threat Research: Ransomware Landscape 2025-2026
  2. ACSC Essential Eight: Backup and Recovery Guidance
  3. Check Point: Exclusive Warning on Rising SMB Cyber Risk

TL;DR

  • Google found that hackers used 90 secret software holes (called "zero-days") in 2025 to break into computers
  • Nearly half of these attacks targeted business equipment like firewalls and routers, not web browsers
  • The good news: you don't need to patch everything, just focus on the holes hackers are actually using
  • Smart businesses focus on the 1% of problems that matter instead of trying to fix everything

What's a "Zero-Day"? (Simple Explanation)

Imagine you buy a house with a secret door that you didn't know existed. Burglars discover this secret door and start using it to break into houses. The door manufacturer doesn't know about the problem yet, so there's no fix available.

That's a zero-day vulnerability — a secret security hole that:

  • The software maker doesn't know about
  • Has no available fix (patch)
  • Hackers are actively using to break in

The name comes from the idea that the software maker has had zero days to create and release a fix.

Google's security team tracked 90 of these secret holes being used by hackers in 2025 [1]. That's up from 78 in 2024, meaning the problem is growing.

The Big Shift: Hackers Changed Targets

Here's what's really important for business owners: hackers have shifted targets.

Old pattern (before 2025): Hackers mostly focused on web browsers (Chrome, Safari, Firefox) as the way into computers.

New pattern (2025): Hackers now focus on business equipment:

  • Firewalls (the security guards for your internet connection)
  • Routers (the traffic directors for your network)
  • VPN systems (how employees connect remotely)

Google found that 48% of all zero-day attacks in 2025 targeted business systems — the highest level ever recorded [1]. Meanwhile, attacks on browsers dropped to less than 10%.

What this means for you: The equipment you bought to protect your business (firewalls, security appliances) is now the primary target. The assumption that "browsers are the weak point" is outdated.


Why Business Equipment Is Targeted

Think about it from a hacker's perspective:

Web browsers:

  • Get updated frequently (Chrome updates every 2-4 weeks)
  • Have strong security built in
  • Run on each person's computer, where security software can watch them
  • If hacked, only affect one computer

Business firewalls and routers:

  • Often run for years without updates
  • Have limited security monitoring (often can't run antivirus software)
  • Sit at the edge of your network — if hacked, give access to everything
  • Affect the entire business if compromised

Google points out that limited visibility on these devices is a recurring problem [1] — meaning security teams often can't see what's happening on them until it's too late.

The 1% Rule: Don't Try to Fix Everything

Here's something that might surprise you: across all software companies, there were over 20,000 security issues discovered in 2025 [2].

But Google tracked only 90 that hackers actually used.

This is the 1% Rule: focus on the 1% of problems that are being exploited, ignore the 99% that are theoretical.

Smart businesses don't try to patch everything. They:

  1. Subscribe to alerts from the US cybersecurity agency (CISA) about which vulnerabilities hackers are actually using
  2. Prioritise those for immediate patching
  3. Handle the rest during regular maintenance, not as emergencies


The Vendor Reality: Cisco, Fortinet, and Others

Google's report specifically mentions that Cisco and Fortinet — two very common business equipment vendors — were frequent targets [1].

This doesn't mean their products are bad. It means:

  • They're widely used (lots of businesses have them)
  • Hackers focus on popular targets (more potential victims)
  • When flaws are found, hackers exploit them quickly

If your business uses Cisco or Fortinet equipment (and many do), the solution isn't to panic and replace everything. The solution is:

  • Keep them updated — Install security patches promptly
  • Monitor them — Watch for unusual activity
  • Protect them — Put them behind additional security layers

Think of it like car safety: just because some car models have had recalls doesn't mean you stop driving. You just stay informed and get the fixes when they're available.

What AI Means for Zero-Days (Future Warning)

Google warns that artificial intelligence will make this problem worse by:

  1. Finding holes faster — AI can test software automatically and find vulnerabilities quicker than human researchers
  2. Building attacks faster — AI can create code to exploit vulnerabilities as soon as they're discovered
  3. Automating everything — What used to take skilled hackers months can now be done in days by AI tools

But AI also helps defenders:

  1. Finding holes first — AI can discover vulnerabilities before hackers do, giving software makers time to fix them
  2. Detecting attacks — AI can spot attack patterns even when the specific vulnerability is unknown
  3. Responding faster — AI can automatically isolate systems and limit damage when attacks occur

The message for businesses: AI-powered security is becoming essential, not optional. The cost of AI security tools is falling, and they're increasingly the only way to keep up with AI-powered attackers.


The Practical Protection Plan

You can't fix zero-days directly (by definition, they're secret and unpatched). But you CAN protect your business:

1. Reduce the Attack Surface (Close Unnecessary Doors)

If a vulnerability exists but can't be reached, it can't be exploited.

What to do:

  • Turn off features you don't use on your firewall and router
  • Disable remote management from the internet (only allow management from inside your network)
  • Separate guest WiFi from business systems (compromised guest devices shouldn't reach business data)

Real impact: The US cybersecurity agency CISA found that over 60% of exploited vulnerabilities in business equipment are reached via exposed management interfaces [2]. Simply closing these interfaces prevents the majority of attacks.

2. Assume Breach, Focus on Detection

Since some zero-days will inevitably be used, focus on catching the attack early.

What to do:

  • Monitor network traffic for unusual patterns (large data transfers at odd hours, connections to unknown servers)
  • Install EDR (Endpoint Detection and Response) on computers that manage your business equipment
  • Keep logs and review them regularly for suspicious activity

Why this works: You can't stop every zero-day, but you can detect when something's wrong and respond before major damage occurs.
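As an added illustration (not the post's own tooling) of the "unusual patterns" bullet above, here is a minimal detector run over constructed firewall egress records: it flags large transfers outside business hours and any connection to a server not on an allowlist. The log format, the 07:00 to 19:00 window, the 100 MiB threshold and the allowlist are all my assumptions.

```python
import re
from datetime import datetime

# Constructed firewall egress records (not real logs): one connection per line.
SAMPLE_LOG = """\
2026-05-04T02:13:07 src=10.0.1.15 dst=203.0.113.9 dport=443 bytes_out=524288000
2026-05-04T09:41:22 src=10.0.1.22 dst=198.51.100.20 dport=443 bytes_out=73400320
2026-05-04T14:05:51 src=10.0.1.15 dst=198.51.100.20 dport=443 bytes_out=2048
2026-05-04T23:30:10 src=10.0.1.40 dst=198.51.100.20 dport=443 bytes_out=314572800
2026-05-04T11:12:00 src=10.0.1.31 dst=192.0.2.77 dport=22 bytes_out=1024
"""

# Constructed allowlist: servers the business is known to talk to (backup SaaS,
# productivity-suite endpoints, etc.). Anything else is an "unknown server".
KNOWN_SERVERS = {"198.51.100.20"}
BUSINESS_HOURS = (7, 19)                  # assumption: 07:00-19:00 local is normal
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024  # assumption: 100 MiB out is "large"

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes_out=(\d+)$")


def parse(line: str):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, nbytes = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "bytes_out": int(nbytes)}


def is_odd_hour(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def detect(log_text: str) -> list:
    """Return one alert per flow matching the post's two patterns:
    a large transfer at an odd hour, or a connection to an unknown server."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        reasons = []
        if rec["bytes_out"] >= LARGE_TRANSFER_BYTES and is_odd_hour(rec["ts"]):
            reasons.append("large transfer outside business hours")
        if rec["dst"] not in KNOWN_SERVERS:
            reasons.append("connection to unknown server")
        if reasons:
            alerts.append({"src": rec["src"], "dst": rec["dst"],
                           "bytes_out": rec["bytes_out"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```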

3. Patch Smart, Not Hard

When patches become available, focus on the ones that matter:

Priority system:

  1. Urgent (patch within 48 hours) — Vulnerabilities that CISA confirms are being actively exploited by hackers
  2. Important (patch within 30 days) — Critical vulnerabilities from equipment vendors
  3. Routine (patch when convenient) — Everything else, during scheduled maintenance

This approach ensures limited time and resources go to real threats, not theoretical ones.

4. Choose Vendors Wisely

When buying business equipment:

Ask vendors:

  • "How quickly do you patch security issues?"
  • "How do you notify customers about vulnerabilities?"
  • "What security features are built in?"

Research vendors:

  • Check their security track record
  • Look for transparent security practices
  • Avoid vendors with histories of slow patching or hiding problems

The Business Case: Why This Matters for Your Bottom Line

Zero-day protection isn't just security — it's business resilience. Consider:

  • Customer trust — Businesses that demonstrate proactive security win more customers
  • Insurance costs — Cybersecurity insurance premiums are lower for well-protected businesses
  • Regulatory compliance — Laws like GDPR require "appropriate" security measures, and zero-day defence is increasingly considered mandatory
  • Supply chain requirements — Larger customers are starting to require vendors to meet security standards

According to industry research, by 2026, 75% of organisations will treat zero-day protection as a board-level issue [3] — meaning it's discussed by company leadership, not just left to IT.

For small businesses, this is actually an advantage: you can move faster than big companies. Implementing smart security practices is easier with 50 systems than 50,000. Use that agility.

The Reality Check: This Is Happening Now

The 90 zero-days Google tracked in 2025 aren't theoretical. They were used against real businesses: hospitals, hotels, manufacturers, professional services.

The Sileno ransomware attack we discussed earlier (22.9 TB encrypted in 14 hours) likely involved exploitation of one or more vulnerabilities in their systems [4].

This isn't science fiction. It's happening today, to businesses like yours.

What You Can Do This Week

Based on Google's report and current threat landscape, here's your immediate checklist:

  1. Inventory your business equipment — Make a list of every firewall, router, VPN device, and wireless access point. Include model, firmware version, and last patch date.
  2. Check for exposed management — Ensure device management interfaces aren't accessible from the internet. If they are, work with your IT person to close that access.
  3. Subscribe to alerts — Sign up for CISA's Known Exploited Vulnerabilities mailing list. These are the vulnerabilities hackers are actually using.
  4. Review vendor advisories — If you use Cisco, Fortinet, or other major vendors, check their security advisory pages for recent announcements.
  5. Plan your patching — Create a simple system: urgent patches within 48 hours, important patches within 30 days, routine updates during scheduled maintenance.

FAQ

Q: What's the difference between a vulnerability and a zero-day?
A: All zero-days are vulnerabilities, but not all vulnerabilities are zero-days.

  • Vulnerability — A security weakness in software. The software maker may know about it and have a fix available.
  • Zero-day — A vulnerability that is secret (unknown to the software maker) and has no fix yet.

Think of it like health:

  • Vulnerability — A known risk (like smoking). Your doctor can give you advice to address it.
  • Zero-day — A new, unknown disease. No treatments exist yet because doctors haven't seen it before.

Q: How do you protect against something that can't be patched?
A: Since you can't patch what you don't know about, protection focuses on making attacks harder and limiting damage:

  1. Reduce attack surface — Turn off unnecessary features, close exposed management interfaces, and segment networks so compromised devices can't reach everything
  2. Detect compromises early — Monitor network traffic, watch for unusual activity, and have systems that alert you when something's wrong
  3. Limit blast radius — Use network segmentation so even if one device is compromised, the damage doesn't spread

It's like securing a building: you can't guarantee no burglars will ever try to break in, but you can make it harder for them to succeed and limit how much they can steal if they do.

Q: How many zero-days were exploited in 2025?
A: Google's Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in 2025 [1]. This is up from 78 in 2024, representing a "stabilised range" of activity according to Google.

The breakdown:

  • 48% targeted enterprise systems (firewalls, routers, business software) — highest ever
  • 44% targeted operating systems (Windows, macOS, Android, iOS)
  • Less than 10% targeted browsers — continuing decline

The shift from browsers to enterprise systems reflects the reality that browsers have gotten much harder to exploit, while business equipment often runs neglected and unmonitored.

Q: Are Cisco and Fortinet products unsafe?
A: No. Google identifies them as frequently targeted because they're widely used, not because they're uniquely bad [1]. Cisco and Fortinet have enormous market share. More deployments means:

  • More hackers focusing on them (more potential victims)
  • More zero-days discovered simply because there are more targets

The practical approach:

  • Don't abandon proven vendors — Switching to obscure products doesn't guarantee safety (they may have undiscovered vulnerabilities and less testing)
  • Deploy additional controls — If you use Cisco or Fortinet, layer on extra security: monitoring, segmentation, and rapid patching
  • Stay informed — Subscribe to vendor security advisories and respond quickly when they announce issues

It's like car safety: some car models have had recalls, but that doesn't mean you stop driving. You just stay informed and get the fixes.

Q: What is CISA, and why does its catalog matter?
A: CISA is the Cybersecurity & Infrastructure Security Agency — the US government's cybersecurity agency. Their Known Exploited Vulnerabilities Catalog is a list of security holes that hackers are actively using in the wild [2].

Why it matters:

  • CISA focuses on real threats, not theoretical ones
  • Their catalog tells you exactly what hackers are exploiting right now
  • For many US government agencies and contractors, CISA-listed vulnerabilities must be patched by specific deadlines

For small businesses, CISA's catalog is a free prioritisation tool: instead of trying to figure out which of 20,000 CVEs to worry about, just focus on the ~100-200 on CISA's list at any given time.
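An added example, not from the post and not CISA's or any vendor's code, tying together the priority system in "Patch Smart, Not Hard" and the KEV catalog described above: it matches a constructed equipment inventory and constructed vendor advisories against a constructed KEV-style feed and assigns the 48-hour, 30-day and maintenance-window tiers. The JSON field names follow the real KEV feed; the vendors, products and CVE ids are placeholders, and treating CVSS 9.0 and above as "critical" is my assumption.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed (field names as in the
# real catalog at the URL in reference [2]). Vendor, product and CVE ids are
# placeholders, not real catalog entries.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleNet",
     "product": "EdgeGate Firewall", "dueDate": "2026-05-18",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "OtherCorp",
     "product": "Mail Gateway", "dueDate": "2026-05-25",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed vendor advisories, as collected from the vendors' advisory pages
# (checklist step 4). 'cvss' is the vendor's base score.
ADVISORIES = [
    {"cveID": "CVE-0000-00001", "vendor": "ExampleNet", "product": "EdgeGate Firewall", "cvss": 9.8},
    {"cveID": "CVE-0000-00003", "vendor": "ExampleNet", "product": "EdgeGate Firewall", "cvss": 9.1},
    {"cveID": "CVE-0000-00004", "vendor": "ExampleNet", "product": "EdgeGate Firewall", "cvss": 5.3},
    {"cveID": "CVE-0000-00002", "vendor": "OtherCorp", "product": "Mail Gateway", "cvss": 8.8},
]

# Constructed equipment inventory (checklist step 1). We own no OtherCorp gear.
INVENTORY = [
    {"asset": "fw-01", "vendor": "ExampleNet", "product": "EdgeGate Firewall"},
    {"asset": "ap-02", "vendor": "ExampleNet", "product": "AirLink AP"},
]

CRITICAL_CVSS = 9.0  # assumption: 'critical' means a CVSS base score of 9.0+
TIER_ORDER = {"urgent": 0, "important": 1, "routine": 2}


def _key(vendor: str, product: str) -> tuple:
    return (vendor.strip().lower(), product.strip().lower())


def triage(inventory: list, advisories: list, kev_json: str, today: str) -> list:
    """Put each advisory that affects equipment we own into a patch tier.

    urgent    : in KEV, i.e. actively exploited  -> patch within 48 hours
    important : vendor-rated critical            -> patch within 30 days
    routine   : everything else                  -> next maintenance window
    Advisories for products not in the inventory are dropped: nothing to patch.
    """
    start = date.fromisoformat(today)
    deadlines = {"urgent": start + timedelta(days=2),
                 "important": start + timedelta(days=30)}
    assets_by_product = {}
    for item in inventory:
        key = _key(item["vendor"], item["product"])
        assets_by_product.setdefault(key, []).append(item["asset"])
    exploited = {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}

    plan = []
    for adv in advisories:
        assets = assets_by_product.get(_key(adv["vendor"], adv["product"]))
        if not assets:
            continue
        if adv["cveID"] in exploited:
            tier = "urgent"
        elif adv["cvss"] >= CRITICAL_CVSS:
            tier = "important"
        else:
            tier = "routine"
        due = deadlines.get(tier)
        plan.append({"cveID": adv["cveID"], "tier": tier, "assets": list(assets),
                     "due": due.isoformat() if due else "next maintenance window"})
    plan.sort(key=lambda p: (TIER_ORDER[p["tier"]], p["cveID"]))
    return plan


if __name__ == "__main__":
    for item in triage(INVENTORY, ADVISORIES, KEV_JSON, "2026-05-11"):
        print(item)
```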

References

[1] Google Threat Intelligence Group, "Zero-Day Vulnerability Analysis 2025," Google, 2026. [Online]. Available: https://securitybrief.com.au/story/google-warns-of-surge-in-enterprise-zero-day-attacks

[2] CISA Known Exploited Vulnerabilities Catalog, "Known Exploited Vulnerabilities Catalog," Cybersecurity & Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[3] Gartner, "Zero-Day Vulnerability Management: A Board-Level Risk," Gartner, 2025. [Online]. Available: https://www.gartner.com/zero-day-board-risk

[4] Cybersecurity News Everyday, "Ransom! Sileno Companies Inc (MAR-2026)," Hendry Adrian, 2026. [Online]. Available: https://www.hendryadrian.com/ransom-sileno-companies-inc-mar-2026/


Zero-day protection sounds technical, but it's really about smart prioritisation and layered defence. lilMONSTER helps small businesses build practical protection against the threats that actually matter — without overwhelming you with technical complexity. We assess your systems, focus on the 1% of vulnerabilities that matter, and build defence-in-depth that keeps you secure. Book a free consultation at consult.lil.business — let's make sure your business is protected against 2026's threats.
