TL;DR

Microsoft and Google protect their infrastructure — not your data. The shared-responsibility model leaves a gap: accidental deletion, ransomware, malicious admins, and retention-policy purges can permanently destroy business data after 30–93 days. Australian SMBs with 10–50 staff need a dedicated third-party backup solution, documented retention targets, and a quarterly restore-test drill to survive a breach. This playbook compares four leading options and gives you a practical checklist to close the gap.

The Gap You Didn't Know You Had

When you move to Microsoft 365 or Google Workspace, you assume your data is backed up. It isn't — at least, not in the way you think.

Both platforms operate on a shared-responsibility model. Microsoft and Google guarantee service uptime and infrastructure resilience. They replicate data across data centres to survive hardware failures. What they do not guarantee is recovery from events on your side of the model: accidental deletion, a departing employee wiping files, a ransomware attack encrypting your SharePoint library, or a malicious admin purging retention policies.

Native recycle bins cover 30 days in Google Workspace and 93 days in Microsoft 365. After that window closes, data is gone permanently. No support ticket will bring it back.

This gap is not theoretical. In 2025 alone, Sophos tracked 5,400 documented ransomware attacks across 137 countries. Ransomware groups expanded by 35%, and newer outfits like Qilin now boast over 1,000 victims. Credential-based attacks — where an attacker logs in as a legitimate user — now account for millions of compromised identities monthly. When an attacker authenticates as your finance director and deletes every Teams channel, Microsoft's native retention won't save you [1].

What Must Be Backed Up

For a 10–50 seat SMB, the backup scope should cover:

| Service | Microsoft 365 | Google Workspace |
|---|---|---|
| Email | Exchange Online mailboxes, archives, public folders | Gmail (primary + archived) |
| Files | OneDrive for Business, SharePoint document libraries | Google Drive (My Drive + Shared Drives) |
| Collaboration | Teams chats (1:1 + channel), Planner tasks | Google Chat spaces, Meet recordings |
| Identity | Entra ID groups + conditional access policies | Workspace group memberships + OUs |

A common blind spot: Teams channel files live in SharePoint. Backing up SharePoint covers the files, but not the chat context around them. If your team uses Teams as its operational hub, chat-level backup matters.

Comparing Third-Party Backup Products (10–50 Seats)

Four products dominate the SMB-friendly M365/Workspace backup market in Australia. All prices are approximate per-user-per-month in AUD as of mid-2026.

| Product | M365 Price | Workspace Price | Key Strength | Watch For |
|---|---|---|---|---|
| Veeam M365 | ~$4.80/user/mo | Via partner only | Enterprise heritage, flexible storage targets (object, local, cloud) | Requires infrastructure to run (VM or server); overkill for sub-10 seats |
| Afi | ~$5.00/user/mo | ~$5.00/user/mo | AI-powered search across backups, automated restore testing, no infrastructure | Newer player; check Australian data residency |
| Dropsuite | ~$3.80/user/mo | ~$3.80/user/mo | Australian-born, local data centres, tight RPO (as low as 3x daily) | Primarily sold through telco/reseller partners (Telstra, etc.) |
| Spanning | ~$7.00/user/mo | ~$7.00/user/mo | Simple setup, cross-platform if you run both M365 and Workspace | Premium pricing per seat; fewer granular restore options |

Recommendation for 10–50 seats: Dropsuite wins on price and Australian data sovereignty if you're buying through a local MSP. Afi wins on automation — its AI-driven restore testing means you're not manually verifying backups monthly. Veeam suits teams already running on-prem infrastructure who want backup sovereignty (storing copies outside the cloud platform entirely).

The Quarterly Restore-Test Drill

Only 5% of SMBs have tested their Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets within the past quarter. A backup that hasn't been restored is a wish, not a plan.

Run this drill every 90 days:

  1. Pick a real file. Choose a recent SharePoint document or a Shared Drive file modified in the last 7 days.
  2. Simulate deletion. Note the timestamp. Delete it (this is the safe part — you're testing backup, not live data).
  3. Time the restore. From deletion to the moment the file is back in the user's viewable folder — that's your RTO.
  4. Check the last backup timestamp. The gap between file modification and the most recent backup snapshot is your RPO. Target: under 4 hours for mail, under 12 hours for files.
  5. Document. Log both numbers. If RTO exceeds 2 hours or RPO exceeds your target, escalate to your vendor or MSP.

Rotate the test across services — email one quarter, Teams chats the next, Shared Drives the third. A single SharePoint file restore is not proof your entire tenant can recover.
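The drill log can be checked mechanically. The following is an added example, not part of the original playbook: it computes RTO and RPO from the recorded timestamps, applies the thresholds from steps 4 and 5, and flags missed 90-day cadence and services the rotation has never covered. The record field names, the service labels and the 12-hour fallback target for chats are assumptions.

```python
from datetime import datetime, timedelta

# Thresholds from the drill above: RTO 2 h; RPO 4 h for mail, 12 h for files.
RTO_LIMIT = timedelta(hours=2)
RPO_TARGET = {"mail": timedelta(hours=4), "files": timedelta(hours=12)}
DEFAULT_RPO = timedelta(hours=12)    # assumption: no target is given for chats
CADENCE = timedelta(days=90)
SCOPE = {"mail", "files", "chats"}   # assumption: service labels for the rotation

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def evaluate(drill):
    """Return (rto, rpo, findings) for one drill record."""
    rto = ts(drill["restored"]) - ts(drill["deleted"])
    # RPO as the drill defines it: gap between modification and latest snapshot.
    rpo = abs(ts(drill["modified"]) - ts(drill["last_backup"]))
    findings = []
    if rto > RTO_LIMIT:
        findings.append("RTO over 2 h")
    if rpo > RPO_TARGET.get(drill["service"], DEFAULT_RPO):
        findings.append("RPO over target")
    return rto, rpo, findings

def review(drills, today):
    """Check each drill, the 90-day cadence, and rotation coverage."""
    drills = sorted(drills, key=lambda d: ts(d["deleted"]))
    issues = []
    for d in drills:
        for f in evaluate(d)[2]:
            issues.append(f"{d['deleted'][:10]} {d['service']}: {f}, escalate")
    dates = [ts(d["deleted"]) for d in drills] + [ts(today)]
    for a, b in zip(dates, dates[1:]):
        if b - a > CADENCE:
            issues.append(f"gap of {(b - a).days} days after {a:%Y-%m-%d}")
    for svc in sorted(SCOPE - {d["service"] for d in drills}):
        issues.append(f"{svc}: never restore-tested")
    return issues

# Constructed sample log (not real data).
DRILLS = [
    {"service": "files", "modified": "2026-01-14 06:00", "last_backup": "2026-01-14 03:00",
     "deleted": "2026-01-14 10:00", "restored": "2026-01-14 10:45"},
    {"service": "mail", "modified": "2026-04-20 08:00", "last_backup": "2026-04-20 02:00",
     "deleted": "2026-04-20 14:00", "restored": "2026-04-20 17:30"},
]
if __name__ == "__main__":
    for line in review(DRILLS, "2026-06-15 00:00"):
        print(line)
```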

FAQ

Q: Doesn't Microsoft 365's 93-day retention cover me?
A: Retention policies preserve data for compliance — they were never designed for disaster recovery. If a ransomware variant encrypts files and the 93-day window passes before you notice, the encrypted version becomes the retained version. Retention is not backup. Additionally, a malicious global admin can purge retention policies entirely. Third-party backup with immutable storage prevents this [2].

Q: We're only 15 staff. Is third-party backup really necessary?
A: Research from Check Point confirms that attackers increasingly target mid-sized businesses specifically because they hold valuable data but invest less in defence than enterprises. A 15-person accounting firm losing every client file in Google Drive faces the same operational paralysis as a 500-person firm — but with fewer resources to rebuild. At ~$60–100/month for a full backup solution, it is one of the cheapest insurance policies a business can purchase [3].

Q: Can't I just use a Synology NAS and sync everything locally?
A: Synology's Active Backup for Microsoft 365 is a legitimate option and costs nothing beyond the hardware. However, it introduces new risks: the NAS becomes a single point of failure, requires off-site replication, and you are responsible for its security patches and physical protection. For most 10–50 seat SMBs, a SaaS backup product with immutable storage removes the self-managed infrastructure risk.

Q: How often should backups run?
A: Minimum 3x daily for email, 1x daily for files. Dropsuite and Afi both support this cadence. Anything less than daily means you risk losing an entire business day's work — acceptable in 2018, not in 2026 when the average ransomware dwell time (time from intrusion to detonation) has compressed from weeks to hours.

Conclusion

Your cloud productivity suite is a shared-responsibility platform, not a backup service. The playbook is simple: scope what needs backing up (mail, files, chats, identity), pick a third-party product matched to your seat count and budget, set explicit RPO and RTO targets, and run a hands-on restore test every 90 days. Documentation means nothing without verification.

Next step: Visit consult.lil.business for a free 30-minute cybersecurity assessment. We'll review your current M365 or Google Workspace setup, identify backup gaps, and recommend the right product for your team size and budget — no obligation, no vendor lock-in.

References

  1. Sophos Threat Research: Ransomware Landscape 2025-2026
  2. ACSC Essential Eight: Backup and Recovery Guidance
  3. Check Point: Exclusive Warning on Rising SMB Cyber Risk
