TL;DR
Microsoft and Google protect their cloud infrastructure — not your data once you delete it or an attacker encrypts it. Their built-in retention windows (14–93 days) are not backups. This playbook lays out what to back up, which third-party tools fit a 10–50 person Australian business, and how to run a quarterly restore drill so you know your safety net actually works.
The Shared-Responsibility Gap Most SMBs Miss
Here is the assumption that catches businesses off guard: "We pay for Microsoft 365 / Google Workspace, so our data is backed up." It is not. Both vendors operate under a shared-responsibility model. They guarantee platform uptime, redundancy across data centres, and protection against their own hardware failures. What they do not guarantee is recovering your data after:
- Accidental deletion. A staff member deletes a SharePoint site or a Shared Drive. After the recycle-bin window expires, it is gone.
- Ransomware. An attacker encrypts files in OneDrive or Drive. The encrypted versions sync to the cloud, overwriting good copies.
- Malicious admin actions. A disgruntled administrator bulk-purges mailboxes before anyone notices.
- Retention-policy purges. Compliance retention lapses or misconfigured policies silently hard-delete content.
Microsoft 365 retains deleted items for 14–93 days depending on the workload and licence tier. Google Vault holds data only as long as your retention rules specify — and rules can be changed or removed. Beyond those windows, neither vendor can recover your data. Period.
For Australian SMBs subject to the Privacy Act 1988 and the Notifiable Data Breaches scheme, losing customer records, financial documents, or correspondence is not just an operational headache — it is a potential regulatory breach.
What to Back Up: The Complete Checklist
Every Australian SMB running Microsoft 365 or Google Workspace should back up the following workloads:
| Workload | What It Contains | Why It Matters |
|---|---|---|
| Email (Exchange / Gmail) | Client correspondence, contracts, invoices | Legal hold, dispute evidence, ASIC records |
| OneDrive / Google Drive | Personal productivity files | IP, proposals, HR documents |
| SharePoint / Shared Drives | Team documents, policies, templates | Institutional knowledge, compliance artefacts |
| Teams chats & channels | Instant messages, meeting recordings, file attachments | Decision trails, project history |
Retention target: Minimum 12 months of point-in-time backup history, with the ability to restore to any day within that window. Financial services and healthcare businesses should aim for 7 years to satisfy ASIC and health-record retention obligations.
Product Comparison: Third-Party Backup for 10–50 Staff
| Feature | Veeam M365 | Afi.ai | Dropsuite | Spanning |
|---|---|---|---|---|
| M365 support | Full (Exchange, OneDrive, SharePoint, Teams) | Full | Full | Full |
| Google Workspace | Limited (via separate product) | Full | Full | Full |
| Deployment | On-prem, cloud, or hybrid | SaaS only | SaaS only | SaaS only |
| Backup frequency | Continuous (Exchange), 4-hourly (sites) | Up to every 1 hour | 1–3 times daily | 3 times daily |
| Retention | Unlimited (your storage) | Unlimited | Unlimited | Unlimited |
| Ransomware detection | Basic change monitoring | AI-driven anomaly alerts | Basic | Basic |
| Approx. cost (50 users) | ~AUD $2,500–3,500/yr | ~AUD $2,000–3,000/yr | ~AUD $1,800–2,500/yr | ~AUD $2,200–3,000/yr |
| Best for | Businesses with on-prem infrastructure or existing Veeam investment | Teams wanting AI-powered anomaly detection | Budget-conscious SMBs needing simplicity | Google Workspace–heavy environments |
Recommendation for most 10–50 person Australian SMBs: Afi.ai or Dropsuite if you want set-and-forget SaaS with no infrastructure to manage. Veeam M365 if you already run on-prem servers or need granular item-level restore with PowerShell automation.
Quarterly Restore-Test Drill
A backup you have never restored is not a backup — it is a hope. Run this drill every quarter:
- Pick a random workload. Rotate: email one quarter, SharePoint the next, Teams the next, Drive the next.
- Select a restore point. Choose a date 30–60 days in the past.
- Restore to a staging location. Do not overwrite production data.
- Verify integrity. Open 5–10 files or emails. Confirm content, attachments, and metadata are intact.
- Time the restore. Record how long it took. If a real incident hits, you need to know whether recovery takes 15 minutes or 4 hours.
- Document the result. Log the date, workload, restore time, and any issues. Store the log in your incident-response runbook.
This drill takes under an hour per quarter. It is the single highest-ROI activity in your backup programme because it turns an assumption into a verified capability.
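The six drill steps above can be scripted so that each quarter produces the same evidence. The following is an added example, not code from the article or from any of the backup products compared earlier: it rotates the workload, computes the 30–60 day restore-point window, checks a random sample of restored files against SHA-256 hashes recorded at backup time (the manifest is assumed; your backup product's restore report or a hash list you keep would supply it), times the restore, and appends one JSON line to a drill log for the incident-response runbook. The staging folder and the deliberately corrupted file in `demo_drill()` are constructed for the demonstration.

```python
"""Quarterly restore-drill helper (illustrative; not from any backup vendor)."""
from __future__ import annotations

import hashlib
import json
import random
import tempfile
import time
from datetime import date, timedelta
from pathlib import Path

# Rotation order from the drill: email, SharePoint, Teams, Drive.
WORKLOADS = ["Exchange/Gmail", "SharePoint/Shared Drives", "Teams", "OneDrive/Drive"]


def pick_workload(quarter: int) -> str:
    """Deterministic rotation so every workload is restored once a year."""
    if quarter not in (1, 2, 3, 4):
        raise ValueError("quarter must be 1-4")
    return WORKLOADS[quarter - 1]


def restore_window(today: date, min_days: int = 30, max_days: int = 60) -> tuple[date, date]:
    """Acceptable restore-point dates: 30-60 days before the drill date."""
    return today - timedelta(days=max_days), today - timedelta(days=min_days)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_samples(staging_dir: Path, manifest: dict[str, str],
                   sample_size: int = 5, seed: int | None = None) -> dict:
    """Open a random sample of restored files and compare them with the manifest.

    `manifest` maps relative path -> SHA-256 recorded at backup time (assumed to
    come from your backup product's report or a hash list you maintain).
    """
    rng = random.Random(seed)
    names = sorted(manifest)
    sample = rng.sample(names, min(sample_size, len(names)))
    failures = []
    for rel in sample:
        p = staging_dir / rel
        if not p.is_file() or p.stat().st_size == 0:
            failures.append({"file": rel, "problem": "missing or empty"})
        elif sha256_file(p) != manifest[rel]:
            failures.append({"file": rel, "problem": "hash mismatch"})
    return {"checked": len(sample), "failures": failures, "passed": not failures}


def record_drill(log_path: Path, workload: str, restore_point: date,
                 elapsed_s: float, verification: dict, notes: str = "") -> dict:
    """Append one JSON line to the drill log kept with the IR runbook."""
    today = date.today()
    lo, hi = restore_window(today)
    entry = {
        "drill_date": today.isoformat(),
        "workload": workload,
        "restore_point": restore_point.isoformat(),
        "restore_point_in_window": lo <= restore_point <= hi,
        "restore_minutes": round(elapsed_s / 60, 1),
        "items_checked": verification["checked"],
        "failures": verification["failures"],
        "result": "PASS" if verification["passed"] else "FAIL",
        "notes": notes,
    }
    with log_path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def demo_drill() -> dict:
    """Constructed end-to-end run: six 'restored' files, one deliberately corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp) / "staging"
        staging.mkdir()
        manifest = {}
        for i in range(6):
            p = staging / f"doc{i}.txt"
            p.write_text(f"restored document {i}\n")
            manifest[p.name] = sha256_file(p)
        (staging / "doc3.txt").write_text("tampered")  # simulate a bad restore
        t0 = time.monotonic()
        # The real restore into `staging` would run here.
        elapsed = time.monotonic() - t0
        result = verify_samples(staging, manifest, sample_size=6, seed=1)
        return record_drill(Path(tmp) / "restore-drills.jsonl", pick_workload(2),
                            date.today() - timedelta(days=45), elapsed, result)


if __name__ == "__main__":
    print(json.dumps(demo_drill(), indent=2))
```

The drill log is append-only JSON lines, so four quarters of entries give you restore times per workload and a record of every failure, which is exactly the evidence an insurer or auditor asks for when they ask whether the backups have been tested.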
FAQ
Does Microsoft 365 not include backup with my Business Premium licence? No. Business Premium includes advanced threat protection, compliance tools, and 93-day recycle-bin retention for some workloads. It does not include point-in-time backup, unlimited retention, or recovery from ransomware that has already synced encrypted files to the cloud.
How long does Google Workspace keep deleted files? Google Drive files sit in the trash for 30 days before permanent deletion. Gmail messages are retained based on your Google Vault rules. If no rule covers a message or file, it is permanently removed after the trash window expires and cannot be recovered by Google support.
Is cloud-to-cloud backup necessary if I already have a local NAS backup? Only if your NAS backup explicitly includes M365 and Google Workspace data via API — not just folder-synced copies. Most NAS backup tools sync only files that live on local machines. Cloud-native email, Teams chats, and SharePoint content never touch a local drive, so your NAS misses them entirely.
What should I do first if I suspect a ransomware attack has hit our cloud data? Immediately disable the compromised user account, disconnect any active sync clients, and contact your backup vendor to initiate a restore from the last clean snapshot before encryption began. Then report the incident to the Australian Cyber Security Centre via cyber.gov.au.
Conclusion
Australian SMBs face the same ransomware and data-loss threats as large enterprises, but with far less margin for error. VikingCloud's 2026 research found that 40% of SMBs admit an attack costing $100,000 or less could put them out of business. The shared-responsibility gap in Microsoft 365 and Google Workspace is real, measurable, and cheap to close — most third-party backup solutions cost less per year than a single day of unplanned downtime.
Start with a backup product that covers all four workloads. Set 12-month minimum retention. Run your first restore drill this quarter. That is the entire playbook.
Visit consult.lil.business for a free cybersecurity assessment tailored to your Australian SMB.
References
- Australian Cyber Security Centre — Essential Eight Maturity Model: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
- Microsoft — Shared Responsibilities for Cloud Computing: https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility-model
- NIST SP 800-34 Rev 1 — Contingency Planning Guide for Federal Information Systems: https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final
- VikingCloud 2026 SMB Threat Landscape Report: https://www.vikingcloud.com/press-news/cyberattacks-overtake-inflation-and-recession-concerns-as-the-1-threat-to-smbs-in-2026-new-vikingcloud-research-finds
TL;DR
- Google found that hackers used 90 secret software holes (called "zero-days") in 2025 to break into computers
- Nearly half of these attacks targeted business equipment like firewalls and routers, not web browsers
- The good news: you don't need to patch everything, just focus on the holes hackers are actually using
- Smart businesses focus on the 1% of problems that matter instead of trying to fix everything
What's a "Zero-Day"? (Simple Explanation)
Imagine you buy a house with a secret door that you didn't know existed. Burglars discover this secret door and start using it to break into houses. The door manufacturer doesn't know about the problem yet, so there's no fix available.
That's a zero-day vulnerability — a secret security hole that:
- The software maker doesn't know about
- Has no available fix (patch)
- Hackers are actively using to break in
The name comes from the idea that the software maker has had zero days to create and release a fix.
Google's security team tracked 90 of these secret holes being used by hackers in 2025 [1]. That's up from 78 in 2024, meaning the problem is growing.
The Big Shift: Hackers Changed Targets
Here's what's really important for business owners: hackers have shifted targets.
Old pattern (before 2025): Hackers mostly focused on web browsers (Chrome, Safari, Firefox) as the way into computers.
New pattern (2025): Hackers now focus on business equipment:
- Firewalls (the security guards for your internet connection)
- Routers (the traffic directors for your network)
- VPN systems (how employees connect remotely)
Google found that 48% of all zero-day attacks in 2025 targeted business systems — the highest level ever recorded [1]. Meanwhile, attacks on browsers dropped to less than 10%.
What this means for you: The equipment you bought to protect your business (firewalls, security appliances) is now the primary target. The assumption that "browsers are the weak point" is outdated.
Related: Cisco Just Patched 48 Firewall Flaws — Including 2 Perfect 10s
Why Business Equipment Is Targeted
Think about it from a hacker's perspective:
Web browsers:
- Get updated frequently (Chrome updates every 2-4 weeks)
- Have strong security built in
- Run on each person's computer, where security software can watch them
- If hacked, only affect one computer
Business firewalls and routers:
- Often run for years without updates
- Have limited security monitoring (often can't run antivirus software)
- Sit at the edge of your network — if hacked, give access to everything
- Affect the entire business if compromised
Google points out that limited visibility on these devices is a recurring problem [1] — meaning security teams often can't see what's happening on them until it's too late.
The 1% Rule: Don't Try to Fix Everything
Here's something that might surprise you: across all software companies, there were over 20,000 security issues discovered in 2025 [2].
But Google tracked only 90 that hackers actually used.
This is the 1% Rule: focus on the 1% of problems that are being exploited, ignore the 99% that are theoretical.
Smart businesses don't try to patch everything. They:
- Subscribe to alerts from the US cybersecurity agency (CISA) about which vulnerabilities hackers are actually using
- Prioritise those for immediate patching
- Handle the rest during regular maintenance, not as emergencies
Related: Stop Patching Everything: The 1% Rule That Keeps SMBs Secure Without Burning Out
The Vendor Reality: Cisco, Fortinet, and Others
Google's report specifically mentions that Cisco and Fortinet — two very common business equipment vendors — were frequent targets [1].
This doesn't mean their products are bad. It means:
- They're widely used (lots of businesses have them)
- Hackers focus on popular targets (more potential victims)
- When flaws are found, hackers exploit them quickly
If your business uses Cisco or Fortinet equipment (and many do), the solution isn't to panic and replace everything. The solution is:
- Keep them updated — Install security patches promptly
- Monitor them — Watch for unusual activity
- Protect them — Put them behind additional security layers
Think of it like car safety: just because some car models have had recalls doesn't mean you stop driving. You just stay informed and get the fixes when they're available.
What AI Means for Zero-Days (Future Warning)
Google warns that artificial intelligence will make this problem worse by:
- Finding holes faster — AI can test software automatically and find vulnerabilities quicker than human researchers
- Building attacks faster — AI can create code to exploit vulnerabilities as soon as they're discovered
- Automating everything — What used to take skilled hackers months can now be done in days by AI tools
But AI also helps defenders:
- Finding holes first — AI can discover vulnerabilities before hackers do, giving software makers time to fix them
- Detecting attacks — AI can spot attack patterns even when the specific vulnerability is unknown
- Responding faster — AI can automatically isolate systems and limit damage when attacks occur
The message for businesses: AI-powered security is becoming essential, not optional. The cost of AI security tools is falling, and they're increasingly the only way to keep up with AI-powered attackers.
The Practical Protection Plan
You can't fix zero-days directly (by definition, they're secret and unpatched). But you CAN protect your business:
1. Reduce the Attack Surface (Close Unnecessary Doors)
If a vulnerability exists but can't be reached, it can't be exploited.
What to do:
- Turn off features you don't use on your firewall and router
- Disable remote management from the internet (only allow management from inside your network)
- Separate guest WiFi from business systems (compromised guest devices shouldn't reach business data)
Real impact: The US cybersecurity agency CISA found that over 60% of exploited vulnerabilities in business equipment are reached via exposed management interfaces [2]. Simply closing these interfaces prevents the majority of attacks.
2. Assume Breach, Focus on Detection
Since some zero-days will inevitably be used, focus on catching the attack early.
What to do:
- Monitor network traffic for unusual patterns (large data transfers at odd hours, connections to unknown servers)
- Install EDR (Endpoint Detection and Response) on computers that manage your business equipment
- Keep logs and review them regularly for suspicious activity
Why this works: You can't stop every zero-day, but you can detect when something's wrong and respond before major damage occurs.
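The two traffic patterns named in the list above, large transfers at odd hours and connections to servers you have never used, are simple enough to check with a script over an export from your firewall or flow collector. The following is an added example, not from the article or any product: the flow lines, the known-destination ranges, the "odd hours" definition and the byte thresholds are all constructed assumptions that you would replace with your own baseline.

```python
"""Flag large off-hours transfers, unknown destinations and excessive daily egress.
Illustrative detection logic over constructed flow records; the field layout
(timestamp,src_ip,dst_ip,dst_port,bytes_out) is an assumption, not any vendor's format."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample export. Documentation ranges (203.0.113.0/24 etc.) stand in for real hosts.
SAMPLE_FLOWS = """\
2026-03-02T10:15:00,192.168.10.21,203.0.113.10,443,120000
2026-03-02T11:02:00,192.168.10.21,203.0.113.10,443,98000
2026-03-02T02:40:00,192.168.10.33,198.51.100.77,443,5200000000
2026-03-02T02:41:00,192.168.10.33,198.51.100.77,443,4800000000
2026-03-02T14:05:00,192.168.10.40,203.0.113.25,22,15000
2026-03-02T23:55:00,192.168.10.5,192.0.2.200,8443,700000000
"""

KNOWN_DESTINATIONS = [ip_network("203.0.113.0/24")]   # assumed: SaaS/partner ranges you already use
INTERNAL = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]
ODD_HOURS = (range(22, 24), range(0, 6))             # assumed: 22:00-05:59 is outside business hours
LARGE_TRANSFER_BYTES = 500_000_000                   # 500 MB in a single flow; tune to your baseline
DAILY_EGRESS_BYTES = 5_000_000_000                   # 5 GB per source per day


def parse_flows(text: str) -> list[dict]:
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "port": int(port), "bytes": int(nbytes)})
    return rows


def is_odd_hour(ts: datetime) -> bool:
    return any(ts.hour in r for r in ODD_HOURS)


def is_known(dst: str) -> bool:
    ip = ip_address(dst)
    return any(ip in net for net in KNOWN_DESTINATIONS + INTERNAL)


def detect(rows: list[dict]) -> list[tuple]:
    """Return (rule, source, detail, value) tuples for every flow that trips a rule."""
    alerts = []
    egress = defaultdict(int)     # (src, day) -> bytes out
    seen_pairs = set()            # report each unknown (src, dst) pair once
    for r in rows:
        if r["bytes"] >= LARGE_TRANSFER_BYTES and is_odd_hour(r["ts"]):
            alerts.append(("large-transfer-odd-hours", r["src"], r["dst"], r["bytes"]))
        if not is_known(r["dst"]) and (r["src"], r["dst"]) not in seen_pairs:
            seen_pairs.add((r["src"], r["dst"]))
            alerts.append(("unknown-destination", r["src"], r["dst"], r["port"]))
        egress[(r["src"], r["ts"].date())] += r["bytes"]
    for (src, day), total in egress.items():
        if total >= DAILY_EGRESS_BYTES:
            alerts.append(("daily-egress-exceeded", src, day.isoformat(), total))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(SAMPLE_FLOWS)):
        print(*alert)
```

The per-source daily total is the rule that catches slow exfiltration: neither of the two 02:40 flows alone might stand out on a busy network, but 10 GB from one workstation in a day does. Start with generous thresholds, review the alerts for a fortnight, then tighten.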
3. Patch Smart, Not Hard
When patches become available, focus on the ones that matter:
Priority system:
- Urgent (patch within 48 hours) — Vulnerabilities that CISA confirms are being actively exploited by hackers
- Important (patch within 30 days) — Critical vulnerabilities from equipment vendors
- Routine (patch when convenient) — Everything else, during scheduled maintenance
This approach ensures limited time and resources go to real threats, not theoretical ones.
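The 1% Rule and the three-tier priority system above reduce to one question per device: is it on CISA's Known Exploited Vulnerabilities list, does its vendor have a critical advisory out, or neither? The following is an added example, not the article's or CISA's code: the record fields match the public KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), but the entries below are constructed with placeholder IDs that are not real CVEs, and the device inventory and vendor advisory list are assumptions standing in for your own.

```python
"""Cross-reference a device inventory against KEV and vendor advisories,
then assign the page's tiers: Urgent (48 h), Important (30 days), Routine."""
from __future__ import annotations

import json
from datetime import date, timedelta

TODAY = date(2026, 3, 2)  # constructed reference date for the sample run

# Constructed excerpt in the shape of CISA's KEV feed. Placeholder IDs, not real CVEs.
KEV_SAMPLE = json.loads("""{
 "vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "Fortinet", "product": "FortiOS",
   "dateAdded": "2026-03-01", "dueDate": "2026-03-22", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "vendorProject": "Cisco", "product": "Adaptive Security Appliance (ASA)",
   "dateAdded": "2026-02-20", "dueDate": "2026-03-13", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "Widget Server",
   "dateAdded": "2026-02-25", "dueDate": "2026-03-18", "knownRansomwareCampaignUse": "Unknown"}
 ]}""")

# Step 1 of "What You Can Do This Week": your inventory. Assumed content.
INVENTORY = [
    {"asset": "HQ firewall", "vendor": "Fortinet", "product": "FortiOS", "last_patched": "2025-11-10"},
    {"asset": "Branch VPN", "vendor": "Cisco", "product": "Adaptive Security Appliance (ASA)", "last_patched": "2025-12-01"},
    {"asset": "Branch router", "vendor": "ExampleNet", "product": "Edge Router OS", "last_patched": "2025-09-15"},
    {"asset": "Wi-Fi controller", "vendor": "ExampleNet", "product": "AP Controller", "last_patched": "2026-01-20"},
]

# Assumed: advisories copied from vendors' own security pages, with placeholder IDs.
ADVISORIES = [
    {"id": "VENDOR-ADV-0001", "vendor": "ExampleNet", "product": "Edge Router OS", "severity": "Critical"},
    {"id": "VENDOR-ADV-0002", "vendor": "ExampleNet", "product": "AP Controller", "severity": "Medium"},
]


def _matches(asset: dict, vendor: str, product: str) -> bool:
    """Vendor must match exactly; KEV product strings vary, so match on substring."""
    return asset["vendor"].lower() == vendor.lower() and asset["product"].lower() in product.lower()


def relevant_kev(inventory: list[dict], kev_entries: list[dict]) -> list[dict]:
    """The '1%': KEV entries that touch equipment you actually run."""
    return [v for v in kev_entries
            if any(_matches(a, v["vendorProject"], v["product"]) for a in inventory)]


def build_worklist(inventory, kev_entries, advisories, today: date) -> list[dict]:
    """One row per asset with the page's tier, a concrete deadline and the reason."""
    rows = []
    for asset in inventory:
        hits = [v for v in kev_entries if _matches(asset, v["vendorProject"], v["product"])]
        crit = [a for a in advisories
                if a["severity"] == "Critical" and _matches(asset, a["vendor"], a["product"])]
        if hits:
            tier, deadline = "Urgent", (today + timedelta(days=2)).isoformat()
            reason = "KEV: " + ", ".join(
                v["cveID"] + (" (ransomware use known)" if v["knownRansomwareCampaignUse"] == "Known" else "")
                for v in hits)
        elif crit:
            tier, deadline = "Important", (today + timedelta(days=30)).isoformat()
            reason = "Critical vendor advisory: " + ", ".join(a["id"] for a in crit)
        else:
            tier, deadline = "Routine", "next maintenance window"
            reason = "no known exploitation"
        rows.append({"asset": asset["asset"], "tier": tier, "deadline": deadline, "reason": reason})
    order = {"Urgent": 0, "Important": 1, "Routine": 2}
    return sorted(rows, key=lambda r: order[r["tier"]])


if __name__ == "__main__":
    for row in build_worklist(INVENTORY, KEV_SAMPLE["vulnerabilities"], ADVISORIES, TODAY):
        print(f'{row["tier"]:<10} {row["deadline"]:<24} {row["asset"]:<18} {row["reason"]}')
```

Swap the embedded sample for the live feed and re-run it whenever CISA adds entries; the output is the week's patch list in priority order, and anything not on it waits for scheduled maintenance, which is the whole point of the rule.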
4. Choose Vendors Wisely
When buying business equipment:
Ask vendors:
- "How quickly do you patch security issues?"
- "How do you notify customers about vulnerabilities?"
- "What security features are built in?"
Research vendors:
- Check their security track record
- Look for transparent security practices
- Avoid vendors with histories of slow patching or hiding problems
The Business Case: Why This Matters for Your Bottom Line
Zero-day protection isn't just security — it's business resilience. Consider:
- Customer trust — Businesses that demonstrate proactive security win more customers
- Insurance costs — Cybersecurity insurance premiums are lower for well-protected businesses
- Regulatory compliance — Laws like GDPR require "appropriate" security measures, and zero-day defense is increasingly considered mandatory
- Supply chain requirements — Larger customers are starting to require vendors to meet security standards
According to industry research, by 2026, 75% of organisations will treat zero-day protection as a board-level issue [3] — meaning it's discussed by company leadership, not just left to IT.
For small businesses, this is actually an advantage: you can move faster than big companies. Implementing smart security practices is easier with 50 systems than 50,000. Use that agility.
The Reality Check: This Is Happening Now
The 90 zero-days Google tracked in 2025 aren't theoretical. They were used against real businesses: hospitals, hotels, manufacturers, professional services.
The Sileno ransomware attack we discussed earlier (22.9 TB encrypted in 14 hours) likely involved exploitation of one or more vulnerabilities in their systems [4].
This isn't science fiction. It's happening today, to businesses like yours.
What You Can Do This Week
Based on Google's report and current threat landscape, here's your immediate checklist:
- Inventory your business equipment — Make a list of every firewall, router, VPN device, and wireless access point. Include model, firmware version, and last patch date.
- Check for exposed management — Ensure device management interfaces aren't accessible from the internet. If they are, work with your IT person to close that access.
- Subscribe to alerts — Sign up for CISA's Known Exploited Vulnerabilities mailing list. These are the vulnerabilities hackers are actually using.
- Review vendor advisories — If you use Cisco, Fortinet, or other major vendors, check their security advisory pages for recent announcements.
- Plan your patching — Create a simple system: urgent patches within 48 hours, important patches within 30 days, routine updates during scheduled maintenance.
FAQ
What is the difference between a vulnerability and a zero-day? All zero-days are vulnerabilities, but not all vulnerabilities are zero-days.
- Vulnerability — A security weakness in software. The software maker may know about it and have a fix available.
- Zero-day — A vulnerability that is secret (unknown to the software maker) and has no fix yet.
Think of it like health:
- Vulnerability — A known risk (like smoking). Your doctor can give you advice to address it.
- Zero-day — A new, unknown disease. No treatments exist yet because doctors haven't seen it before.
How can I protect against a zero-day if there is no patch? Since you can't patch what you don't know about, protection focuses on making attacks harder and limiting damage:
- Reduce attack surface — Turn off unnecessary features, close exposed management interfaces, and segment networks so compromised devices can't reach everything
- Detect compromises early — Monitor network traffic, watch for unusual activity, and have systems that alert you when something's wrong
- Limit blast radius — Use network segmentation so even if one device is compromised, the damage doesn't spread
It's like securing a building: you can't guarantee no burglars will ever try to break in, but you can make it harder for them to succeed and limit how much they can steal if they do.
How many zero-days were exploited in 2025? Google's Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in 2025 [1]. This is up from 78 in 2024, representing a "stabilised range" of activity according to Google.
The breakdown:
- 48% targeted enterprise systems (firewalls, routers, business software) — highest ever
- 44% targeted operating systems (Windows, macOS, Android, iOS)
- Less than 10% targeted browsers — continuing decline
The shift from browsers to enterprise systems reflects the reality that browsers have gotten much harder to exploit, while business equipment often runs neglected and unmonitored.
Are Cisco and Fortinet products less secure than others? No. Google identifies them as frequently targeted because they're widely used, not because they're uniquely bad [1]. Cisco and Fortinet have enormous market share. More deployments means:
- More hackers focusing on them (more potential victims)
- More zero-days discovered simply because there are more targets
The practical approach:
- Don't abandon proven vendors — Switching to obscure products doesn't guarantee safety (they may have undiscovered vulnerabilities and less testing)
- Deploy additional controls — If you use Cisco or Fortinet, layer on extra security: monitoring, segmentation, and rapid patching
- Stay informed — Subscribe to vendor security advisories and respond quickly when they announce issues
It's like car safety: some car models have had recalls, but that doesn't mean you stop driving. You just stay informed and get the fixes.
What is CISA, and why does its catalog matter? CISA is the Cybersecurity & Infrastructure Security Agency — the US government's cybersecurity agency. Their Known Exploited Vulnerabilities Catalog is a list of security holes that hackers are actively using in the wild [2].
Why it matters:
- CISA focuses on real threats, not theoretical ones
- Their catalog tells you exactly what hackers are exploiting right now
- For many US government agencies and contractors, CISA-listed vulnerabilities must be patched by specific deadlines
For small businesses, CISA's catalog is a free prioritization tool: instead of trying to figure out which of 20,000 CVEs to worry about, just focus on the ~100-200 on CISA's list at any given time.
References
[1] Google Threat Intelligence Group, "Zero-Day Vulnerability Analysis 2025," Google, 2026. [Online]. Available: https://securitybrief.com.au/story/google-warns-of-surge-in-enterprise-zero-day-attacks
[2] CISA Known Exploited Vulnerabilities Catalog, "Known Exploited Vulnerabilities Catalog," Cybersecurity & Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[3] Gartner, "Zero-Day Vulnerability Management: A Board-Level Risk," Gartner, 2025. [Online]. Available: https://www.gartner.com/zero-day-board-risk
[4] Cybersecurity News Everyday, "Ransom! Sileno Companies Inc (MAR-2026)," Hendry Adrian, 2026. [Online]. Available: https://www.hendryadrian.com/ransom-sileno-companies-inc-mar-2026/
Zero-day protection sounds technical, but it's really about smart prioritization and layered defense. lilMONSTER helps small businesses build practical protection against the threats that actually matter — without overwhelming you with technical complexity. We assess your systems, focus on the 1% of vulnerabilities that matter, and build defense-in-depth that keeps you secure. Book a free consultation at consult.lil.business — let's make sure your business is protected against 2026's threats.