Essential Eight Backups: What "Regular and Tested" Actually Means

Regular backups of important data is the eighth Essential Eight control. The details — how often, stored where, retained for how long, and tested how — determine whether the control actually provides resilience in a ransomware incident.

By Ryan Balloot, Managing Director | 22 April 2024 | 2 min read

Backups are the last line of defence against ransomware. They are also the control where the gap between "we have backups" and "we have effective backups" is most significant. Many businesses discover the quality of their backup program only when they try to recover from an incident.

What the Essential Eight Requires

At Maturity Level One: important data, software, and configuration settings are backed up regularly. At Maturity Level Two: backups are synchronised to enable recovery to a specific point in time, unprivileged accounts cannot access backup storage, and backups are tested at least every three months. At Maturity Level Three: backup restoration is tested at least quarterly with results documented.

The Offline or Immutable Requirement

Ransomware attacks specifically target backups. If backup storage is accessible from the same network as production systems, it will be encrypted or deleted along with everything else. Effective backup resilience requires at least one copy stored in a location the production environment cannot write to: offline media, immutable cloud storage, or an isolated vault with no direct network path from production.

The 3-2-1 Rule

Three copies of data. On two different media types. With one copy stored offsite. For most Australian SMBs this translates to: local backup to NAS or external drive, cloud backup to immutable storage, and periodic offline media for critical data. Microsoft 365 backup is separate — Microsoft retains data for limited periods and is not a substitute for a business-controlled backup.
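The checks described so far (3-2-1, one copy production cannot write to, and restore tests at least every three months) can be run against a backup inventory. The sketch below is an added example, not IronSights tooling: the inventory records, field names and the 92-day reading of "three months" are assumptions, and only the listed entries count toward the three copies.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                          # constructed labels: "nas", "cloud", "tape"
    offsite: bool
    prod_writable: bool                 # True if production can alter or delete it
    last_restore_test: Optional[date]   # None means never test-restored

MAX_TEST_AGE_DAYS = 92  # assumption: "every three months" taken as 92 days

def audit(copies, today):
    """Return findings against the checks above; an empty list means pass."""
    findings = []
    if len(copies) < 3:
        findings.append(f"3-2-1: only {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        findings.append("3-2-1: fewer than 2 media types")
    if not any(c.offsite for c in copies):
        findings.append("3-2-1: no offsite copy")
    # Ransomware reaches whatever production can write to, so at least
    # one copy must be offline, immutable or otherwise isolated.
    if all(c.prod_writable for c in copies):
        findings.append("isolation: every copy is writable from production")
    for c in copies:
        if c.last_restore_test is None:
            findings.append(f"testing: {c.name} has never been test-restored")
        elif (today - c.last_restore_test).days > MAX_TEST_AGE_DAYS:
            age = (today - c.last_restore_test).days
            findings.append(f"testing: {c.name} last restored {age} days ago")
    return findings

TODAY = date(2024, 4, 22)  # constructed reference date
WEAK = [  # constructed inventory: two copies, both reachable from production
    Copy("nas-share", "nas", False, True, None),
    Copy("cloud-sync", "cloud", True, True, date(2023, 9, 1)),
]
STRONG = [  # constructed inventory matching the SMB layout described above
    Copy("nas-local", "nas", False, True, date(2024, 3, 1)),
    Copy("cloud-immutable", "cloud", True, False, date(2024, 2, 10)),
    Copy("offline-tape", "tape", True, False, date(2024, 1, 25)),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit(inventory, TODAY) or "all checks passed")
```

The weak inventory shows the "we have backups" case: copies exist, but none would survive a production compromise and no restore test is recent.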

Does Microsoft 365 back up our data?

Microsoft operates a highly resilient infrastructure but this is not the same as a business backup. Accidental deletion, malicious deletion by a compromised account, and ransomware can all result in data loss that Microsoft's infrastructure does not protect against. A third-party Microsoft 365 backup solution — Veeam, Acronis, or similar — that creates a separate, business-controlled copy of Exchange, SharePoint, and Teams data is required for comprehensive backup coverage.
