Skip to main content

New eBook: Security Service Edge (SSE) for dummies. Click here to download the eBook now.

Protecting Microsoft 365 data in-line with NCSC


In the digital age, data is the lifeblood of any organisation. It fuels business processes, decision- making, and customer engagement. With the rise of cloud computing, solutions like Microsoft 365 (M365) have become an integral part of daily operations in businesses around the globe. This paper examines the criticality and sensitivity of M365 data, the limitations of its native protection features, and how Acronis backup solutions help meet the essential recommendations provided by the National Cyber Security Centre (NCSC) of the UK.

The criticality and sensitivity of Microsoft 365 data

Microsoft 365, formerly known as Office 365, is a suite of cloud-based productivity and collaboration tools, including Outlook, Word, Excel, PowerPoint, and Teams. These tools process and store a wealth of valuable data, from confidential emails and detailed reports to strategic plans and personal customer information. The loss or compromise of such data could have severe consequences, including operational disruption, loss of customer trust, reputational damage, and regulatory penalties.

Despite the undeniable importance of this data, many organisations have misconceptions about the level of data protection offered by M365. While Microsoft provides a robust infrastructure and a variety of security features, it does not guarantee comprehensive data protection or offer an extensive backup solution. This is largely due to the ‘shared responsibility’ model that underpins cloud computing.

Shared Responsibility Model

In cloud computing, the shared responsibility model defines the roles and responsibilities of cloud service providers (CSPs) and their customers concerning security and compliance. In the case of M365, Microsoft, as the CSP, is responsible for securing the underlying infrastructure that supports the cloud services, known as ‘security of the cloud.’ This includes tasks like ensuring physical security of data centres, maintaining server infrastructure, and protecting the software that runs the cloud services.

On the other hand, customers are responsible for protecting their data within the cloud services, referred to as ‘security in the cloud.’ This includes safeguarding user accounts, managing data access permissions, and, crucially, protecting data through backup and recovery measures.

Microsofts Terms and Conditions

Microsoft’s Services Agreement makes it clear that while they ensure the availability of their services, they do not specialise in data protection. They provide some native protection features, such as Recycle Bin for deleted items and versioning for SharePoint and OneDrive, but these measures have limitations, including finite retention periods and limited recovery options, especially for deleted items and users.

As a result, businesses that rely solely on M365’s native protection features may find themselves unable to recover essential data in the face of accidental deletion, malicious insider activity, ransomware attacks, or other threats. The native features are designed to protect against service failures, not user errors or malicious actions, and thus do not provide a comprehensive backup solution.

The inadequacy of M365’s native backup becomes even more apparent when considering the regulatory landscape. With laws like the European Union’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018, businesses are required to implement robust data protection measures, including regular data backups. Failing to meet these requirements could result in heavy penalties, not to mention the potential damage to a company’s reputation.

Given these realities, it is essential for businesses to supplement M365’s native protection with a robust third-party backup solution. This is where Acronis Backup for Microsoft 365 comes into play.

NCSC guidelines on data backup and protection

Recognising the importance of effective data backup and protection, the NCSC has issued guidelines to help businesses protect their valuable data. These guidelines include recommendations on data backup, understanding third-party protection measures, and legal responsibilities.

Data Backup

At the heart of the NCSC’s guidelines is the principle that organisations should regularly back up any data that is essential for their operations. This includes not only business data, but also configuration data required to operate systems. The guidelines also recommend following the ‘3-2-1’ rule, which suggests having at least three copies of important data, stored on two different types of media, with one copy stored offsite.

Microsoft 365 Backup

“Acronis Cyber Protect goes beyond business-grade backup and cloud storage by adding advanced security and device management features that are especiall useful now that so many businesses are supporting remote workers”

– Analyst, Business, PCMag

Understanding Third-party Protection Measures

The NCSC advises organisations to understand what measures they can take to protect their data and what assurances they need to seek from third parties. This includes considering where they are relying on others to protect their data, such as in cloud services, in their supply chain, or on staff’s personal devices.

Legal Responsibilities

The NCSC also emphasises the need for organisations to understand their legal responsibilities. The guidelines reference the GDPR security outcomes guidance, developed jointly by the Information Commissioner’s Office (ICO) and the NCSC. This guidance outlines a set of technical security outcomes considered appropriate for the protection of personal data under the Data Protection Act 2018.

Meeting NCSC Recommendations with Acronis Backup for Microsoft 365

Acronis Backup for M365 is a comprehensive solution that aligns with the NCSC’s guidelines and addresses the limitations of M365’s native protection features. It offers automated backups of M365 data to secure Acronis Cloud Storage, with flexible recovery options and advanced security measures.

Understanding Data Protection Responsibilities

Acronis takes its responsibilities as a third-party provider seriously. The company ensures the security of your data by storing it in data centres that adhere to rigorous industry standards, including ISO 27001 and ISO 9001. They provide clear information about their data protection practices and offer service-level agreements that provide concrete assurances about their commitment to safeguarding your data.

Compliance with Legal Responsibilities

The Acronis solution is designed with compliance in mind. It offers features that help organisations comply with data protection regulations like GDPR and the Data Protection Act 2018. These include the ability to define customisable retention policies, as well as data deletion and data export capabilities.

Backing Up Essential Data

Acronis Backup for M365 goes beyond the native backup features of M365, offering regular, automatic backups of M365 data, including emails, contacts, calendars, SharePoint sites, OneDrive for Business accounts, and Teams data. These backups are stored in secure Acronis Cloud Storage, separate from the M365 environment, ensuring that they are protected even in the event of a compromise of the M365 account.

Following the ‘3-2-1’ Rule

In line with the NCSC’s guidelines, Acronis Backup for M365 follows the ‘3-2-1’ rule, storing backups in multiple locations to ensure data availability even if one copy is compromised. By default, backups are stored in the secure Acronis Cloud, but customers can also choose to store backups on local storage or another cloud storage of their choice, providing flexibility in their backup strategy.

Ensuring Offline and Restricted Access Backup

Acronis Backup for M365 ensures that backups are kept separate from the network, reducing the risk of them being compromised in the event of a network attack. In addition, access to the backup data is strictly controlled, with role-based access control and multi-factor authentication options available to further secure the data.

Retaining Backups for an Extended Period

Acronis allows organisations to define their backup retention policies, providing the flexibility to retain backups for an extended period. This ensures that organisations can recover their data even if an issue is not detected immediately, addressing one of the key limitations of M365’s native protection features.

Testing Backup and Recovery

Acronis understands the importance of not just backing up data, but also ensuring that it can be restored effectively when needed. As such, they offer intuitive recovery options and encourage customers to regularly test their backups and restoration procedures.

Reducing the Risk of Re-infection

To help reduce the risk of re-infection when restoring data from backups, Acronis offers advanced security features, including built-in anti-malware protection. This feature scans files during the backup and recovery process, helping to ensure that any malicious files are detected and removed before they can cause harm.


In conclusion, to align with the NCSC recommendations and adequately protect your Microsoft 365 data based on the risks identified, it’s necessary to go beyond native protection. Acronis Backup for Microsoft 365 provides a robust, comprehensive backup solution that addresses the areas of risk and responsibility highlighted by the NCSC and Microsoft’s shared responsibility model. It ensures that organisations have the necessary protections in place to secure their M365 data, comply with regulatory requirements, and maintain business continuity.

Click here to get a 30-day free Acronis Trial