If your business uses Microsoft 365, Google Workspace or other cloud apps every day, it is easy to assume your data is already safe. After all, it is “in the cloud”, so surely it is backed up somewhere too.
That is where a lot of businesses get caught out.
Cloud platforms are excellent for accessibility, collaboration and uptime. They let you work from anywhere, keep teams connected and reduce the need for on-site infrastructure. But availability is not the same as backup. In simple terms, your cloud provider makes sure the service is running. That does not always mean they are keeping a separate, restorable, long-term copy of your data in the way your business actually needs. Microsoft’s own documentation points businesses toward retention and deletion controls, while cloud security guidance still puts plenty of responsibility on the customer side.
That difference matters more than ever in the UK. The Cyber Security Breaches Survey 2025 found that 43% of UK businesses identified a cyber breach or attack in the previous 12 months, and the figure stayed much higher for medium and large organisations. Phishing remained the most common attack type.
What cloud-to-cloud backup actually means
Cloud-to-cloud backup is exactly what it sounds like: creating an independent backup copy of your SaaS data from one cloud environment into another secure backup environment.
So, if your team uses Microsoft 365, a cloud-to-cloud backup solution can back up Exchange Online mailboxes, OneDrive files, SharePoint data and Teams-related content. If you use Google Workspace, it can back up Gmail, Drive and other core business data. The key point is that the backup sits outside the live production platform, giving you another recovery option if something goes wrong.
That is very different from relying on recycle bins, short retention windows or the hope that a deleted file can still be recovered by an admin.
Why “in the cloud” is not the same as “backed up”
A lot of businesses only discover the gap when they need to restore something quickly and realise the options are limited.
Here are the most common reasons.
1. Accidental deletion still happens
People delete the wrong folder. Someone removes a user account too early. A mailbox gets purged during offboarding. A sync issue overwrites good data with bad data.
Cloud platforms do include recovery features, but they are not unlimited. For example, Microsoft documents 93-day retention in SharePoint and OneDrive recycle bins, while Exchange Online deleted item retention is 14 days by default and can be configured up to 30 days. Google documents a 25-day admin recovery window for deleted Drive items and up to 20 days to restore a deleted user account and its data.
If you miss those windows, or if data was overwritten rather than simply deleted, recovery can become far harder.
2. Ransomware and compromised accounts can spread damage fast
If a compromised account encrypts, deletes or corrupts data, the damage can sync across your live environment very quickly. That is one reason backup still matters in cloud-first businesses. The NCSC’s guidance is clear that you should make sure at least one backup remains unaffected by an incident, and offline or otherwise protected backup copies play an important role in recovery planning.
A proper cloud-to-cloud backup gives you clean restore points, so you are not forced to rely on whatever the production platform still happens to have available.
3. Retention is not the same as backup
Retention policies are useful. So are legal holds and eDiscovery tools. But they serve different purposes.
Microsoft says retention policies and labels are there for data lifecycle management. Google Vault is designed to retain, search and export organisational data for retention and eDiscovery needs. That is helpful for governance and compliance, but it is not the same as having a fast, granular backup built for operational recovery.
If a director asks, “Can we restore this mailbox to how it looked last Tuesday at 9am?”, retention tools are not always the easiest or fastest answer.
4. Insider mistakes and leavers create real risk
Not every data loss event comes from a cyber criminal. Sometimes the problem is rushed offboarding, poor permissions, bad process or someone leaving with access they should not have had.
If a user is deleted and no one spots the issue in time, native recovery limits start ticking down immediately. That is why backup should sit inside your wider security services strategy, not outside it.
5. SaaS platforms protect the service, not every business scenario
Cloud providers are responsible for keeping their platforms available and resilient, but customer responsibility does not disappear in SaaS. Microsoft’s shared responsibility model makes that clear. Your business still needs to think about data protection, access control, recovery objectives and what happens when a real-life incident does not fit neatly inside a default recovery window.
That is where planning matters. It is also why many businesses combine Cloud Services / Office 365, Migrations (Platform to Platform) and day-to-day IT Support and Management with dedicated backup and recovery thinking.
What a good cloud-to-cloud backup solution should give you
If you are reviewing your setup, look for something practical rather than flashy.
You want:
- automated backups running on a defined schedule
- point-in-time recovery
- granular restore options for single emails, files, folders or full accounts
- independent storage outside the live platform
- protection against deletion during user offboarding
- clear retention settings that match your business needs
- reporting that shows backup success, failure and recovery status
- support from people who can actually help when something goes wrong
In other words, backup should help you recover quickly, not create another admin headache.
Why this matters for smaller UK businesses too
There is still a myth that backup planning is something only big enterprises need. In reality, smaller businesses often feel the impact more sharply because they have less spare capacity to absorb disruption.
The Cyber Security Breaches Survey 2025 also found that small businesses improved their cyber hygiene in several areas, including risk assessments, cyber insurance, policies and business continuity planning. That is a good sign, but it also shows businesses are recognising that resilience needs structure.
A backup plan is part of that structure. Without one, a single deletion, compromised user or failed offboarding process can cause days of disruption, lost billable time and unnecessary stress.
Backup works best when it is part of a wider IT plan
Cloud-to-cloud backup should not sit in isolation. It works best when it is tied into your wider IT environment, your user lifecycle, your security posture and your recovery plan.
That could mean reviewing permissions through Consulting, improving resilience with Penetration Testing, tightening account protection through Security Services, or making sure your cloud environment is properly configured through Northern Star’s cloud support. If you operate across multiple offices, it should also align with your wider Global Support and International Projects setup and your overall business IT strategy.
The goal is simple: when something breaks, gets deleted or gets compromised, you can restore what you need without panic.
The bottom line
“In the cloud” is about where your data lives. “Backed up” is about whether you can recover properly.
They are not the same thing.
If your business relies on Microsoft 365, Google Workspace or other SaaS platforms every day, cloud-to-cloud backup is not an optional extra. It is part of running a sensible, resilient IT environment. Native retention and recovery tools have their place, but they are not a complete backup strategy on their own.
If you want to superpower your IT rather than gamble on default settings, it is worth reviewing your current setup, your recovery windows and what would actually happen if you lost critical cloud data tomorrow.
Speak to Northern Star to review your cloud environment, strengthen your recovery planning and make sure your backup strategy is doing what you think it is. You can also explore more guidance in their Latest News, learn more about their approach to support, or get to know the team behind the service.
FAQs
Is Microsoft 365 or Google Workspace backed up by default?
Not in the way most businesses mean by “backup”. These platforms include native retention, recycle bin and recovery features, but those are not always designed to give you independent, long-term, granular backup copies for every recovery scenario.
What is the difference between retention and backup?
Retention is mainly about keeping data for governance, compliance or lifecycle purposes. Backup is about being able to restore data quickly and reliably after deletion, corruption, ransomware or operational mistakes. They overlap a bit, but they are not the same thing.
Can’t we just use recycle bins and deleted item recovery?
You can use them, and you should know how they work, but they are time-limited. Once those recovery windows expire, your options narrow quickly. That is why businesses that rely heavily on SaaS platforms often add cloud-to-cloud backup as an extra protection layer.
Is cloud-to-cloud backup only for larger businesses?
No. In many cases, smaller businesses feel data loss more sharply because they have fewer internal resources to recover from it. If your team depends on cloud email, files and collaboration tools every day, backup matters whatever your headcount.
Does cloud-to-cloud backup help with ransomware?
It can help significantly as part of a wider recovery plan. A protected backup copy gives you a cleaner route to restore data if live systems or synced files have been encrypted, corrupted or deleted. The NCSC recommends making sure at least one backup is unaffected by an incident.
