Cloud services are sold on the promise of instant access and not having to worry about any of the back-end concerns such as hosting and storage.
But with that ease of access comes a dangerous risk of cloud complacency.

68% of respondents in an IDG survey on cloud data said they were extremely or very confident that their data could be restored by their SaaS providers.

However, the reality is very different.

Put bluntly, it’s your data and your responsibility

This isn’t to criticise the cloud providers — understanding the shared responsibility model is critical for businesses using SaaS applications. SaaS providers are responsible for application uptime and infrastructure resilience. Data protection, however, is the customer’s responsibility.

As such, placing all your trust in a cloud provider to protect your data is an unacceptable risk. European companies need to ensure adequate backup and recovery options are in place for their data as a core part of their business continuity planning.

If keeping the business operational wasn’t enough of a motivation, it’s now also a requirement for many companies as part of the NIS2 directive.

By the time you fix a data breach, it may already be too late

According to IBM’s Cost of a Data Breach 2025 report, it takes an average of 241 days to identify and contain a breach. If your data is deleted or subject to ransomware, and you’re relying solely on a cloud provider’s backup, it may already be too late to recover your data.

Microsoft also reported an 87% increase in cyberthreat campaigns targeting Azure in 2025, highlighting the urgency of the situation.

If a SharePoint library were damaged, the maximum the library can be rolled back to is 30 days. Items deleted from OneDrive can be recovered for up to 93 days, which still falls far short of a typical data breach rectification period.

The limited options for data recovery pose a real risk to any business.

Most data loss isn’t malicious – but it can still be damaging

While cyberthreats are a big risk for business data — particularly ransomware — the top risk for corporate data remains accidental deletion or overwrites, accounting for 43% of data loss.

Data loss is also a concern during disaster recovery. While Microsoft builds in redundancy to its Azure platform, its focus is on uptime not on data integrity. Microsoft itself explains: “Customer-managed unplanned failover usually involves some amount of data loss, and can also potentially introduce file and data inconsistencies. In your disaster recovery plan, it’s important to consider the impact that an account failover would have on your data before initiating one.”

It’s clear that having a failover is not enough. You need separate data backups too.

Lack of granular recovery makes recovery difficult

When dealing with targeted data loss rather than a total outage, recovery options are important. However, the standard options can lack the finesse needed to easily recover lost data.

That 30 day rollback for SharePoint libraries is simply a point-in-time restore. Any changes made since that date will be lost. For a library that is even moderately active, that would be an unfeasible route for most businesses and a measure of last resort.

Microsoft offers a paid backup plan, but even that is limited to one year of data and can’t currently offer restoration of individual items on SharePoint and OneDrive.

Busy businesses need greater control over their recovery options, as any delay can have a direct impact on their ability to operate.

An opportunity (and a risk) for MSPs

Your customers will undoubtedly have SaaS services, so it’s an opportunity to open a conversation about what systems they have, what backups they’re doing and their recovery strategy. Make sure they understand the model of SaaS and what that means for their data.

Navigating this area and providing the best options is where MSPs can provide their value.

But with data sprawl across multiple systems and locations in a customer’s business —potentially even in different jurisdictions — it also underlines the importance for your customers to understand where the MSP’s responsibility ends and theirs begins. That complacency over SaaS could equally extend to the MSP relationship in the belief that the MSP has it all in hand.

It underlines the need for customers to take ownership and understand that business continuity ultimately lies with them. As the MSP you can make it clear where the boundaries of the relationship are in the schedule of services.

But that’s also an opportunity to demonstrate exactly where you’re providing value. Competitors may be backing up and hoping for the best. But if you’re actively carrying out work like checking backups and running simulated recoveries, be sure to make it clear.

Don’t leave backups to chance

If the benefits of backup weren’t enough, Microsoft spells it out clearly as part of its services agreement: “We recommend that you regularly backup your content and data that you store on the services or store using third-party apps and services.”
Whether it’s your data or that of your clients, it’s vital to have confidence in your backups.