Who Takes the Lead on Backup and Disaster Recovery?

For years, businesses have relied on managed service providers (MSPs) to protect their on-premises data. Now, as SaaS solutions like Microsoft Office 365, Salesforce.com, and Google G Suite gain popularity, most companies assume their SaaS providers take the same responsibility for data in the cloud. But they don’t— and that misconception can leave critical data at risk. Of course, if something does go wrong, it’s the MSP who’ll most likely take the blame anyway. To ensure the best results for their customers, and avoid unproductive finger-pointing after the fact, MSPs need to take the lead on backup and recovery for SaaS data just as they do for data stored on-premises. After all, when customers lose data, nobody wins.

Removing the misconception

The economic benefits of SaaS are especially compelling for small businesses. For a big company, a more flexible and efficient cost model is a good way to improve the balance sheet. For a smaller one, it can be a financial lifeline. Instead of allocating scarce resources to in-house infrastructure and IT staff, they can let a SaaS provider handle the back end at a fixed monthly cost. In fact, the factors that lead SMBs to work with SaaS providers have a lot in common with their reasons for relying on MSPs.

However, as small and midsize businesses move to the cloud, they don't always fully understand the implications of this shift for their data. Before the transition, they relied on their MSP to provide backup and recovery for their on-premises data. In moving their data to the cloud, they might assume that this responsibility will shift along with it, from their MSP to Microsoft, Salesforce, Google, and whoever else delivers their SaaS services. But that's simply not the case.

While some SaaS solutions do provide rudimentary capabilities for data recovery, such as the recycle bins and file version histories in Office 365, that’s far from a comprehensive native backup and recovery service. If data goes missing—a CEO accidentally deletes a crucial email, a disgruntled former employee maliciously deletes a critical directory on OneDrive or Google Drive, a hacker locks down business-critical data with ransomware—the company is on their own to try to get it back. And they quickly find this to be a costly and time-consuming effort with no guarantee of success.

Microsoft and other SaaS providers don’t exactly hide their abdication of responsibility for backup and recovery. They make sure data loss is not incurred due to infrastructure failures. However, their Service Level Agreements make clear that it’s up to customers to protect their own data from user errors, security threats, and data corruption.  But one way or another, the message isn’t getting through; according to Shred-it, only 34% of small businesses have policies in place for storing and disposing of confidential data. Furthermore, half of C-Suites say human error or accidental loss by an insider cause a data breach. In the lack of a regular data backup and recovery plan in place, companies are exposed to a major data loss or even more concerning, vulnerable to a ransomware attack. For smaller companies, the resulting damage from these to customer relationships, market credibility, and business continuity can be too much to survive.

The many perils facing SaaS data

These are dangerous times to leave data at risk. A recent Cybercrime Survey from PwC found that seven out of 10 companies had been hit by a cyberattack during the preceding 12 months—with an average data recovery cost of $150,000. Today’s cyberthreats come in more forms than ever, including:

And hackers aren't the only ones posing a danger to data. Companies have just as much to worry about inside their own organizations. As SaaS gives users greater control over the data within an application, it becomes far more difficult for IT and security teams to maintain protection. Similarly, the complexity of SaaS architecture increases the likelihood of security gaps and misconfigurations. All it takes is one malicious insider—a disgruntled, corrupt, or simply mischievous employee—to wreak havoc.

Even well-intentioned but negligent employees can do considerable harm. In fact, such individuals cause the most damage of all: according to the Shredit Report, the lack of training and human error are major contributors to data risk, with 51% of small business owners in the United States identifying employee negligence as their biggest information risk.

Put simply, SMBs who lack third-party backup and recovery for their SaaS data are on thin ice. And when it breaks, they’re all too likely to point their fingers in the wrong direction.