Your client’s five years of tax files, engagement letters, and financial records are in Microsoft 365. You’re paying Microsoft every month. Surely they’re backing it all up — right?
Wrong. And this misconception is quietly putting Philadelphia accounting firms at serious risk every single day.
Microsoft operates under what they call a “Shared Responsibility Model.” They keep their servers running and their infrastructure secure. But your actual data — the emails, the SharePoint files, the OneDrive documents — that’s your responsibility to protect. Microsoft says so explicitly in their Terms of Service. Most small and mid-size CPA firms have never read that paragraph, and their IT setups reflect it.
WHAT MICROSOFT 365 ACTUALLY COVERS (AND WHAT IT DOESN’T)
Microsoft does offer some data retention built into M365 — the Recycle Bin, deleted item recovery, and retention policies. But these aren’t backups. Here’s what they don’t protect you from:
– Ransomware that syncs to OneDrive. When ransomware encrypts files on a workstation, OneDrive dutifully syncs the encrypted versions to the cloud — overwriting the good copies.
– Accidental mass deletion. A departing employee, an admin error, or a badly configured automation can wipe shared drives in seconds.
– Malicious insiders. A disgruntled staff member with the right permissions can permanently delete client files.
– Teams chat data. Teams messages are stored in Exchange mailboxes, but restoring them back into the Teams interface cleanly is notoriously difficult.
– Account deletion. When you offboard an employee and delete their M365 account, their data has a grace period — but miss that window and it’s gone permanently.
WHY THIS MATTERS MORE FOR CPA FIRMS
Accounting firms in Philadelphia and throughout the Delaware Valley sit on some of the most sensitive data in existence — Social Security numbers, tax returns, business financials, payroll records. That data has value to criminals and carries enormous obligations under IRS Publication 4557 (Safeguarding Taxpayer Data) and state-level privacy regulations.
“The fact that your data is in the cloud doesn’t mean it’s backed up. It means it’s stored somewhere else. Those are very different things.”
WHAT A REAL BACKUP SOLUTION FOR M365 LOOKS LIKE
A proper Microsoft 365 backup solution runs independently of Microsoft’s infrastructure and captures:
– Exchange Online email — full backup with point-in-time restore
– SharePoint and OneDrive — file-level backups with version history that actually works
– Teams data — channels, chats, and files backed up and restorable cleanly
– Contacts and Calendars — often overlooked until they’re gone
At Abuzz, we use Dropsuite for Microsoft 365 backup — it runs automated backups multiple times per day, stores data independently of Microsoft’s infrastructure, and lets us restore individual items or entire accounts in minutes. For a typical 10-person accounting firm, the cost is well under $100 per month.
THE AUDIT QUESTION TO ASK YOUR IT PROVIDER
Ask your IT provider: “Show me a test restore from our Microsoft 365 backup from last week.” If they hesitate, change the subject, or tell you Microsoft handles it — you have a gap that needs to be closed.
A backup that has never been tested is not a backup. It’s a hope.
