But this is where many SMEs are exposed without realising it.

Microsoft 365 is a very secure platform, but security and data protection still require proper configuration, backup, access control and monitoring. Microsoft secures the platform and infrastructure, but businesses are responsible for their data, users, devices and security configuration.

Understanding this difference is one of the most important aspects of cyber security for SMEs today.

Does Microsoft 365 Back Up Your Data?

Microsoft 365 includes retention and recycling features, and data is replicated across Microsoft data centres for availability. However, this is not the same as a full independent backup and disaster recovery solution.

Businesses are still responsible for ensuring their Microsoft 365 data is backed up and recoverable in the event of accidental deletion, ransomware, user account deletion, data corruption or security incidents.

Many businesses only discover this after something has already gone wrong. Files are deleted and go unnoticed for weeks, a user account is removed, and their OneDrive disappears, ransomware encrypts synced files, or SharePoint libraries are overwritten. In these situations, recovery is not always straightforward.

Backup protects files, but resilience protects the business. Businesses need to be able to restore data quickly and continue operating if something goes wrong.

Microsoft Protects the Platform. You Protect the Data.

Microsoft operates under the shared responsibility model. In simple terms, Microsoft ensures its systems are running, secure, and available, but your business is responsible for what sits within your Microsoft environment.

This includes your data, user accounts, devices, permissions, security settings, backups and compliance policies. Most data breaches in Microsoft 365 are not caused by Microsoft being hacked. Compromised user accounts, weak passwords, poor access control, misconfigured security or simple human error cause them.

For most SMEs, the risk is not Microsoft failing. The risk is a lack of visibility and control inside their own environment.

Most Businesses Do Not Know Where Their Data Actually Lives

When we ask businesses where their data is stored, most say email and SharePoint. In reality, company data is spread across many different locations.

Data sits in email, document libraries, personal OneDrive folders, Teams chats, laptops, mobile devices, cloud servers, backup systems, and sometimes in third-party applications that the business has forgotten about. Increasingly, company data is also being pasted into AI tools by staff trying to work more efficiently.

One of the biggest risks we see is not poor security software. It is businesses not knowing where their data is, who has access to it, and how it is being shared.

You cannot secure data you cannot see.

The Biggest Risks We See Inside Microsoft Environments

The most common issue is access and permissions growing over time without being reviewed. Staff join, staff leave, folders get shared, permissions get added, and nobody goes back to review them. Over time, this creates permission sprawl, where far too many people have access to far too much data.

We often find old user accounts still active, shared folders open to large groups, external sharing links still working, and too many global administrator accounts. Most cyber attacks now start with a compromised user account, not someone breaking through a firewall. If an attacker logs in as a user, they often already have access to the data they want.

Another common issue is backup. Many businesses believe Microsoft automatically backs up everything, but retention is not the same as backup. If files are deleted and not noticed for a period of time, if a user account is removed, if ransomware encrypts synced files, or if policies and settings are changed, data can still be lost.

We also see many Microsoft environments that are not configured securely. Multi-factor authentication is not enforced for all users, external sharing is too open, security alerts are not configured, and nobody is monitoring suspicious logins. These are not expensive problems to fix, but they are very common.

The newest risk area is AI and what is often called shadow AI. Staff are already using AI tools to summarise documents, write emails, analyse spreadsheets and create reports. The problem is they often paste company information into public AI tools without realising the data risk this creates. Without AI policies and data governance, sensitive information can leave the business very easily.

This Is Not Just an IT Problem. It Is a Business Risk.

When we talk about data security, many people think this is just an IT issue. It is not. It is a business risk issue.

If a business loses access to its systems, email, or data, it often cannot operate properly. Orders stop, communication stops, finance systems stop, and staff productivity drops immediately. Downtime, data breaches and compliance issues quickly become financial and reputational problems, not just technical problems.

For most SMEs, data is the business. If systems stop, the business stops.

How Do You Secure Microsoft 365 Properly?

Properly securing a Microsoft environment is not about buying one security product. It is about understanding where your data is, who has access to it, how it is protected and how quickly you could recover if something went wrong.

Security usually involves multiple layers working together. This includes backup, identity and access control, multi-factor authentication, security monitoring, data loss prevention policies, endpoint protection, disaster recovery planning, and business continuity planning. Increasingly, it also includes AI governance and Microsoft licensing optimisation to ensure businesses are secure, compliant, and not overspending.

Security is not one tool. Security is visibility, control and resilience.

Visibility Before AI. Backup Before Breach.

Many businesses are now investing in AI, automation and moving more systems to the cloud. These technologies can deliver significant productivity gains, but businesses need to secure their foundations first.

Before adopting AI, businesses need data governance. Before expanding into the cloud, they need visibility. Before a breach happens, they need backup. Before a disaster happens, they need recovery and continuity planning.

Most SMEs are not as secure as they think they are, but most risks can be addressed once identified.

The biggest risk to most businesses is not losing data.
It is not knowing where it is in the first place.

Final Thoughts

Microsoft 365 is a powerful and secure platform, but it is not a complete security, backup and data governance solution on its own. Businesses still need to manage access, monitor security, back up data and understand where their information is stored.

The businesses that invest time in understanding their data, access and security are the ones that recover fastest from incidents, avoid breaches and operate with confidence.

Cyber security is often seen as a technology conversation, but in reality, it is about business continuity, risk management and protecting the organisation’s ability to operate.

And it all starts with knowing where your data is and who has access to it.

We offer a Data Security and Exposure Review to assess your Microsoft environment, data locations, access permissions, backup coverage, and security configuration, and to highlight any risks or gaps.

Pinnacle Technologies Group Limited (“PTGL”), Pinnacle Complete Office Solutions Limited (“PCOSL”), a well-established technology firm that began its journey in Cardiff 36 years ago has announced the formation of a new Group structure, marking a significant milestone in its continued expansion.

The business, which has seen sustained growth and diversification in recent years, has completed an exciting Management Buyout (MBO). This strategic investment paves the way for accelerated growth across the Group and reinforces the company’s long-term vision.

Under the leadership of its long-standing Group CEO & Managing Director (CEO & MD), Clive Hamilton, the organisation has created a new Board with Chief Finance & Operating Officer (CF&OO), Paul Roberts and Senior Leadership Team headed up by our new Group Chief Revenue Officer (CRO), Joe Wyn Griffith to guide its next phase of development.

The strengthened governance structure will support both operational excellence and strategic delivery as the Group scales through a combination of organic and inorganic growth, in the UK, Europe and the US.

The newly formed Group brings together a high-performing international division with trading entities in Europe & the US, leveraging a portfolio of complementary specialist business services, including:

Together, these integrated capabilities position the Group as a leading provider of Technology, Workplace, and Managed Service Solutions, both in the UK and internationally. The combined strength of the businesses enhances the Group’s ability to deliver transformative solutions, drive innovation, and support customers’ evolving needs in an increasingly digital world.

Clive Hamilton, Group CEO, commented: “This marks a pivotal moment in our journey. With the support of our funders and the expertise of our newly formed leadership team, we are poised to accelerate the Group’s growth, expand our service offering, and continue delivering exceptional value to our existing & new customers.”

Paul Roberts, Group CF&OO, commented: “The restructured Group, under new ownership, leadership, and financial backing, forms the foundations for accelerated growth, following a sustained period of reorganisation and stabilisation. This represents an exciting opportunity of reinvention and expansion within the UK, Europe and the US.”

The Group is set to embark on its next chapter with renewed ambition, strengthened capabilities, and a clear strategy for long-term, sustainable growth.