It can be eye-opening for Microsoft clients to learn that Microsoft themselves recommend third-party backup solutions for Office 365. The Service Availability section of the Microsoft Services Agreement states:
“We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”
Office 365 maintains limited recovery for accidentally deleted files in the form of recycle bins, but those two options expire after thirty and ninety days. And while you can do things like recover and restore entire SharePoint libraries, the process is complex because it involves having Microsoft restore to a point in time on an environment shared by other customers - they're not going to do this likely and in fact will only ever allow it once for a given tenant. Additionally, the nature of the restore means any new data stored after that point is lost - we've seen companies who didn't understand this and lost weeks worth of company-wide data while trying to recover one small SharePoint library for a department. Ultimately, though, the nature of data resilience in Office 365 is simply that you can always copy existing data to a new device, with no guarantee about the availability of that data in the first place if it's deleted by you or a malicious actor.
When Google talks about how they handle your data, they use the term "backed up" but that doesn't exactly mean what most people would think. Their site explains how Google always saves your work on their servers in real time so you are always able to access your data, even if your personal computer is stolen or crashes. So when Google talk about "backed up", they are just talking about copying data from your computer to their storage systems. But if the data is lost through accidental deletion, hacking, actions of a malicious employee or encrypted by ransomware you're not getting it back without an independent backup solution in place.
As a gold standard of guidelines and best practices for managing and reducing cyber risk, the NIST Cybersecurity Framework sets out the critical importance of data backup, and there's no exclusion just because you're using a cloud-hosted service like Office 365. One component of the NIST Cybersecurity Framework is “Recover” and includes backing up important data and scheduling incremental backups to make recovery from a data loss incident much less painful.
Seventy-three percent of companies hit by ransomware in 2019 that did NOT pay the ransom attributed their decision to having a full backup. With ransomware threats increasingly targeting cloud providers, the importance of backup for what is fast becoming many companies' primary repository for contracts, invoices, reports and more is clearer than ever.